Infected with system progressive protection



cobolguy
2012-10-09, 00:30
hi there

got infected with the above :sad:, tried to follow the instructions from
http://malwaretips/com/blogs/system-progressive-protection-removal/

Got so far, but the system seemed to hang at the hitmanpro step. Malware did flag up quite a few malware files, including a rootkit0 strain, and cleaned them. I also ran a full scan of my system using my virus checker Avira, which also flagged and removed virus strains.

However, my system runs very slow: it takes ages to load Windows and task throughput is very slow.

Files attached as per your Q & E pages

Look forward to your response.

Regards
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by sandra at 21:45:31 on 2012-10-08
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.854 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sandra\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211294225812
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://webcam1.ttu.ee/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.salisbury.edu/activex/AxisCamControl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A97A08D4-B39E-4E5F-A1D4-622F067B28E0} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli
mASetup: ccc-core-static - msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sandra\application data\mozilla\firefox\profiles\ti4a0nad.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-9-7 65848]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-14 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [2009-5-28 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-10 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-9-7 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-9-7 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-14 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-14 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-14 83392]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-9-7 976728]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-7-28 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2012-3-31 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-7-28 9728]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-8-17 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2010-7-28 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2010-7-28 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2010-7-28 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\pc suite\JoinMEAssistantServices.exe [2010-7-28 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\db_1\bin\tnslsnr --> c:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
.
=============== Created Last 30 ================
.
2012-10-05 22:31:12 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-10-05 22:12:09 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21:08 -------- d-----w- c:\documents and settings\sandra\application data\Malwarebytes
2012-10-05 00:21:12 -------- d-----w- c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70
.
==================== Find3M ====================
.
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-07 10:07:30 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-25 22:01:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-25 22:01:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2003-08-27 14:19:18 36963 -c--a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 21:47:59.14 ===============
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-08 22:03:05
-----------------------------
22:03:05.359 OS Version: Windows 5.1.2600 Service Pack 3
22:03:05.359 Number of processors: 2 586 0xF0D
22:03:05.359 ComputerName: LAPTOP02 UserName: sandra
22:03:25.468 Initialize success
22:12:21.203 AVAST engine defs: 12100801
22:12:55.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:12:55.312 Disk 0 Vendor: Hitachi_HTS541616J9SA00 SB4OC70P Size: 152627MB BusType: 3
22:12:55.734 Disk 0 MBR read successfully
22:12:55.750 Disk 0 MBR scan
22:12:55.953 Disk 0 Windows XP default MBR code
22:12:55.968 Disk 0 Partition 1 00 1B Hidd FAT32 MSDOS5.0 4000 MB offset 63
22:12:56.062 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 91573 MB offset 8193150
22:12:56.109 Disk 0 Partition - 00 0F Extended LBA 57051 MB offset 195735960
22:12:56.140 Disk 0 Partition 3 00 0B FAT32 MSWIN4.1 57051 MB offset 195736023
22:12:56.203 Disk 0 scanning sectors +312576705
22:12:56.390 Disk 0 scanning C:\WINDOWS\system32\drivers
22:14:07.640 Service scanning
22:15:38.812 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
22:15:54.609 Modules scanning
22:16:33.109 Disk 0 trace - called modules:
22:16:33.140 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spvk.sys >>UNKNOWN [0x8a557938]<<
22:16:33.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a506ab8]
22:16:33.140 3 CLASSPNP.SYS[ba8e8fd7] -> nt!IofCallDriver -> \Device\00000081[0x8a5af030]
22:16:33.156 5 ACPI.sys[ba674620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5ac3b0]
22:16:51.265 AVAST engine scan C:\WINDOWS
22:17:54.578 AVAST engine scan C:\WINDOWS\system32
22:45:08.296 AVAST engine scan C:\WINDOWS\system32\drivers
22:47:28.828 AVAST engine scan C:\Documents and Settings\sandra
22:57:45.562 AVAST engine scan C:\Documents and Settings\All Users
23:04:32.781 Scan finished successfully
23:11:37.156 Disk 0 MBR has been saved successfully to "C:\logfiles\MBR.dat"
23:11:37.171 The log file has been saved successfully to "C:\logfiles\aswMBR.txt"

Blade81
2012-10-11, 10:11
Hi,

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please uninstall the programs listed above (in red). Post fresh dds logs when done.

cobolguy
2012-10-11, 23:53
Sorry, as requested I've removed µTorrent. Posting below.



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by sandra at 22:41:06 on 2012-10-11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.830 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sandra\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211294225812
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://webcam1.ttu.ee/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.salisbury.edu/activex/AxisCamControl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A97A08D4-B39E-4E5F-A1D4-622F067B28E0} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli
mASetup: ccc-core-static - msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sandra\application data\mozilla\firefox\profiles\ti4a0nad.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-9-7 65848]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-14 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [2009-5-28 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-10 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-9-7 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-9-7 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-14 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-14 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-14 83392]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-9-7 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-7-28 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2012-3-31 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-7-28 9728]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-8-17 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2010-7-28 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2010-7-28 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2010-7-28 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\pc suite\JoinMEAssistantServices.exe [2010-7-28 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\db_1\bin\tnslsnr --> c:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
.
=============== Created Last 30 ================
.
2012-10-08 20:46:52 -------- d-----w- C:\logfiles
2012-10-05 22:31:12 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-10-05 22:12:09 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21:08 -------- d-----w- c:\documents and settings\sandra\application data\Malwarebytes
2012-10-05 00:21:12 -------- d-----w- c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70
.
==================== Find3M ====================
.
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-07 10:07:30 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-25 22:01:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-25 22:01:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2003-08-27 14:19:18 36963 -c--a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 22:43:20.00 ===============

Blade81
2012-10-12, 06:21
Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.

2. Click Yes to allow ComboFix to continue scanning for malware.

3. When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

cobolguy
2012-10-12, 20:27
Thanks for your help so far :)

Log after running the ComboFix process:

ComboFix 12-10-12.01 - sandra 12/10/2012 18:45:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.994 [GMT 1:00]
Running from: c:\documents and settings\sandra\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameE.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Config.Msi\PT11E.tmp
c:\documents and settings\Config.Msi\PT11F.tmp
c:\documents and settings\Config.Msi\PT127.tmp
c:\documents and settings\Config.Msi\PT77.tmp
c:\documents and settings\Config.Msi\PT9F.tmp
c:\documents and settings\Config.Msi\PTA5.tmp
c:\program files\RadioPI_4eEI
c:\windows\system32\Cache
c:\windows\system32\SET207.tmp
c:\windows\system32\SET213.tmp
c:\windows\system32\SET220.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-12 to 2012-10-12 )))))))))))))))))))))))))))))))
.
.
2012-10-08 20:46 . 2012-10-11 21:50 -------- d-----w- C:\logfiles
2012-10-08 20:42 . 2012-10-08 20:43 -------- d-----w- c:\program files\ERUNT
2012-10-05 22:31 . 2012-10-05 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-05 22:12 . 2012-10-05 22:12 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21 . 2012-10-05 06:21 -------- d-----w- c:\documents and settings\sandra\Application Data\Malwarebytes
2012-10-05 00:21 . 2012-10-07 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70
2012-09-22 15:34 . 2012-09-22 15:34 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 16:04 . 2009-04-28 20:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 22:01 . 2012-06-12 17:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-25 22:01 . 2011-06-08 18:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2003-08-27 14:19 . 2008-11-10 17:10 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
2011-11-21 04:04 . 2011-11-27 22:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-09 348664]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\sandra\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Details.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Details.lnk
backup=c:\windows\pss\PC Details.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^CCC.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\CCC.lnk
backup=c:\windows\pss\CCC.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
2006-01-02 18:14 61440 -c--a-w- c:\windows\ABLKSR\ABLKSR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
2007-07-10 09:59 851968 -c--a-w- c:\program files\ASUS\Splendid\ACMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2007-04-17 00:06 372825 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 10:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2007-12-20 19:46 33136 -c--a-w- c:\windows\ASScrPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSTPE]
2007-01-16 15:13 106496 -c--a-w- c:\windows\system32\ASUSTPE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
2005-10-03 10:23 20480 ------w- c:\windows\CameraFixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvMon.exe]
2004-11-29 09:55 53248 -c----w- c:\windows\system32\DrvMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R285 Series]
2007-04-13 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICKE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-30 12:21 136176 ----atw- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2012-04-17 14:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-05 18:52 421160 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JoinMEUIExec]
2009-03-10 17:50 131072 -c--a-w- c:\program files\PC Suite\JoinMEUIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 22:47 198184 -c--a-w- c:\program files\O2\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
2006-07-26 17:01 90112 -c--a-w- c:\program files\ASUS\Power4 Gear\BatteryLife.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 02:01 32768 -c--a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 -c--a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-30 03:49 16269312 -c--a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 02:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 01:31 630784 -c--a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 08:07 827392 ----a-w- c:\windows\vsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-14 23:46 1192664 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 11:59 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-05 22:28 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
2005-11-04 14:05 90112 ----a-w- c:\windows\tsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SMTPSVC"=2 (0x2)
"w3svc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Apache2.2"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"JoinMEUI Assistant Service"=2 (0x2)
"Secunia PSI Agent"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [22/09/2012 16:34 65848]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/01/2010 13:37 691696]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [14/03/2012 01:35 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [28/05/2009 22:33 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [10/08/2012 19:07 228376]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [22/09/2012 16:34 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [22/09/2012 16:34 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14/03/2012 01:35 86224]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [15/09/2011 12:06 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [22/09/2012 16:34 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [28/05/2012 21:35 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/07/2010 21:08 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [31/03/2012 23:51 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [28/07/2010 20:17 9728]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [17/08/2006 10:54 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/07/2010 20:17 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/07/2010 20:17 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/07/2010 20:17 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\PC Suite\JoinMEAssistantServices.exe [28/07/2010 20:16 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR --> c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [13/08/2012 13:33 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTMGMTSERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4204088417-295494685-3788373613-1005Core.job
- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 12:21]
.
2012-10-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4204088417-295494685-3788373613-1005UA.job
- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 12:21]
.
2012-10-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-11 c:\windows\Tasks\User_Feed_Synchronization-{99538423-7653-467D-BD42-F6202E57E053}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.254
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\sandra\Application Data\Mozilla\Firefox\Profiles\ti4a0nad.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-ASUS Camera ScreenSaver - c:\windows\ASScrProlog.exe
MSConfigStartUp-ATKHOTKEY - c:\program files\ATK Hotkey\Hcontrol.exe
MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\BitTorrent.exe
MSConfigStartUp-FixCamera - c:\windows\FixCamera.exe
MSConfigStartUp-FreeCall - c:\program files\FreeCall.com\FreeCall\FreeCall.exe
MSConfigStartUp-GreasyPalmUpdate - c:\windows\GreasyPalmUpdate.exe
MSConfigStartUp-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
MSConfigStartUp-lmdmi - c:\documents and settings\sean\Application Data\lmdmi.dll
MSConfigStartUp-nftac - c:\documents and settings\sean\Application Data\nftac.dll
MSConfigStartUp-NokiaMusic FastStart - c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
MSConfigStartUp-PC Suite Tray - c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
MSConfigStartUp-PowerForPhone - c:\program files\P4P\P4P.exe
MSConfigStartUp-RadioPI Search Scope Monitor - c:\progra~1\RADIOP~2\bar\1.bin\4esrchmn.exe
MSConfigStartUp-RadioPI_4e Browser Plugin Loader - c:\progra~1\RADIOP~2\bar\1.bin\4ebrmon.exe
MSConfigStartUp-SM1BG - c:\windows\SM1BG.EXE
MSConfigStartUp-sortc - c:\documents and settings\sean\Application Data\sortc.dll
MSConfigStartUp-upidli - c:\documents and settings\sean\Application Data\upidli.dll
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
MSConfigStartUp-WinVNC - c:\program files\TightVNC\WinVNC.exe
HKLM_ActiveSetup-ccc-core-static - msiexec
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-12 19:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1072)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-10-12 19:09:02
ComboFix-quarantined-files.txt 2012-10-12 18:08
.
Pre-Run: 64,083,286,528 bytes free
Post-Run: 64,331,561,472 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
.
- - End Of File - - CF91FE6A3176A604D3F934774C25ABFE


>> DDS Logs

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by sandra at 19:20:27 on 2012-10-12
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.862 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Avira\AntiVir Desktop\avconfig.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sandra\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211294225812
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://webcam1.ttu.ee/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.salisbury.edu/activex/AxisCamControl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A97A08D4-B39E-4E5F-A1D4-622F067B28E0} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sandra\application data\mozilla\firefox\profiles\ti4a0nad.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-9-22 65848]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-14 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [2009-5-28 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-10 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-9-22 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-9-22 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-14 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-14 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-14 83392]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-9-22 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-7-28 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2012-3-31 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-7-28 9728]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-8-17 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2010-7-28 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2010-7-28 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2010-7-28 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\pc suite\JoinMEAssistantServices.exe [2010-7-28 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\db_1\bin\tnslsnr --> c:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
.
=============== Created Last 30 ================
.
2012-10-12 17:27:53 -------- d-sha-r- C:\cmdcons
2012-10-12 17:24:15 98816 ----a-w- c:\windows\sed.exe
2012-10-12 17:24:15 518144 ----a-w- c:\windows\SWREG.exe
2012-10-12 17:24:15 256000 ----a-w- c:\windows\PEV.exe
2012-10-12 17:24:15 208896 ----a-w- c:\windows\MBR.exe
2012-10-08 20:46:52 -------- d-----w- C:\logfiles
2012-10-05 22:31:12 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-10-05 22:12:09 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21:08 -------- d-----w- c:\documents and settings\sandra\application data\Malwarebytes
2012-10-05 00:21:12 -------- d-----w- c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70
2012-09-22 15:34:42 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 22:01:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-25 22:01:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2003-08-27 14:19:18 36963 -c--a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 19:21:14.89 ===============

Blade81
2012-10-14, 18:30
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



DirLook::
c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


Get the Adobe Reader 9.5.2 update here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).


If Mozilla Firefox isn't used uninstall it. Otherwise, replace it with the latest version here (http://www.mozilla.org/en-US/firefox/fx/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 7 Update 7 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u7-windows-i586.exe to install the newest version.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.



Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
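Why a helper asks for a DirLook:: on that hex-named folder, and what a first pass over logs like the ones above looks for: the Python script below is an added example and is not part of the original thread, nor code from ComboFix or DDS. It reads ComboFix/DDS-style lines and applies three triage heuristics: an autostart entry whose binary lives in a profile's Application Data tree, a directory named with exactly 32 hex characters under All Users\Application Data (the shape of the 1B61202FF1FA8DB800491B60D75D1B70 entry in the logs above), and a DPF (ActiveX) control fetched from a bare IP address. The rule names, the regular expressions and the sample lines are the example's own constructions; a hit means "look closer", not "malicious".

```python
import re
from typing import Dict, List

# Constructed sample lines in the shape of the ComboFix / DDS output quoted
# in this thread (a handful of lines, not the full logs).
SAMPLE_LOG = r"""
MSConfigStartUp-lmdmi - c:\documents and settings\sean\Application Data\lmdmi.dll
MSConfigStartUp-NokiaMusic FastStart - c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe
MSConfigStartUp-WinVNC - c:\program files\TightVNC\WinVNC.exe
2012-10-05 00:21 . 2012-10-07 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70
2012-10-05 22:31 . 2012-10-05 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Heuristic 2 (assumed pattern): a directory whose name is exactly 32 hex
# characters, directly under an "Application Data" folder, ending the line.
HEX32_DIR = re.compile(r"\\application data\\([0-9a-f]{32})\s*$", re.IGNORECASE)

# Heuristic 3: DDS/ComboFix defang http(s) as hxxp(s); match a dotted-quad host.
BARE_IP_URL = re.compile(r"hxxps?://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)", re.IGNORECASE)


def startup_target(line: str) -> str:
    """Return the launch path from a ComboFix 'MSConfigStartUp-<name> - <path>'
    orphan line, or '' if the line is not such an entry."""
    if not line.startswith("MSConfigStartUp-"):
        return ""
    _, sep, target = line.partition(" - ")
    return target.strip() if sep else ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply the three heuristics to every line and return one finding per hit.
    A finding is a prompt to look closer (e.g. ask for a DirLook), not a verdict."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Heuristic 1: an autostart whose binary sits in a profile's
        # Application Data tree (user-writable, no installer needed).
        target = startup_target(line)
        if target and "\\application data\\" in target.lower():
            findings.append({"rule": "autostart-from-profile-dir", "line": line})

        if HEX32_DIR.search(line):
            findings.append({"rule": "hex-named-programdata-dir", "line": line})

        if line.startswith("DPF:") and BARE_IP_URL.search(line):
            findings.append({"rule": "activex-from-bare-ip", "line": line})
    return findings


def report(log_text: str) -> str:
    """Human-readable summary, one line per finding."""
    return "\n".join(f"[{f['rule']}] {f['line']}" for f in triage(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved ComboFix.txt or dds.txt by passing the file's contents to report(); on the constructed sample it flags the lmdmi.dll autostart, the hex-named folder and the ActiveX control pulled from 217.22.201.135, and stays silent on the Nokia, HitmanPro and macromedia.com lines.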

cobolguy
2012-10-15, 08:15
Hi there

Logs as requested. ESET scan reported 4 infections, but they were not cleaned as I unchecked the remove option as instructed.

Look forward to your next instructions

Regards

>> ComboFix

ComboFix 12-10-14.03 - sandra 14/10/2012 20:01:50.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.833 [GMT 1:00]
Running from: c:\documents and settings\sandra\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sandra\Desktop\Cfscript.txt
AV: Avira Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-14 to 2012-10-14 )))))))))))))))))))))))))))))))
.
.
2012-10-08 20:46 . 2012-10-11 21:50 -------- d-----w- C:\logfiles
2012-10-08 20:42 . 2012-10-08 20:43 -------- d-----w- c:\program files\ERUNT
2012-10-05 22:31 . 2012-10-05 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-05 22:12 . 2012-10-05 22:12 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21 . 2012-10-05 06:21 -------- d-----w- c:\documents and settings\sandra\Application Data\Malwarebytes
2012-10-05 00:21 . 2012-10-07 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70
2012-09-22 15:34 . 2012-09-22 15:34 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 16:04 . 2009-04-28 20:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 22:01 . 2012-06-12 17:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-25 22:01 . 2011-06-08 18:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2003-08-27 14:19 . 2008-11-10 17:10 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
2011-11-21 04:04 . 2011-11-27 22:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70 ----
.
2012-10-05 00:23 . 2012-10-05 06:05 2896 ----a-w- c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70\1B61202FF1FA8DB800491B60D75D1B70
2012-10-05 00:21 . 2012-10-05 00:21 4286 ----a-w- c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70\1B61202FF1FA8DB800491B60D75D1B70.ico
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-09 348664]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\sandra\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Details.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Details.lnk
backup=c:\windows\pss\PC Details.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^CCC.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\CCC.lnk
backup=c:\windows\pss\CCC.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
2006-01-02 18:14 61440 -c--a-w- c:\windows\ABLKSR\ABLKSR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
2007-07-10 09:59 851968 -c--a-w- c:\program files\ASUS\Splendid\ACMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2007-04-17 00:06 372825 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 10:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2007-12-20 19:46 33136 -c--a-w- c:\windows\ASScrPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSTPE]
2007-01-16 15:13 106496 -c--a-w- c:\windows\system32\ASUSTPE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
2005-10-03 10:23 20480 ------w- c:\windows\CameraFixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvMon.exe]
2004-11-29 09:55 53248 -c----w- c:\windows\system32\DrvMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R285 Series]
2007-04-13 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICKE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-30 12:21 136176 ----atw- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2012-04-17 14:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-05 18:52 421160 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JoinMEUIExec]
2009-03-10 17:50 131072 -c--a-w- c:\program files\PC Suite\JoinMEUIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 22:47 198184 -c--a-w- c:\program files\O2\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
2006-07-26 17:01 90112 -c--a-w- c:\program files\ASUS\Power4 Gear\BatteryLife.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 02:01 32768 -c--a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 -c--a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-30 03:49 16269312 -c--a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 02:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 01:31 630784 -c--a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 08:07 827392 ----a-w- c:\windows\vsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-14 23:46 1192664 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 11:59 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-05 22:28 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
2005-11-04 14:05 90112 ----a-w- c:\windows\tsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SMTPSVC"=2 (0x2)
"w3svc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Apache2.2"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"JoinMEUI Assistant Service"=2 (0x2)
"Secunia PSI Agent"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [22/09/2012 16:34 65848]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/01/2010 13:37 691696]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [14/03/2012 01:35 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [28/05/2009 22:33 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [10/08/2012 19:07 228376]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [22/09/2012 16:34 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [22/09/2012 16:34 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14/03/2012 01:35 86224]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [15/09/2011 12:06 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [22/09/2012 16:34 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [28/05/2012 21:35 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/07/2010 21:08 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [31/03/2012 23:51 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [28/07/2010 20:17 9728]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [17/08/2006 10:54 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/07/2010 20:17 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/07/2010 20:17 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/07/2010 20:17 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\PC Suite\JoinMEAssistantServices.exe [28/07/2010 20:16 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR --> c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [13/08/2012 13:33 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - RAPPORTIASO
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
*Deregistered* - PROCEXP152
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4204088417-295494685-3788373613-1005Core.job
- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 12:21]
.
2012-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4204088417-295494685-3788373613-1005UA.job
- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 12:21]
.
2012-10-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-14 c:\windows\Tasks\User_Feed_Synchronization-{99538423-7653-467D-BD42-F6202E57E053}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.254
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\sandra\Application Data\Mozilla\Firefox\Profiles\ti4a0nad.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-14 20:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-10-14 20:27:22
ComboFix-quarantined-files.txt 2012-10-14 19:27
ComboFix2.txt 2012-10-12 18:09
.
Pre-Run: 64,196,444,160 bytes free
Post-Run: 64,229,229,056 bytes free
.
- - End Of File - - E88B8386AF9C8167020EEC7D0E98297E

>>


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_35
Run by sandra at 6:55:15 on 2012-10-15
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.774 [GMT 1:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sandra\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211294225812
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://webcam1.ttu.ee/activex/AMC.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.salisbury.edu/activex/AxisCamControl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A97A08D4-B39E-4E5F-A1D4-622F067B28E0} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sandra\application data\mozilla\firefox\profiles\ti4a0nad.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-9-22 65848]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-14 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [2009-5-28 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-10 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-9-22 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-9-22 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-14 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-14 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-14 83392]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-9-22 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-7-28 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2012-3-31 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-7-28 9728]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-10-14 115168]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-8-17 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2010-7-28 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2010-7-28 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2010-7-28 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\pc suite\JoinMEAssistantServices.exe [2010-7-28 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\db_1\bin\tnslsnr --> c:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
.
=============== Created Last 30 ================
.
2012-10-14 21:05:32 -------- d-----w- c:\program files\ESET
2012-10-14 20:05:27 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-14 20:00:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-14 19:51:00 18912 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2012-10-14 19:44:55 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-14 19:44:04 21472 ----a-w- c:\program files\mozilla firefox\plc4.dll
2012-10-14 19:44:04 20960 ----a-w- c:\program files\mozilla firefox\plds4.dll
2012-10-14 19:44:04 16864 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2012-10-14 19:44:03 91104 ----a-w- c:\program files\mozilla firefox\smime3.dll
2012-10-14 19:44:03 889848 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2012-10-14 19:44:03 270816 ----a-w- c:\program files\mozilla firefox\updater.exe
2012-10-14 19:44:03 19424 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2012-10-14 19:44:03 155104 ----a-w- c:\program files\mozilla firefox\softokn3.dll
2012-10-14 19:44:03 145376 ----a-w- c:\program files\mozilla firefox\ssl3.dll
2012-10-14 19:43:49 14676960 ----a-w- c:\program files\mozilla firefox\xul.dll
2012-10-12 17:27:53 -------- d-sha-r- C:\cmdcons
2012-10-12 17:24:15 98816 ----a-w- c:\windows\sed.exe
2012-10-12 17:24:15 518144 ----a-w- c:\windows\SWREG.exe
2012-10-12 17:24:15 256000 ----a-w- c:\windows\PEV.exe
2012-10-12 17:24:15 208896 ----a-w- c:\windows\MBR.exe
2012-10-08 20:46:52 -------- d-----w- C:\logfiles
2012-10-05 22:31:12 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-10-05 22:12:09 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21:08 -------- d-----w- c:\documents and settings\sandra\application data\Malwarebytes
2012-10-05 00:21:12 -------- d-----w- c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70
2012-09-22 15:34:42 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2012-10-14 20:04:05 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 22:01:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-25 22:01:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2003-08-27 14:19:18 36963 -c--a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 6:57:54.79 ===============

cobolguy
2012-10-15, 08:23
Hi

Found ESET log file

Posted below.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=d45dc078498ed749b45a1b509817b483
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-10-15 02:06:18
# local_time=2012-10-15 03:06:18 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1792 16777179 100 0 18567565 18567565 0 0
# compatibility_mode=8192 67108863 100 0 533 533 0 0
# scanned=141220
# found=4
# cleaned=0
# scan_time=17544
C:\Documents and Settings\sean\Local Settings\Application Data\{C99D6302-E652-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\sean\Local Settings\Temp\ICReinstall_DownloadManagerSetup[1].exe a variant of Win32/InstallCore.AW application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{E422C504-DD0C-4351-82F3-8689D2C7CE65}\RP104\A0090325.exe Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\CameraFixer.exe probably a variant of Win32/KillProc.A application (unable to clean) 00000000000000000000000000000000 I

Blade81
2012-10-15, 16:55
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:


Folder::
C:\Documents and Settings\sean\Local Settings\Application Data\{C99D6302-E652-11E1-8270-B8AC6F996F26}
File::
C:\Documents and Settings\sean\Local Settings\Temp\ICReinstall_DownloadManagerSetup[1].exe



Save this as
CFScript

A word of warning: Neither I nor sUBs is responsible for any damage you may cause to your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log. How's the system running?

cobolguy
2012-10-15, 20:35
Hello again

Ran the process requested; DDS and Combo logs are below.

System still running very, very slowly.

Look forward to your next post

Regards


>>>>>>>>>>>>>>>>>> DDS log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_35
Run by sandra at 19:28:14 on 2012-10-15
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.915 [GMT 1:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sandra\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211294225812
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://webcam1.ttu.ee/activex/AMC.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.salisbury.edu/activex/AxisCamControl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A97A08D4-B39E-4E5F-A1D4-622F067B28E0} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sandra\application data\mozilla\firefox\profiles\ti4a0nad.default\
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-9-22 65848]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-14 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [2009-5-28 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-10 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-9-22 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-9-22 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-14 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-14 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-14 83392]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-9-22 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-7-28 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2012-3-31 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-7-28 9728]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-10-14 115168]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-8-17 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2010-7-28 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2010-7-28 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2010-7-28 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\pc suite\JoinMEAssistantServices.exe [2010-7-28 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\db_1\bin\tnslsnr --> c:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
.
=============== Created Last 30 ================
.
2012-10-14 21:05:32 -------- d-----w- c:\program files\ESET
2012-10-14 20:05:27 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-14 20:00:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-14 19:51:00 18912 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2012-10-14 19:44:55 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-14 19:44:04 21472 ----a-w- c:\program files\mozilla firefox\plc4.dll
2012-10-14 19:44:04 20960 ----a-w- c:\program files\mozilla firefox\plds4.dll
2012-10-14 19:44:04 16864 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2012-10-14 19:44:03 91104 ----a-w- c:\program files\mozilla firefox\smime3.dll
2012-10-14 19:44:03 889848 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2012-10-14 19:44:03 270816 ----a-w- c:\program files\mozilla firefox\updater.exe
2012-10-14 19:44:03 19424 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2012-10-14 19:44:03 155104 ----a-w- c:\program files\mozilla firefox\softokn3.dll
2012-10-14 19:44:03 145376 ----a-w- c:\program files\mozilla firefox\ssl3.dll
2012-10-14 19:43:49 14676960 ----a-w- c:\program files\mozilla firefox\xul.dll
2012-10-12 17:27:53 -------- d-sha-r- C:\cmdcons
2012-10-12 17:24:15 98816 ----a-w- c:\windows\sed.exe
2012-10-12 17:24:15 518144 ----a-w- c:\windows\SWREG.exe
2012-10-12 17:24:15 256000 ----a-w- c:\windows\PEV.exe
2012-10-12 17:24:15 208896 ----a-w- c:\windows\MBR.exe
2012-10-08 20:46:52 -------- d-----w- C:\logfiles
2012-10-05 22:31:12 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-10-05 22:12:09 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21:08 -------- d-----w- c:\documents and settings\sandra\application data\Malwarebytes
2012-10-05 00:21:12 -------- d-----w- c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70
2012-09-22 15:34:42 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2012-10-14 20:04:05 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 22:01:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-25 22:01:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2003-08-27 14:19:18 36963 -c--a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 19:30:52.34 ===============


>>>>>>>>>>>>> combo log

ComboFix 12-10-14.03 - sandra 15/10/2012 18:20:04.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.794 [GMT 1:00]
Running from: c:\documents and settings\sandra\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sandra\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\documents and settings\sean\Local Settings\Temp\ICReinstall_DownloadManagerSetup"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\sean\Local Settings\Application Data\{C99D6302-E652-11E1-8270-B8AC6F996F26}
c:\documents and settings\sean\Local Settings\Application Data\{C99D6302-E652-11E1-8270-B8AC6F996F26}\chrome.manifest
c:\documents and settings\sean\Local Settings\Application Data\{C99D6302-E652-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul
c:\documents and settings\sean\Local Settings\Application Data\{C99D6302-E652-11E1-8270-B8AC6F996F26}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2012-09-15 to 2012-10-15 )))))))))))))))))))))))))))))))
.
.
2012-10-14 21:05 . 2012-10-14 21:05 -------- d-----w- c:\program files\ESET
2012-10-14 20:20 . 2012-10-14 20:20 -------- d-----w- c:\program files\Common Files\Java
2012-10-14 20:05 . 2012-10-14 20:04 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-14 20:00 . 2012-10-14 20:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-14 19:51 . 2012-10-14 19:51 18912 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2012-10-14 19:44 . 2012-10-14 20:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-14 19:44 . 2012-10-14 19:50 21472 ----a-w- c:\program files\Mozilla Firefox\plc4.dll
2012-10-14 19:44 . 2012-10-14 19:50 20960 ----a-w- c:\program files\Mozilla Firefox\plds4.dll
2012-10-14 19:44 . 2012-10-14 19:50 16864 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2012-10-14 19:44 . 2012-10-14 19:50 91104 ----a-w- c:\program files\Mozilla Firefox\smime3.dll
2012-10-14 19:44 . 2012-10-14 19:50 889848 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2012-10-14 19:44 . 2012-10-14 19:50 270816 ----a-w- c:\program files\Mozilla Firefox\updater.exe
2012-10-14 19:44 . 2012-10-14 19:50 19424 ----a-w- c:\program files\Mozilla Firefox\xpcom.dll
2012-10-14 19:44 . 2012-10-14 19:50 155104 ----a-w- c:\program files\Mozilla Firefox\softokn3.dll
2012-10-14 19:44 . 2012-10-14 19:50 145376 ----a-w- c:\program files\Mozilla Firefox\ssl3.dll
2012-10-14 19:43 . 2012-10-14 19:50 14676960 ----a-w- c:\program files\Mozilla Firefox\xul.dll
2012-10-08 20:46 . 2012-10-11 21:50 -------- d-----w- C:\logfiles
2012-10-08 20:42 . 2012-10-08 20:43 -------- d-----w- c:\program files\ERUNT
2012-10-05 22:31 . 2012-10-05 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-05 22:12 . 2012-10-05 22:12 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21 . 2012-10-05 06:21 -------- d-----w- c:\documents and settings\sandra\Application Data\Malwarebytes
2012-10-05 00:21 . 2012-10-07 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70
2012-09-22 15:34 . 2012-09-22 15:34 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-14 20:04 . 2010-04-15 17:12 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-07 16:04 . 2009-04-28 20:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 22:01 . 2012-06-12 17:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-25 22:01 . 2011-06-08 18:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2003-08-27 14:19 . 2008-11-10 17:10 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
2012-10-14 19:50 . 2012-10-14 19:50 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-09 348664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\sandra\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Details.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Details.lnk
backup=c:\windows\pss\PC Details.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^CCC.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\CCC.lnk
backup=c:\windows\pss\CCC.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
2006-01-02 18:14 61440 -c--a-w- c:\windows\ABLKSR\ABLKSR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
2007-07-10 09:59 851968 -c--a-w- c:\program files\ASUS\Splendid\ACMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2007-04-17 00:06 372825 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2007-12-20 19:46 33136 -c--a-w- c:\windows\ASScrPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSTPE]
2007-01-16 15:13 106496 -c--a-w- c:\windows\system32\ASUSTPE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
2005-10-03 10:23 20480 ------w- c:\windows\CameraFixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvMon.exe]
2004-11-29 09:55 53248 -c----w- c:\windows\system32\DrvMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R285 Series]
2007-04-13 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICKE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-30 12:21 136176 ----atw- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2012-04-17 14:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-05 18:52 421160 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JoinMEUIExec]
2009-03-10 17:50 131072 -c--a-w- c:\program files\PC Suite\JoinMEUIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 22:47 198184 -c--a-w- c:\program files\O2\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
2006-07-26 17:01 90112 -c--a-w- c:\program files\ASUS\Power4 Gear\BatteryLife.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 02:01 32768 -c--a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 -c--a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-30 03:49 16269312 -c--a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 02:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 01:31 630784 -c--a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 08:07 827392 ----a-w- c:\windows\vsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-14 23:46 1192664 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 13:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-05 22:28 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
2005-11-04 14:05 90112 ----a-w- c:\windows\tsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SMTPSVC"=2 (0x2)
"w3svc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Apache2.2"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"JoinMEUI Assistant Service"=2 (0x2)
"Secunia PSI Agent"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [22/09/2012 16:34 65848]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/01/2010 13:37 691696]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [14/03/2012 01:35 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [28/05/2009 22:33 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [10/08/2012 19:07 228376]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [22/09/2012 16:34 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [22/09/2012 16:34 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14/03/2012 01:35 86224]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [15/09/2011 12:06 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [22/09/2012 16:34 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [28/05/2012 21:35 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/07/2010 21:08 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [31/03/2012 23:51 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [28/07/2010 20:17 9728]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [14/10/2012 20:44 115168]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [17/08/2006 10:54 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/07/2010 20:17 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/07/2010 20:17 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/07/2010 20:17 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\PC Suite\JoinMEAssistantServices.exe [28/07/2010 20:16 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR --> c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [13/08/2012 13:33 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4204088417-295494685-3788373613-1005Core.job
- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 12:21]
.
2012-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4204088417-295494685-3788373613-1005UA.job
- c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 12:21]
.
2012-10-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-15 c:\windows\Tasks\User_Feed_Synchronization-{99538423-7653-467D-BD42-F6202E57E053}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.254
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\sandra\Application Data\Mozilla\Firefox\Profiles\ti4a0nad.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-15 18:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1080)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-10-15 18:45:46
ComboFix-quarantined-files.txt 2012-10-15 17:45
ComboFix2.txt 2012-10-14 19:27
ComboFix3.txt 2012-10-12 18:09
.
Pre-Run: 64,244,554,240 bytes free
Post-Run: 64,253,818,368 bytes free
.
- - End Of File - - FB1A58E69B59FC7024AC8C67F793BF40

Blade81
2012-10-16, 06:36
Hi,

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select skip and click Continue.
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format). Post fresh attach.txt contents too.
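
Once such a log is posted, most of it is the per-service listing of the kind shown later in this thread: a `[ MD5 ] ServiceName C:\path` line followed by a `ServiceName - verdict` line, with legacy entries that have no backing file getting only the verdict line. The Python below is an added example, not part of this thread and not TDSSKiller's own code: it pairs each hash line with its verdict line, lists every entry whose verdict is anything other than `ok` (the ones you would "skip" rather than let the tool act on), and collects the MD5s so they can be checked against a vendor hash database. The sample log is constructed from the format seen in the thread; the `svchost32` entry, its all-zero MD5 and the `( DetectionName ) - warning` verdict shape are assumptions made for the example, not anything reported on this machine.

```python
"""Triage helper for TDSSKiller service-scan logs (added example, not from the thread).

Line shapes assumed from the log format seen in this thread:
  HH:MM:SS.mmmm PID [ MD5 ] ServiceName X:\path\file      (hash line, optional)
  HH:MM:SS.mmmm PID ServiceName - verdict                  (verdict line)
  HH:MM:SS.mmmm PID ServiceName ( Detection ) - verdict    (assumed shape for hits)
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<body>.*)$")
# Service name is taken non-greedily; the path is anchored on a drive letter so
# names with spaces ("Apple Mobile Device") are still split correctly.
HASH_RE = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?) (?P<path>[A-Za-z]:\\.+)$")
VERDICT_RE = re.compile(r"^(?P<name>.+?)(?: \( (?P<detection>[^)]+) \))? - (?P<verdict>[A-Za-z][A-Za-z ]*)$")


@dataclass
class Entry:
    name: str
    timestamp: str = ""
    verdict: str = ""
    detection: Optional[str] = None
    md5: Optional[str] = None
    path: Optional[str] = None


def parse_tdsskiller(text: str) -> list[Entry]:
    """Return one Entry per verdict line, merged with the preceding hash line when names match."""
    entries: list[Entry] = []
    pending: Optional[Entry] = None  # hash line waiting for its verdict line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m["body"]
        h = HASH_RE.match(body)
        if h:
            pending = Entry(name=h["name"], timestamp=m["ts"], md5=h["md5"].upper(), path=h["path"])
            continue
        v = VERDICT_RE.match(body)
        if not v:
            continue  # banners, separators, "Scan started" and similar
        if pending is not None and pending.name == v["name"]:
            entry = pending
        else:
            entry = Entry(name=v["name"], timestamp=m["ts"])  # legacy entry, no file on disk
        pending = None
        entry.verdict = v["verdict"].strip().lower()
        entry.detection = v["detection"]
        entries.append(entry)
    return entries


def triage(entries: list[Entry]) -> dict:
    """Split entries into what needs attention and what can be hash-checked."""
    flagged = [e for e in entries if e.verdict != "ok"]
    no_file = [e.name for e in entries if e.md5 is None]
    by_hash: dict[str, list[str]] = {}
    for e in entries:
        if e.md5:
            by_hash.setdefault(e.md5, []).append(e.name)  # one binary may back several services
    return {"scanned": len(entries), "flagged": flagged, "no_file": no_file, "by_hash": by_hash}


def render(report: dict) -> list[str]:
    """Human-readable summary lines, suitable for pasting back into a thread."""
    lines = [f"services scanned: {report['scanned']}, distinct hashes: {len(report['by_hash'])}"]
    for e in report["flagged"]:
        lines.append(f"FLAG {e.name}: {e.verdict} ({e.detection or 'no detection name'}) {e.path or '<no file>'} md5={e.md5}")
    lines.append(f"legacy entries without a file: {', '.join(report['no_file']) or 'none'}")
    return lines


# Constructed sample: the first four entries copy the format of the thread's log,
# the svchost32 entry is invented to exercise the non-ok path.
SAMPLE_LOG = r"""
17:46:39.0000 3384 ================ Scan services =============================
17:46:39.0875 3384 Abiosdsk - ok
17:46:52.0312 3384 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
17:46:52.0312 3384 atapi - ok
17:46:44.0953 3384 [ 70D7BE78061126DD0C3ACCDB7E129017 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
17:46:45.0187 3384 Apple Mobile Device - ok
17:47:15.0031 3384 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
17:47:15.0218 3384 FontCache3.0.0.0 - ok
17:47:50.0500 3384 [ 00000000000000000000000000000000 ] svchost32 C:\WINDOWS\system32\drivers\svchost32.sys
17:47:50.0500 3384 svchost32 ( UnsignedFile.Multi.Generic ) - warning
17:47:50.0600 3384 ================ Scan global ===============================
"""

if __name__ == "__main__":
    for line in render(triage(parse_tdsskiller(SAMPLE_LOG))):
        print(line)
```

Feed it the real log with `parse_tdsskiller(open("TDSSKiller.2.8.13.0_16.10.2012_17.46.25_log.txt").read())`. The `by_hash` map is the useful part for a slow-but-clean machine like this one: every MD5 there can be looked up against a vendor database, and a known binary turning up under an unexpected service name stands out immediately.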

cobolguy
2012-10-16, 19:08
Hi there.

Logs as requested. Attach zipped and attached!

Machine still running so slow :confused:

Regards

Sean


>>>>>>>>>> TDSSKiller logs

17:46:25.0187 0756 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
17:46:25.0421 0756 ============================================================
17:46:25.0421 0756 Current date / time: 2012/10/16 17:46:25.0421
17:46:25.0421 0756 SystemInfo:
17:46:25.0421 0756
17:46:25.0421 0756 OS Version: 5.1.2600 ServicePack: 3.0
17:46:25.0421 0756 Product type: Workstation
17:46:25.0421 0756 ComputerName: LAPTOP02
17:46:25.0421 0756 UserName: sandra
17:46:25.0421 0756 Windows directory: C:\WINDOWS
17:46:25.0421 0756 System windows directory: C:\WINDOWS
17:46:25.0421 0756 Processor architecture: Intel x86
17:46:25.0421 0756 Number of processors: 2
17:46:25.0421 0756 Page size: 0x1000
17:46:25.0421 0756 Boot type: Normal boot
17:46:25.0421 0756 ============================================================
17:46:28.0531 0756 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:46:28.0578 0756 ============================================================
17:46:28.0578 0756 \Device\Harddisk0\DR0:
17:46:28.0578 0756 MBR partitions:
17:46:28.0578 0756 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x7D047E, BlocksNum 0xB2DAD1A
17:46:28.0593 0756 \Device\Harddisk0\DR0\Partition2: MBR, Type 0xB, StartLBA 0xBAAB1D7, BlocksNum 0x6F6D8EA
17:46:28.0609 0756 ============================================================
17:46:28.0703 0756 C: <-> \Device\Harddisk0\DR0\Partition1
17:46:28.0703 0756 D: <-> \Device\Harddisk0\DR0\Partition2
17:46:28.0703 0756 ============================================================
17:46:28.0703 0756 Initialize success
17:46:28.0703 0756 ============================================================
17:46:35.0359 3384 ============================================================
17:46:35.0359 3384 Scan started
17:46:35.0359 3384 Mode: Manual;
17:46:35.0359 3384 ============================================================
17:46:39.0000 3384 ================ Scan system memory ========================
17:46:39.0000 3384 System memory - ok
17:46:39.0000 3384 ================ Scan services =============================
17:46:39.0875 3384 Abiosdsk - ok
17:46:39.0890 3384 abp480n5 - ok
17:46:40.0078 3384 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:46:40.0218 3384 ACPI - ok
17:46:40.0500 3384 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
17:46:40.0515 3384 ACPIEC - ok
17:46:40.0828 3384 [ A3E3552E9E99E9A690A12A25973EF30A ] ACS C:\WINDOWS\system32\acs.exe
17:46:41.0140 3384 ACS - ok
17:46:41.0140 3384 adpu160m - ok
17:46:41.0281 3384 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
17:46:41.0546 3384 aec - ok
17:46:41.0796 3384 [ 7E775010EF291DA96AD17CA4B17137D7 ] AFD C:\WINDOWS\System32\drivers\afd.sys
17:46:41.0890 3384 AFD - ok
17:46:41.0921 3384 Aha154x - ok
17:46:41.0937 3384 aic78u2 - ok
17:46:41.0953 3384 aic78xx - ok
17:46:42.0031 3384 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
17:46:42.0031 3384 Alerter - ok
17:46:42.0093 3384 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
17:46:42.0125 3384 ALG - ok
17:46:42.0140 3384 AliIde - ok
17:46:42.0140 3384 amsint - ok
17:46:42.0640 3384 [ 0A1CC583E8147004E4AD4625D7FBF88C ] AntiVirSchedulerService C:\Program Files\Avira\AntiVir Desktop\sched.exe
17:46:42.0687 3384 AntiVirSchedulerService - ok
17:46:42.0875 3384 [ C9A36EF935ACED86AEDF93E97E606911 ] AntiVirService C:\Program Files\Avira\AntiVir Desktop\avguard.exe
17:46:43.0000 3384 AntiVirService - ok
17:46:44.0953 3384 [ 70D7BE78061126DD0C3ACCDB7E129017 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
17:46:45.0187 3384 Apple Mobile Device - ok
17:46:45.0609 3384 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
17:46:45.0828 3384 AppMgmt - ok
17:46:47.0093 3384 [ 6D5F95602B8D0D994D31A864872B38EF ] AR5211 C:\WINDOWS\system32\DRIVERS\ar5211.sys
17:46:47.0656 3384 AR5211 - ok
17:46:49.0015 3384 [ 43CB9E73A60D27AD069046B88CC4EFEB ] AR5416 C:\WINDOWS\system32\DRIVERS\athw.sys
17:46:50.0609 3384 AR5416 - ok
17:46:50.0625 3384 asc - ok
17:46:50.0640 3384 asc3350p - ok
17:46:50.0750 3384 asc3550 - ok
17:46:51.0484 3384 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
17:46:52.0109 3384 aspnet_state - ok
17:46:52.0171 3384 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:46:52.0203 3384 AsyncMac - ok
17:46:52.0312 3384 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
17:46:52.0312 3384 atapi - ok
17:46:52.0890 3384 [ 5DD646E4C9E447D83D7E781EF202F709 ] AtcL002 C:\WINDOWS\system32\DRIVERS\l251x86.sys
17:46:52.0953 3384 AtcL002 - ok
17:46:52.0968 3384 Atdisk - ok
17:46:53.0390 3384 [ 29B2874B3956B62C0DBEA32D75A8E776 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
17:46:54.0046 3384 Ati HotKey Poller - ok
17:46:56.0593 3384 [ A1789368B4A31D2111AF7AEDA0C8D3FC ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
17:46:58.0671 3384 ati2mtag - ok
17:46:58.0937 3384 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:46:58.0984 3384 Atmarpc - ok
17:46:59.0093 3384 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
17:46:59.0125 3384 AudioSrv - ok
17:46:59.0171 3384 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
17:46:59.0171 3384 audstub - ok
17:46:59.0250 3384 [ D5541F0AFB767E85FC412FC609D96A74 ] avgntflt C:\WINDOWS\system32\DRIVERS\avgntflt.sys
17:46:59.0250 3384 avgntflt - ok
17:46:59.0406 3384 [ 7D967A682D4694DF7FA57D63A2DB01FE ] avipbb C:\WINDOWS\system32\DRIVERS\avipbb.sys
17:46:59.0437 3384 avipbb - ok
17:46:59.0484 3384 [ 271CFD1A989209B1964E24D969552BF7 ] avkmgr C:\WINDOWS\system32\DRIVERS\avkmgr.sys
17:46:59.0484 3384 avkmgr - ok
17:46:59.0531 3384 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
17:46:59.0546 3384 Beep - ok
17:47:00.0375 3384 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
17:47:00.0750 3384 BITS - ok
17:47:02.0953 3384 [ F2060A34C8A75BC24A9222EB4F8C07BD ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
17:47:03.0578 3384 Bonjour Service - ok
17:47:03.0687 3384 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll
17:47:03.0875 3384 Browser - ok
17:47:03.0890 3384 btaudio - ok
17:47:03.0906 3384 BTDriver - ok
17:47:04.0078 3384 [ B279426E3C0C344893ED78A613A73BDE ] BthEnum C:\WINDOWS\system32\DRIVERS\BthEnum.sys
17:47:04.0093 3384 BthEnum - ok
17:47:04.0171 3384 [ FCA6F069597B62D42495191ACE3FC6C1 ] BTHMODEM C:\WINDOWS\system32\DRIVERS\bthmodem.sys
17:47:04.0187 3384 BTHMODEM - ok
17:47:04.0250 3384 [ 80602B8746D3738F5886CE3D67EF06B6 ] BthPan C:\WINDOWS\system32\DRIVERS\bthpan.sys
17:47:04.0312 3384 BthPan - ok
17:47:04.0484 3384 [ 662BFD909447DD9CC15B1A1C366583B4 ] BTHPORT C:\WINDOWS\system32\Drivers\BTHport.sys
17:47:04.0734 3384 BTHPORT - ok
17:47:05.0000 3384 [ F4C43C66471B87996D95DB7A3A664A37 ] BthServ C:\WINDOWS\System32\bthserv.dll
17:47:05.0015 3384 BthServ - ok
17:47:05.0046 3384 [ 61364CD71EF63B0F038B7E9DF00F1EFA ] BTHUSB C:\WINDOWS\system32\Drivers\BTHUSB.sys
17:47:05.0062 3384 BTHUSB - ok
17:47:05.0078 3384 BTWDNDIS - ok
17:47:05.0093 3384 btwhid - ok
17:47:05.0109 3384 BTWUSB - ok
17:47:05.0312 3384 [ 5EF19C203288228354F8A98F80702D6B ] C2SCSI C:\WINDOWS\system32\drivers\C2SCSI.sys
17:47:05.0484 3384 C2SCSI - ok
17:47:05.0937 3384 catchme - ok
17:47:05.0968 3384 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
17:47:05.0984 3384 cbidf2k - ok
17:47:06.0078 3384 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
17:47:06.0093 3384 CCDECODE - ok
17:47:06.0109 3384 cd20xrnt - ok
17:47:06.0156 3384 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
17:47:06.0171 3384 Cdaudio - ok
17:47:06.0265 3384 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
17:47:06.0312 3384 Cdfs - ok
17:47:06.0406 3384 [ 6674BB4A919220D05BD002BBF6081AAA ] Cdr4_xp C:\WINDOWS\system32\drivers\Cdr4_xp.sys
17:47:06.0437 3384 Cdr4_xp - ok
17:47:06.0468 3384 [ 8822A9246C20AF99686E65710C7D6A5D ] Cdralw2k C:\WINDOWS\system32\drivers\Cdralw2k.sys
17:47:06.0484 3384 Cdralw2k - ok
17:47:06.0546 3384 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:47:06.0578 3384 Cdrom - ok
17:47:07.0062 3384 [ 66B9F9C62721F2347211C0C9BCCE4E98 ] cdudf_xp C:\WINDOWS\system32\drivers\cdudf_xp.sys
17:47:07.0359 3384 cdudf_xp - ok
17:47:07.0375 3384 Changer - ok
17:47:07.0421 3384 [ F6A0F51706CB4B0D5B8718FF69F831BA ] Cinemsup C:\WINDOWS\system32\drivers\Cinemsup.sys
17:47:07.0437 3384 Cinemsup - ok
17:47:07.0484 3384 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
17:47:07.0500 3384 CiSvc - ok
17:47:07.0546 3384 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
17:47:07.0562 3384 ClipSrv - ok
17:47:07.0656 3384 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:47:08.0359 3384 clr_optimization_v2.0.50727_32 - ok
17:47:08.0437 3384 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
17:47:08.0437 3384 CmBatt - ok
17:47:08.0453 3384 CmdIde - ok
17:47:08.0515 3384 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
17:47:08.0531 3384 Compbatt - ok
17:47:08.0546 3384 COMSysApp - ok
17:47:08.0578 3384 Cpqarray - ok
17:47:08.0687 3384 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
17:47:08.0734 3384 CryptSvc - ok
17:47:08.0750 3384 dac2w2k - ok
17:47:08.0765 3384 dac960nt - ok
17:47:09.0390 3384 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
17:47:09.0687 3384 DcomLaunch - ok
17:47:09.0812 3384 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
17:47:10.0000 3384 Dhcp - ok
17:47:10.0218 3384 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
17:47:10.0250 3384 Disk - ok
17:47:10.0250 3384 dmadmin - ok
17:47:10.0437 3384 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
17:47:10.0593 3384 dmboot - ok
17:47:10.0718 3384 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
17:47:10.0828 3384 dmio - ok
17:47:11.0156 3384 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
17:47:11.0156 3384 dmload - ok
17:47:11.0234 3384 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
17:47:11.0250 3384 dmserver - ok
17:47:11.0312 3384 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
17:47:11.0343 3384 DMusic - ok
17:47:11.0390 3384 [ 474B4DC3983173E4B4C9740B0DAC98A6 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
17:47:11.0421 3384 Dnscache - ok
17:47:11.0531 3384 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
17:47:11.0593 3384 Dot3svc - ok
17:47:11.0609 3384 dpti2o - ok
17:47:11.0625 3384 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
17:47:11.0625 3384 drmkaud - ok
17:47:11.0718 3384 [ 7DF2E645FBDA7CDE94FCABBA7F0DE4C2 ] drvmcdb C:\WINDOWS\system32\DRIVERS\drvmcdb.sys
17:47:11.0796 3384 drvmcdb - ok
17:47:11.0968 3384 [ 1D5EDA9961B16B8E800639038D7492AD ] DVDVRRdr_xp C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
17:47:12.0156 3384 DVDVRRdr_xp - ok
17:47:12.0359 3384 [ DF112F6F01EFEDC21C9BC5CE822CE1D3 ] dvd_2K C:\WINDOWS\system32\drivers\dvd_2K.sys
17:47:12.0390 3384 dvd_2K - ok
17:47:12.0437 3384 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
17:47:12.0453 3384 EapHost - ok
17:47:12.0515 3384 [ D71233D7CCC2E64F8715A20428D5A33B ] ElbyCDIO C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
17:47:12.0546 3384 ElbyCDIO - ok
17:47:12.0593 3384 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
17:47:12.0609 3384 ERSvc - ok
17:47:12.0734 3384 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
17:47:12.0828 3384 Eventlog - ok
17:47:13.0375 3384 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
17:47:13.0578 3384 EventSystem - ok
17:47:13.0750 3384 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
17:47:13.0875 3384 Fastfat - ok
17:47:14.0218 3384 [ 1926899BF9FFE2602B63074971700412 ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
17:47:14.0421 3384 FastUserSwitchingCompatibility - ok
17:47:14.0500 3384 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
17:47:14.0515 3384 Fdc - ok
17:47:14.0578 3384 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
17:47:14.0625 3384 Fips - ok
17:47:14.0671 3384 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
17:47:14.0687 3384 Flpydisk - ok
17:47:14.0796 3384 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
17:47:14.0890 3384 FltMgr - ok
17:47:15.0031 3384 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
17:47:15.0218 3384 FontCache3.0.0.0 - ok
17:47:15.0296 3384 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:47:15.0375 3384 Fs_Rec - ok
17:47:15.0500 3384 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:47:15.0593 3384 Ftdisk - ok
17:47:15.0671 3384 [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
17:47:15.0687 3384 GEARAspiWDM - ok
17:47:15.0828 3384 [ 63677825D08CF4458CAAE9EF2372E5D6 ] getPlusHelper C:\Program Files\NOS\bin\getPlus_Helper.dll
17:47:15.0875 3384 getPlusHelper - ok
17:47:16.0375 3384 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:47:16.0406 3384 Gpc - ok
17:47:16.0687 3384 [ C1B577B2169900F4CF7190C39F085794 ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
17:47:16.0796 3384 gusvc - ok
17:47:16.0921 3384 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
17:47:17.0140 3384 HDAudBus - ok
17:47:17.0484 3384 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:47:17.0515 3384 helpsvc - ok
17:47:17.0578 3384 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
17:47:17.0593 3384 HidServ - ok
17:47:17.0640 3384 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:47:17.0656 3384 HidUsb - ok
17:47:17.0718 3384 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
17:47:17.0750 3384 hkmsvc - ok
17:47:17.0765 3384 hpn - ok
17:47:17.0828 3384 [ CBD09ED9CF6822177EE85AEA4D8816A2 ] HTCAND32 C:\WINDOWS\system32\Drivers\ANDROIDUSB.sys
17:47:17.0843 3384 HTCAND32 - ok
17:47:17.0906 3384 [ 04E3B3554076B8192A668EFE88A682A1 ] htcnprot C:\WINDOWS\system32\DRIVERS\htcnprot.sys
17:47:17.0921 3384 htcnprot - ok
17:47:18.0437 3384 [ F6AACF5BCE2893E0C1754AFEB672E5C9 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
17:47:18.0640 3384 HTTP - ok
17:47:18.0671 3384 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
17:47:18.0687 3384 HTTPFilter - ok
17:47:18.0687 3384 i2omgmt - ok
17:47:18.0703 3384 i2omp - ok
17:47:18.0765 3384 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:47:18.0812 3384 i8042prt - ok
17:47:18.0921 3384 [ 6F95324909B502E2651442C1548AB12F ] IDriverT C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
17:47:18.0968 3384 IDriverT - ok
17:47:19.0687 3384 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
17:47:20.0109 3384 idsvc - ok
17:47:20.0437 3384 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
17:47:20.0468 3384 Imapi - ok
17:47:20.0625 3384 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
17:47:20.0734 3384 ImapiService - ok
17:47:20.0750 3384 ini910u - ok
17:47:25.0593 3384 [ 47F27AF890DA3E51C633FDD510910115 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
17:47:30.0031 3384 IntcAzAudAddService - ok
17:47:30.0046 3384 IntelIde - ok
17:47:30.0093 3384 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:47:30.0125 3384 intelppm - ok
17:47:30.0171 3384 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
17:47:30.0187 3384 Ip6Fw - ok
17:47:30.0250 3384 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:47:30.0265 3384 IpFilterDriver - ok
17:47:30.0296 3384 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:47:30.0312 3384 IpInIp - ok
17:47:30.0703 3384 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:47:30.0765 3384 IpNat - ok
17:47:31.0781 3384 [ 3384D1961CE2698C29914F43A29EF823 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
17:47:32.0703 3384 iPod Service - ok
17:47:32.0828 3384 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:47:32.0890 3384 IPSec - ok
17:47:33.0000 3384 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
17:47:33.0000 3384 IRENUM - ok
17:47:33.0062 3384 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:47:33.0093 3384 isapnp - ok
17:47:33.0578 3384 [ 0E410EDC8D0527801B899CF29E60597C ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
17:47:33.0843 3384 JavaQuickStarterService - ok
17:47:34.0125 3384 [ 928034ECCE50DC6AB6C4CD575B78BD10 ] JoinMEUI Assistant Service C:\Program Files\PC Suite\JoinMEAssistantServices.exe
17:47:34.0328 3384 JoinMEUI Assistant Service - ok
17:47:34.0390 3384 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:47:34.0406 3384 Kbdclass - ok
17:47:34.0734 3384 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:47:34.0750 3384 kbdhid - ok
17:47:34.0765 3384 [ CC2A86D7BBF14977340DCA61BBCBA771 ] kbfiltr C:\WINDOWS\system32\DRIVERS\kbfiltr.sys
17:47:34.0765 3384 kbfiltr - ok
17:47:34.0937 3384 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
17:47:35.0062 3384 kmixer - ok
17:47:35.0187 3384 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
17:47:35.0250 3384 KSecDD - ok
17:47:35.0343 3384 [ F385F4B02C535BFFE1D70CAB80838123 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
17:47:35.0515 3384 lanmanserver - ok
17:47:35.0828 3384 [ A8888A5327621856C0CEC4E385F69309 ] LanmanWorkstation C:\WINDOWS\System32\wkssvc.dll
17:47:35.0937 3384 LanmanWorkstation - ok
17:47:35.0937 3384 lbrtfdc - ok
17:47:36.0000 3384 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
17:47:36.0000 3384 LmHosts - ok
17:47:36.0046 3384 [ 38BFA8FA6D838CBAB58A1C2B49EBF96B ] massfilter_hs C:\WINDOWS\system32\drivers\massfilter_hs.sys
17:47:36.0046 3384 massfilter_hs - ok
17:47:36.0109 3384 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
17:47:36.0125 3384 Messenger - ok
17:47:36.0156 3384 [ A52ED33515755E825D090A47793B773F ] mmc_2K C:\WINDOWS\system32\drivers\mmc_2K.sys
17:47:36.0171 3384 mmc_2K - ok
17:47:36.0203 3384 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
17:47:36.0234 3384 mnmdd - ok
17:47:36.0296 3384 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
17:47:36.0328 3384 mnmsrvc - ok
17:47:36.0375 3384 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
17:47:36.0406 3384 Modem - ok
17:47:36.0468 3384 [ 1992E0D143B09653AB0F9C5E04B0FD65 ] MODEMCSA C:\WINDOWS\system32\drivers\MODEMCSA.sys
17:47:36.0593 3384 MODEMCSA - ok
17:47:36.0765 3384 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:47:36.0781 3384 Mouclass - ok
17:47:36.0812 3384 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:47:36.0828 3384 mouhid - ok
17:47:36.0875 3384 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
17:47:36.0906 3384 MountMgr - ok
17:47:37.0046 3384 [ 4D7F2682D29B92A6251B17957AA0B985 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
17:47:37.0140 3384 MozillaMaintenance - ok
17:47:37.0140 3384 mraid35x - ok
17:47:37.0296 3384 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:47:37.0437 3384 MRxDAV - ok
17:47:38.0062 3384 [ 60AE98742484E7AB80C3C1450E708148 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:47:38.0453 3384 MRxSmb - ok
17:47:38.0750 3384 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
17:47:38.0765 3384 MSDTC - ok
17:47:38.0812 3384 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
17:47:38.0828 3384 Msfs - ok
17:47:38.0828 3384 MSIServer - ok
17:47:38.0890 3384 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:47:38.0890 3384 MSKSSRV - ok
17:47:38.0921 3384 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:47:38.0921 3384 MSPCLOCK - ok
17:47:38.0937 3384 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
17:47:38.0937 3384 MSPQM - ok
17:47:38.0984 3384 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:47:39.0000 3384 mssmbios - ok
17:47:39.0046 3384 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
17:47:39.0046 3384 MSTEE - ok
17:47:39.0093 3384 [ 97AFFA9D95FFE20EEE6229BC6BE166CF ] MTsensor C:\WINDOWS\system32\DRIVERS\ATKACPI.sys
17:47:39.0093 3384 MTsensor - ok
17:47:39.0187 3384 [ 2F625D11385B1A94360BFC70AAEFDEE1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
17:47:39.0265 3384 Mup - ok
17:47:39.0328 3384 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
17:47:39.0359 3384 NABTSFEC - ok
17:47:39.0843 3384 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
17:47:40.0000 3384 napagent - ok
17:47:40.0171 3384 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
17:47:40.0296 3384 NDIS - ok
17:47:40.0359 3384 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
17:47:40.0375 3384 NdisIP - ok
17:47:40.0421 3384 [ 1AB3D00C991AB086E69DB84B6C0ED78F ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:47:40.0421 3384 NdisTapi - ok
17:47:40.0750 3384 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:47:40.0750 3384 Ndisuio - ok
17:47:40.0828 3384 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:47:40.0906 3384 NdisWan - ok
17:47:40.0937 3384 [ 6215023940CFD3702B46ABC304E1D45A ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
17:47:40.0968 3384 NDProxy - ok
17:47:41.0015 3384 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
17:47:41.0031 3384 NetBIOS - ok
17:47:41.0171 3384 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
17:47:41.0281 3384 NetBT - ok
17:47:41.0375 3384 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
17:47:41.0484 3384 NetDDE - ok
17:47:41.0765 3384 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
17:47:41.0765 3384 NetDDEdsdm - ok
17:47:41.0812 3384 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
17:47:41.0828 3384 Netlogon - ok
17:47:41.0984 3384 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
17:47:42.0125 3384 Netman - ok
17:47:42.0218 3384 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
17:47:42.0281 3384 NetTcpPortSharing - ok
17:47:42.0500 3384 [ 832E4DD8964AB7ACC880B2837CB1ED20 ] Nla C:\WINDOWS\System32\mswsock.dll
17:47:42.0890 3384 Nla - ok
17:47:42.0937 3384 NMIndexingService - ok
17:47:43.0015 3384 [ 0E58F99692802C501454EAC3D2AC3394 ] nosGetPlusHelper C:\Program Files\NOS\bin\getPlus_Helper_3004.dll
17:47:43.0046 3384 nosGetPlusHelper - ok
17:47:43.0125 3384 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
17:47:43.0140 3384 Npfs - ok
17:47:43.0265 3384 [ 53F7546E8DAEFB3A0813F5E19C4613C9 ] NSNDIS5 C:\WINDOWS\system32\NSNDIS5.SYS
17:47:43.0265 3384 NSNDIS5 - ok
17:47:43.0906 3384 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
17:47:44.0406 3384 Ntfs - ok
17:47:44.0453 3384 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
17:47:44.0453 3384 NtLmSsp - ok
17:47:44.0718 3384 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
17:47:44.0937 3384 NtmsSvc - ok
17:47:44.0968 3384 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
17:47:44.0968 3384 Null - ok
17:47:45.0000 3384 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:47:45.0015 3384 NwlnkFlt - ok
17:47:45.0046 3384 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:47:45.0078 3384 NwlnkFwd - ok
17:47:45.0078 3384 OracleDBConsolesean01 - ok
17:47:45.0078 3384 OracleOraDb10g_home1TNSListener - ok
17:47:45.0234 3384 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
17:47:45.0296 3384 ose - ok
17:47:45.0390 3384 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
17:47:45.0437 3384 Parport - ok
17:47:45.0468 3384 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
17:47:45.0484 3384 PartMgr - ok
17:47:45.0531 3384 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
17:47:45.0531 3384 ParVdm - ok
17:47:45.0656 3384 [ 39B9DCD7040654C2E57D7396736C718E ] PassThru Service C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
17:47:45.0718 3384 PassThru Service - ok
17:47:45.0781 3384 [ FD2041E9BA03DB7764B2248F02475079 ] pccsmcfd C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
17:47:45.0796 3384 pccsmcfd - ok
17:47:45.0843 3384 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
17:47:45.0890 3384 PCI - ok
17:47:45.0906 3384 PCIDump - ok
17:47:45.0937 3384 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
17:47:45.0937 3384 PCIIde - ok
17:47:46.0046 3384 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
17:47:46.0109 3384 Pcmcia - ok
17:47:46.0125 3384 PDCOMP - ok
17:47:46.0140 3384 PDFRAME - ok
17:47:46.0140 3384 PDRELI - ok
17:47:46.0156 3384 PDRFRAME - ok
17:47:46.0171 3384 perc2 - ok
17:47:46.0187 3384 perc2hib - ok
17:47:46.0312 3384 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
17:47:46.0312 3384 PlugPlay - ok
17:47:46.0328 3384 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
17:47:46.0328 3384 PolicyAgent - ok
17:47:46.0390 3384 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:47:46.0421 3384 PptpMiniport - ok
17:47:46.0468 3384 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
17:47:46.0468 3384 ProtectedStorage - ok
17:47:46.0515 3384 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
17:47:46.0578 3384 PSched - ok
17:47:46.0593 3384 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:47:46.0609 3384 Ptilink - ok
17:47:46.0734 3384 [ 62D29677F6A7F018C5D49119CEA67DE5 ] pwd_2k C:\WINDOWS\system32\drivers\pwd_2k.sys
17:47:46.0828 3384 pwd_2k - ok
17:47:46.0890 3384 [ 183EF96BCC2EC3D5294CB2C2C0ECBCD1 ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:47:46.0906 3384 PxHelp20 - ok
17:47:46.0921 3384 ql1080 - ok
17:47:46.0921 3384 Ql10wnt - ok
17:47:46.0937 3384 ql12160 - ok
17:47:46.0953 3384 ql1240 - ok
17:47:46.0953 3384 ql1280 - ok
17:47:47.0281 3384 [ 9054C4B91761773F0EFA59BED70C54B6 ] RapportCerberus_42020 C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys
17:47:47.0453 3384 RapportCerberus_42020 - ok
17:47:47.0687 3384 [ 032C53D286711390505A2DA074B36401 ] RapportEI C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
17:47:47.0750 3384 RapportEI - ok
17:47:47.0875 3384 [ 35199EC35EDC7DCBA71FDA711DFB05C0 ] RapportIaso c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys
17:47:47.0875 3384 RapportIaso - ok
17:47:47.0937 3384 [ 91FBC51EAC56DF03A8FE409C5CAF260D ] RapportKELL C:\WINDOWS\system32\Drivers\RapportKELL.sys
17:47:47.0984 3384 RapportKELL - ok
17:47:48.0781 3384 [ 65AA99CB303BA21F9ACC8C1374A14798 ] RapportMgmtService C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
17:47:49.0546 3384 RapportMgmtService - ok
17:47:49.0796 3384 [ 57195D4E4E6F2F9E38BA586C37ACD83A ] RapportPG C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
17:47:49.0937 3384 RapportPG - ok
17:47:49.0953 3384 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:47:49.0984 3384 RasAcd - ok
17:47:50.0062 3384 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
17:47:50.0109 3384 RasAuto - ok
17:47:50.0171 3384 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:47:50.0203 3384 Rasl2tp - ok
17:47:50.0390 3384 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
17:47:50.0531 3384 RasMan - ok
17:47:50.0578 3384 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:47:50.0625 3384 RasPppoe - ok
17:47:50.0640 3384 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
17:47:50.0656 3384 Raspti - ok
17:47:50.0812 3384 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:47:50.0937 3384 Rdbss - ok
17:47:50.0953 3384 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:47:50.0968 3384 RDPCDD - ok
17:47:51.0125 3384 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:47:51.0265 3384 rdpdr - ok
17:47:51.0375 3384 [ 6728E45B66F93C08F11DE2E316FC70DD ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
17:47:51.0484 3384 RDPWD - ok
17:47:51.0625 3384 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
17:47:51.0765 3384 RDSessMgr - ok
17:47:51.0828 3384 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
17:47:51.0875 3384 redbook - ok
17:47:51.0937 3384 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
17:47:51.0968 3384 RemoteAccess - ok
17:47:52.0046 3384 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
17:47:52.0093 3384 RemoteRegistry - ok
17:47:52.0171 3384 [ 851C30DF2807FCFA21E4C681A7D6440E ] RFCOMM C:\WINDOWS\system32\DRIVERS\rfcomm.sys
17:47:52.0203 3384 RFCOMM - ok
17:47:52.0265 3384 [ D8B0B4ADE32574B2D9C5CC34DC0DBBE7 ] ROOTMODEM C:\WINDOWS\system32\Drivers\RootMdm.sys
17:47:52.0265 3384 ROOTMODEM - ok
17:47:52.0343 3384 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
17:47:52.0406 3384 RpcLocator - ok
17:47:52.0718 3384 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
17:47:52.0734 3384 RpcSs - ok
17:47:52.0875 3384 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
17:47:52.0984 3384 RSVP - ok
17:47:53.0031 3384 [ DAAF657C0B5BD0595669496857040F75 ] RTSTOR C:\WINDOWS\system32\drivers\RTSTOR.SYS
17:47:53.0046 3384 RTSTOR - ok
17:47:53.0078 3384 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
17:47:53.0078 3384 SamSs - ok
17:47:53.0203 3384 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
17:47:53.0281 3384 SCardSvr - ok
17:47:53.0468 3384 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
17:47:53.0656 3384 Schedule - ok
17:47:53.0703 3384 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:47:53.0718 3384 Secdrv - ok
17:47:53.0765 3384 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
17:47:53.0781 3384 seclogon - ok
17:47:53.0859 3384 [ E5B56569A9F79B70314FEDE6C953641E ] seehcri C:\WINDOWS\system32\DRIVERS\seehcri.sys
17:47:53.0875 3384 seehcri - ok
17:47:53.0921 3384 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
17:47:53.0953 3384 SENS - ok
17:47:54.0015 3384 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
17:47:54.0078 3384 Serial - ok
17:47:54.0468 3384 [ 2D841B7B7F6DEC32162EDFCC69D61F42 ] ServiceLayer C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
17:47:54.0828 3384 ServiceLayer - ok
17:47:54.0890 3384 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
17:47:54.0906 3384 Sfloppy - ok
17:47:55.0125 3384 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
17:47:55.0296 3384 SharedAccess - ok
17:47:55.0421 3384 [ 1926899BF9FFE2602B63074971700412 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
17:47:55.0421 3384 ShellHWDetection - ok
17:47:55.0437 3384 Simbad - ok
17:47:58.0125 3384 [ 753D254205E0A62100A050BD8B458D06 ] Skype C2C Service C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
17:48:00.0765 3384 Skype C2C Service - ok
17:48:01.0093 3384 [ F07AF60B152221472FBDB2FECEC4896D ] SkypeUpdate C:\Program Files\Skype\Updater\Updater.exe
17:48:01.0250 3384 SkypeUpdate - ok
17:48:01.0296 3384 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
17:48:01.0312 3384 SLIP - ok
17:48:02.0187 3384 [ D9BFD2298F5CF116D8EAAE3B02DCEE2E ] smserial C:\WINDOWS\system32\DRIVERS\smserial.sys
17:48:03.0062 3384 smserial - ok
17:48:03.0171 3384 [ DB3C22745C0DA4666F3BE31F1AF36B2F ] SMTPSVC C:\WINDOWS\system32\inetsrv\inetinfo.exe
17:48:03.0187 3384 SMTPSVC - ok
17:48:16.0375 3384 [ 11BB0E11D42CC3A43D741D9B30839BE1 ] SNPSTD3 C:\WINDOWS\system32\DRIVERS\snpstd3.sys
17:48:28.0640 3384 SNPSTD3 - ok
17:48:28.0718 3384 [ A1ECEEAA5C5E74B2499EB51D38185B84 ] SONYPVU1 C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
17:48:28.0734 3384 SONYPVU1 - ok
17:48:28.0750 3384 Sparrow - ok
17:48:28.0781 3384 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
17:48:28.0781 3384 splitter - ok
17:48:28.0890 3384 [ D8E14A61ACC1D4A6CD0D38AEBAC7FA3B ] Spooler C:\WINDOWS\system32\spoolsv.exe
17:48:28.0937 3384 Spooler - ok
17:48:29.0156 3384 [ 539D0391B680E6FDF5D9004F42902B1B ] sprtsvc_O2 C:\Program Files\O2\bin\sprtsvc.exe
17:48:29.0281 3384 sprtsvc_O2 - ok
17:48:29.0890 3384 [ CDDDEC541BC3C96F91ECB48759673505 ] sptd C:\WINDOWS\system32\Drivers\sptd.sys
17:48:29.0890 3384 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: CDDDEC541BC3C96F91ECB48759673505
17:48:29.0890 3384 sptd ( LockedFile.Multi.Generic ) - warning
17:48:29.0890 3384 sptd - detected LockedFile.Multi.Generic (1)
17:48:29.0968 3384 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
17:48:30.0031 3384 sr - ok
17:48:30.0187 3384 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
17:48:30.0312 3384 srservice - ok
17:48:30.0578 3384 [ 3BB03F2BA89D2BE417206C373D2AF17C ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
17:48:30.0828 3384 Srv - ok
17:48:30.0906 3384 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
17:48:30.0968 3384 SSDPSRV - ok
17:48:31.0046 3384 [ A36EE93698802CD899F98BFD553D8185 ] ssmdrv C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
17:48:31.0046 3384 ssmdrv - ok
17:48:31.0296 3384 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
17:48:31.0546 3384 stisvc - ok
17:48:31.0578 3384 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
17:48:31.0593 3384 streamip - ok
17:48:31.0953 3384 [ 882FC174AC21C536E41351AFF58A7D7D ] SupportSoft RemoteAssist C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
17:48:32.0250 3384 SupportSoft RemoteAssist - ok
17:48:32.0281 3384 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
17:48:32.0281 3384 swenum - ok
17:48:32.0375 3384 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
17:48:32.0406 3384 swmidi - ok
17:48:32.0421 3384 SwPrv - ok
17:48:32.0453 3384 symc810 - ok
17:48:32.0468 3384 symc8xx - ok
17:48:32.0484 3384 sym_hi - ok
17:48:32.0484 3384 sym_u3 - ok
17:48:32.0656 3384 [ 69BF2DD9B1099D1AA3E7CF14B4B842CD ] SynTP C:\WINDOWS\system32\DRIVERS\SynTP.sys
17:48:32.0796 3384 SynTP - ok
17:48:32.0875 3384 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
17:48:32.0921 3384 sysaudio - ok
17:48:33.0031 3384 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
17:48:33.0093 3384 SysmonLog - ok
17:48:33.0312 3384 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
17:48:33.0500 3384 TapiSrv - ok
17:48:33.0781 3384 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:48:34.0093 3384 Tcpip - ok
17:48:34.0140 3384 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
17:48:34.0140 3384 TDPIPE - ok
17:48:34.0187 3384 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
17:48:34.0203 3384 TDTCP - ok
17:48:34.0265 3384 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
17:48:34.0296 3384 TermDD - ok
17:48:34.0546 3384 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
17:48:34.0765 3384 TermService - ok
17:48:34.0937 3384 [ 1926899BF9FFE2602B63074971700412 ] Themes C:\WINDOWS\System32\shsvcs.dll
17:48:34.0937 3384 Themes - ok
17:48:35.0000 3384 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
17:48:35.0046 3384 TlntSvr - ok
17:48:35.0046 3384 TosIde - ok
17:48:35.0125 3384 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
17:48:35.0187 3384 TrkWks - ok
17:48:35.0359 3384 [ FD0B16F8828F360390135031D8924CCD ] UDFReadr C:\WINDOWS\system32\drivers\UDFReadr.sys
17:48:35.0515 3384 UDFReadr - ok
17:48:35.0578 3384 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
17:48:35.0625 3384 Udfs - ok
17:48:35.0640 3384 ultra - ok
17:48:35.0953 3384 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
17:48:36.0234 3384 Update - ok
17:48:36.0375 3384 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
17:48:36.0468 3384 upnphost - ok
17:48:36.0500 3384 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
17:48:36.0515 3384 UPS - ok
17:48:36.0593 3384 [ 4B8A9C16B6D9258ED99C512AECB8C555 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
17:48:36.0625 3384 USBAAPL - ok
17:48:36.0687 3384 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:48:36.0703 3384 usbccgp - ok
17:48:36.0765 3384 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:48:36.0781 3384 usbehci - ok
17:48:36.0875 3384 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:48:36.0921 3384 usbhub - ok
17:48:36.0984 3384 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys
17:48:37.0000 3384 usbohci - ok
17:48:37.0062 3384 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:48:37.0078 3384 usbprint - ok
17:48:37.0125 3384 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:48:37.0140 3384 usbscan - ok
17:48:37.0187 3384 [ A32426D9B14A089EAA1D922E0C5801A9 ] usbstor C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:48:37.0218 3384 usbstor - ok
17:48:37.0265 3384 [ FCE98C43B5C5DB8E0DA8EA0E2B45E044 ] VClone C:\WINDOWS\system32\DRIVERS\VClone.sys
17:48:37.0296 3384 VClone - ok
17:48:37.0343 3384 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
17:48:37.0359 3384 VgaSave - ok
17:48:37.0359 3384 ViaIde - ok
17:48:37.0421 3384 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
17:48:37.0468 3384 VolSnap - ok
17:48:37.0734 3384 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
17:48:37.0953 3384 VSS - ok
17:48:38.0109 3384 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
17:48:38.0250 3384 W32Time - ok
17:48:38.0296 3384 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:48:38.0328 3384 Wanarp - ok
17:48:38.0734 3384 [ 4769596D7CC0F5FA447D2BABC239672A ] Wdf01000 C:\WINDOWS\system32\Drivers\wdf01000.sys
17:48:39.0109 3384 Wdf01000 - ok
17:48:39.0109 3384 WDICA - ok
17:48:39.0203 3384 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
17:48:39.0265 3384 wdmaud - ok
17:48:39.0359 3384 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
17:48:39.0421 3384 WebClient - ok
17:48:39.0640 3384 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
17:48:39.0750 3384 winmgmt - ok
17:48:39.0859 3384 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
17:48:39.0875 3384 WmdmPmSN - ok
17:48:40.0390 3384 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
17:48:40.0812 3384 Wmi - ok
17:48:40.0968 3384 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
17:48:41.0078 3384 WmiApSrv - ok
17:48:41.0625 3384 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
17:48:42.0078 3384 WMPNetworkSvc - ok
17:48:42.0125 3384 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:48:42.0125 3384 WS2IFSL - ok
17:48:42.0234 3384 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
17:48:42.0296 3384 wscsvc - ok
17:48:42.0406 3384 [ 8FEDE6CF2EB103EF1274CE2C9D8EE0E7 ] WSIMD C:\WINDOWS\system32\DRIVERS\wsimd.sys
17:48:42.0453 3384 WSIMD - ok
17:48:42.0484 3384 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:48:42.0500 3384 WSTCODEC - ok
17:48:42.0531 3384 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
17:48:42.0546 3384 wuauserv - ok
17:48:42.0656 3384 [ EAA6324F51214D2F6718977EC9CE0DEF ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:48:42.0734 3384 WudfPf - ok
17:48:42.0828 3384 [ F91FF1E51FCA30B3C3981DB7D5924252 ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:48:42.0906 3384 WudfRd - ok
17:48:42.0984 3384 [ DDEE3682FE97037C45F4D7AB467CB8B6 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
17:48:43.0046 3384 WudfSvc - ok
17:48:43.0437 3384 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
17:48:43.0796 3384 WZCSVC - ok
17:48:43.0906 3384 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
17:48:43.0984 3384 xmlprov - ok
17:48:44.0078 3384 [ FF737AF88F2198DC63A3BEDF21F3C657 ] zgwhsdiag C:\WINDOWS\system32\DRIVERS\zgwhsdiag.sys
17:48:44.0125 3384 zgwhsdiag - ok
17:48:44.0218 3384 [ FF737AF88F2198DC63A3BEDF21F3C657 ] zgwhsmdm C:\WINDOWS\system32\DRIVERS\zgwhsmdm.sys
17:48:44.0265 3384 zgwhsmdm - ok
17:48:44.0359 3384 [ FF737AF88F2198DC63A3BEDF21F3C657 ] zgwhsnmea C:\WINDOWS\system32\DRIVERS\zgwhsnmea.sys
17:48:44.0421 3384 zgwhsnmea - ok
17:48:44.0453 3384 ================ Scan global ===============================
17:48:44.0531 3384 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
17:48:44.0812 3384 [ 1618F36D4F7F6CCCEB3EE44BA95BE85C ] C:\WINDOWS\system32\winsrv.dll
17:48:45.0296 3384 [ 1618F36D4F7F6CCCEB3EE44BA95BE85C ] C:\WINDOWS\system32\winsrv.dll
17:48:45.0406 3384 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
17:48:45.0406 3384 [Global] - ok
17:48:45.0406 3384 ================ Scan MBR ==================================
17:48:45.0453 3384 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
17:48:45.0843 3384 \Device\Harddisk0\DR0 - ok
17:48:45.0843 3384 ================ Scan VBR ==================================
17:48:45.0859 3384 [ 697FF5EE4E5E4BD427DFF7413B37C9E4 ] \Device\Harddisk0\DR0\Partition1
17:48:45.0875 3384 \Device\Harddisk0\DR0\Partition1 - ok
17:48:45.0906 3384 [ D80261F2F2D8B27A08F4CFE8540EA6C0 ] \Device\Harddisk0\DR0\Partition2
17:48:45.0906 3384 \Device\Harddisk0\DR0\Partition2 - ok
17:48:45.0906 3384 ============================================================
17:48:45.0906 3384 Scan finished
17:48:45.0906 3384 ============================================================
17:48:45.0937 1596 Detected object count: 1
17:48:45.0937 1596 Actual detected object count: 1
17:48:57.0703 1596 sptd ( LockedFile.Multi.Generic ) - skipped by user
17:48:57.0703 1596 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
17:49:02.0312 3192 Deinitialize success
>>>>>>>>>> DDS Log file

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_35
Run by sandra at 17:58:36 on 2012-10-16
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.613 [GMT 1:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sandra\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211294225812
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://webcam1.ttu.ee/activex/AMC.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.salisbury.edu/activex/AxisCamControl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A97A08D4-B39E-4E5F-A1D4-622F067B28E0} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sandra\application data\mozilla\firefox\profiles\ti4a0nad.default\
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-9-22 65848]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-14 36000]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [2009-5-28 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-10 228376]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-9-22 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-9-22 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-14 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-14 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-14 83392]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-9-22 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-28 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-7-28 27632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2012-3-31 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2010-7-28 9728]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-10-14 115168]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-8-17 14336]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2010-7-28 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2010-7-28 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2010-7-28 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\pc suite\JoinMEAssistantServices.exe [2010-7-28 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\db_1\bin\tnslsnr --> c:\oracle\product\10.1.0\db_1\bin\TNSLSNR [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
.
=============== Created Last 30 ================
.
2012-10-16 16:45:16 -------- d-----w- C:\tdskiller
2012-10-14 21:05:32 -------- d-----w- c:\program files\ESET
2012-10-14 20:05:27 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-14 20:00:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-14 19:51:00 18912 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2012-10-14 19:44:55 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-10-14 19:44:04 21472 ----a-w- c:\program files\mozilla firefox\plc4.dll
2012-10-14 19:44:04 20960 ----a-w- c:\program files\mozilla firefox\plds4.dll
2012-10-14 19:44:04 16864 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2012-10-14 19:44:03 91104 ----a-w- c:\program files\mozilla firefox\smime3.dll
2012-10-14 19:44:03 889848 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2012-10-14 19:44:03 270816 ----a-w- c:\program files\mozilla firefox\updater.exe
2012-10-14 19:44:03 19424 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2012-10-14 19:44:03 155104 ----a-w- c:\program files\mozilla firefox\softokn3.dll
2012-10-14 19:44:03 145376 ----a-w- c:\program files\mozilla firefox\ssl3.dll
2012-10-14 19:43:49 14676960 ----a-w- c:\program files\mozilla firefox\xul.dll
2012-10-12 17:27:53 -------- d-sha-r- C:\cmdcons
2012-10-12 17:24:15 98816 ----a-w- c:\windows\sed.exe
2012-10-12 17:24:15 518144 ----a-w- c:\windows\SWREG.exe
2012-10-12 17:24:15 256000 ----a-w- c:\windows\PEV.exe
2012-10-12 17:24:15 208896 ----a-w- c:\windows\MBR.exe
2012-10-08 20:46:52 -------- d-----w- C:\logfiles
2012-10-05 22:31:12 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-10-05 22:12:09 1205 ----a-w- C:\registryfix.reg
2012-10-05 06:21:08 -------- d-----w- c:\documents and settings\sandra\application data\Malwarebytes
2012-10-05 00:21:12 -------- d-----w- c:\documents and settings\all users\application data\1B61202FF1FA8DB800491B60D75D1B70
2012-09-22 15:34:42 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2012-10-14 20:04:05 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-07 16:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 22:01:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-25 22:01:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2003-08-27 14:19:18 36963 -c--a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 18:00:08.82 ===============

Blade81
2012-10-17, 06:47
Hi,

Follow the steps under "How to run Chkdsk from My Computer or from Windows Explorer" here (http://support.microsoft.com/kb/315265/en-us) to check the C: and D: drives for errors.

After that, run the defrag process for both hard drives by following method 1 here (http://support.microsoft.com/kb/314848/en-us).

Any improvements?

cobolguy
2012-10-17, 22:24
Hi there.

Thought I would update the posting. Carried out the checkdisk process, nothing untoward.

Currently carrying out defrag process (using different laptop to do this post). It's going to take quite some time.

Some things I've noticed about the laptop.

It takes ages to boot into windows (both in normal & safe mode).

For quite some time during bootup, and after the startup services have been loaded, over 50% of CPU is being consumed by something, so ...

Using a utility supplied by Microsoft called Process Explorer, I was able to see active processes. Something called Interrupt, which had the description hardware interrupts & DPCs, seemed to be consuming over 50% CPU on some occasions. This would then fall back to around zero until I executed a program (say Internet Explorer, Adobe, etc.) and the CPU these processes consumed went back up to around 50% for a while, then back to around zero.

I was also thinking of starting to uninstall programs and seeing if I have a faulty driver somewhere, deleting Java and emptying the Java cache.

If this does not work, I'm beginning to think about a reinstall (Windows repair first); if this fails, then a rebuild :oops:

Comments appreciated.

Regards

Sean

cobolguy
2012-10-18, 10:50
Defrag successfully completed. Cold restart of laptop, no improvement in performance :shrug: :confused:

Blade81
2012-10-18, 18:04
Hi,

It sounds like a repair install (or total reinstall) of the operating system is the only sensible option at this point.

cobolguy
2012-10-21, 13:19
I decided not to give up on this. I've run Malwarebytes and it found Trojan.0Access. Been doing a bit of reading on this. Seems to be rather nasty. Any comments, please?

Blade81
2012-10-21, 16:57
Hi,

Please post Malwarebytes' log showing the finding back here.

cobolguy
2012-10-21, 21:15
Hi there

Here is the log that identified the trojan

>>>>>>>>>>>>>>>>>>>>>>

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.21.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
sean :: LAPTOP02 [administrator]

21/10/2012 11:40:56
mbam-log-2012-10-21 (11-40-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235226
Time elapsed: 17 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-4204088417-295494685-3788373613-1005\$98ad7842c027c8aa8652993848f8330a\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

>>>>>>>>>>>>>>>>>>>>>>>>>>>

Re-ran Malwarebytes after cleaning. Here is the log.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.21.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
sean :: LAPTOP02 [administrator]

21/10/2012 12:27:38
mbam-log-2012-10-21 (12-27-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235601
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

>>>>>>>>>>>>>>>>>

At the moment my laptop is booting up as normal. Any comments as to housekeeping would be appreciated.

Regards

Sean

Blade81
2012-10-21, 21:37
Hi,

Seems that you had a newer variant of ZeroAccess there. Let's run ComboFix one more time. Let it update itself when prompted and post back the log. If nothing bad shows up there (and the symptoms stay away) I'll post you a list of the final steps.

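The Malwarebytes finding above is the COM hijack ZeroAccess uses: the InProcServer32 default of a shell32 CLSID is redirected to a file hidden under C:\RECYCLER. The following is an added example (not code from the thread or from any tool mentioned in it) that flags such hijacks in a REGEDIT4-style registry export and extracts the "Registry Data Items" entries from a Malwarebytes log; the sample inputs are constructed, and the SID, hash-named folder and second CLSID in them are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not from the thread. Paths under these prefixes are treated as the
# normal homes of COM servers; anything else (and anything under the Recycle Bin)
# is reported for a human to look at.
TRUSTED_DIRS = ("%systemroot%\\", "c:\\windows\\", "c:\\program files\\")
RECYCLER_MARKERS = ("\\recycler\\", "\\$recycle.bin\\")

REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT4-style text export into {key: {value_name: data}}.

    Only string values are handled, which is enough for InProcServer32 defaults.
    A .reg file escapes a backslash as '\\\\'; that is undone here.
    """
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


@dataclass
class Finding:
    key: str
    server: str
    reason: str


def classify_server_path(server: str) -> Optional[str]:
    """Return why an InProcServer32 path looks hijacked, or None if it looks normal."""
    s = server.lower()
    if any(marker in s for marker in RECYCLER_MARKERS):
        return "in-process server lives under the Recycle Bin folder"
    if s.endswith("."):
        return "file name ends with a trailing dot"
    if "\\" not in s:
        return None  # bare name such as shell32.dll: resolved from the system path
    if not s.startswith(TRUSTED_DIRS):
        return "in-process server outside Windows/Program Files"
    return None


def suspicious_inprocserver32(reg: dict) -> list:
    """Check the default value of every ...\\InProcServer32 key in a parsed export."""
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        server = values.get("@", "")
        reason = classify_server_path(server)
        if reason:
            findings.append(Finding(key, server, reason))
    return findings


# One line of the "Registry Data Items Detected" section of a Malwarebytes log:
# <key>|<value name> (<threat>) -> Bad: (<data>) Good: (<data>) -> <action>
MBAM_ITEM_RE = re.compile(
    r"^(?P<key>[^|]+)\|(?P<value_name>[^ ]*) \((?P<threat>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.*)$"
)


@dataclass
class MbamRegistryItem:
    key: str
    value_name: str
    threat: str
    bad: str
    good: str
    action: str


def parse_mbam_registry_data(log: str) -> list:
    """Extract the Registry Data Items findings from Malwarebytes log text."""
    items, in_section = [], False
    for line in log.splitlines():
        if line.startswith("Registry Data Items Detected:"):
            in_section = True
            continue
        if in_section:
            if not line.strip():  # a blank line ends the section
                in_section = False
                continue
            m = MBAM_ITEM_RE.match(line.strip())
            if m:
                items.append(MbamRegistryItem(**m.groupdict()))
    return items


# Constructed samples: the CLSID and shell32.dll are the ones in the thread's log;
# the SID, the hash-named folder and the second CLSID are placeholders.
RECYCLER_PATH = "C:\\RECYCLER\\S-1-5-21-PLACEHOLDER-1005\\$PLACEHOLDERHASH\\n."
REG_SAMPLE = "\n".join([
    "REGEDIT4",
    "",
    "[HKEY_CLASSES_ROOT\\CLSID\\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\\InProcServer32]",
    '@="' + RECYCLER_PATH.replace("\\", "\\\\") + '"',
    '"ThreadingModel"="Apartment"',
    "",
    "[HKEY_CLASSES_ROOT\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InProcServer32]",
    '@="%SystemRoot%\\\\system32\\\\shell32.dll"',
])
MBAM_SAMPLE = "\n".join([
    "Registry Data Items Detected: 1",
    "HKCR\\CLSID\\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\\InProcServer32| (Trojan.0Access)"
    " -> Bad: (" + RECYCLER_PATH + ") Good: (shell32.dll) -> Quarantined and repaired successfully.",
    "",
    "Folders Detected: 0",
])

if __name__ == "__main__":
    for f in suspicious_inprocserver32(parse_reg_export(REG_SAMPLE)):
        print(f"{f.key}\n    -> {f.server}\n    {f.reason}")
    for item in parse_mbam_registry_data(MBAM_SAMPLE):
        print(f"MBAM {item.threat}: {item.key} bad={item.bad!r} good={item.good!r}")
```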
cobolguy
2012-10-21, 22:45
Hi there

Log as requested.

ComboFix 12-10-21.02 - sean 21/10/2012 21:26:14.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.913 [GMT 1:00]
Running from: c:\documents and settings\sean\My Documents\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\sean\Application Data\Atna
c:\documents and settings\sean\Application Data\Atna\giacr.byb
c:\documents and settings\sean\Application Data\Desktopicon
c:\documents and settings\sean\Application Data\gf.tmp
c:\documents and settings\sean\Application Data\PriceGong
c:\documents and settings\sean\Application Data\PriceGong\Data\1.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\a.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\b.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\c.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\d.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\e.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\f.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\g.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\h.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\i.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\j.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\k.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\l.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\m.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\sean\Application Data\PriceGong\Data\n.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\o.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\p.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\q.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\r.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\s.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\t.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\u.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\v.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\w.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\x.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\y.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\z.txt
c:\documents and settings\sean\Application Data\Xaevm
c:\documents and settings\sean\Application Data\Xaevm\vike.gue
c:\documents and settings\sean\Local Settings\Application Data\assembly\tmp
c:\documents and settings\sean\Recent\Seans new CV v14 technical.doc
c:\documents and settings\sean\Recent\Seans new CV v15 technical.doc
c:\documents and settings\sean\Recent\Seans new CV v16 technical.doc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-21 to 2012-10-21 )))))))))))))))))))))))))))))))
.
.
2012-10-21 20:14 . 2012-10-21 20:14 -------- d-----w- c:\documents and settings\sean\Local Settings\Application Data\FLV_Runner
2012-10-21 20:14 . 2012-10-21 20:14 -------- d-----w- c:\program files\FLV_Runner
2012-10-21 19:26 . 2012-10-21 19:26 -------- d-----w- c:\program files\WiseConvert
2012-10-21 19:23 . 2012-10-21 19:23 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-21 19:23 . 2012-10-21 19:23 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-21 19:06 . 2012-10-21 19:06 -------- d-----w- c:\documents and settings\sean\Application Data\Avira
2012-10-21 19:00 . 2012-10-01 16:14 134184 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-10-21 19:00 . 2012-09-24 08:58 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-10-21 19:00 . 2012-09-13 09:58 83792 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-10-21 19:00 . 2012-10-21 19:00 -------- d-----w- c:\program files\Avira
2012-10-21 19:00 . 2012-10-21 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-10-20 23:00 . 2012-10-20 23:00 -------- d-----w- C:\photos
2012-10-20 11:03 . 2012-10-21 20:06 -------- d-----w- c:\documents and settings\sean\.javaws
2012-10-20 11:03 . 2012-10-20 11:03 -------- d-----w- c:\program files\Java Web Start
2012-10-20 11:02 . 2003-12-07 21:54 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-10-20 11:02 . 2012-10-20 11:02 -------- d-----w- c:\program files\Java
2012-10-16 16:45 . 2012-10-16 16:45 -------- d-----w- C:\tdskiller
2012-10-14 20:05 . 2012-10-14 20:04 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-08 20:46 . 2012-10-16 17:05 -------- d-----w- C:\logfiles
2012-10-05 22:31 . 2012-10-05 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-05 06:21 . 2012-10-05 06:21 -------- d-----w- c:\documents and settings\sandra\Application Data\Malwarebytes
2012-10-05 00:21 . 2012-10-07 16:32 -------- d-----w- c:\documents and settings\sean\Application Data\Ecgyaf
2012-10-05 00:21 . 2012-10-15 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-14 20:04 . 2010-04-15 17:12 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-29 18:54 . 2009-04-28 20:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2003-08-27 14:19 . 2008-11-10 17:10 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{3bbd3c14-4c16-4989-8366-95bc9179779d}"= "c:\program files\FLV_Runner\prxtbFLV_.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3bbd3c14-4c16-4989-8366-95bc9179779d}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3bbd3c14-4c16-4989-8366-95bc9179779d}]
2011-05-09 09:49 176936 ----a-w- c:\program files\FLV_Runner\prxtbFLV_.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3bbd3c14-4c16-4989-8366-95bc9179779d}"= "c:\program files\FLV_Runner\prxtbFLV_.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3bbd3c14-4c16-4989-8366-95bc9179779d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3BBD3C14-4C16-4989-8366-95BC9179779D}"= "c:\program files\FLV_Runner\prxtbFLV_.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3bbd3c14-4c16-4989-8366-95bc9179779d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-09-25 386336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Details.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Details.lnk
backup=c:\windows\pss\PC Details.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^CCC.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\CCC.lnk
backup=c:\windows\pss\CCC.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
2006-01-02 18:14 61440 -c--a-w- c:\windows\ABLKSR\ABLKSR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
2007-07-10 09:59 851968 -c--a-w- c:\program files\ASUS\Splendid\ACMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2007-04-17 00:06 372825 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2007-12-20 19:46 33136 -c--a-w- c:\windows\ASScrPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSTPE]
2007-01-16 15:13 106496 -c--a-w- c:\windows\system32\ASUSTPE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
2005-10-03 10:23 20480 ------w- c:\windows\CameraFixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvMon.exe]
2004-11-29 09:55 53248 -c----w- c:\windows\system32\DrvMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R285 Series]
2007-04-13 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICKE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2012-04-17 14:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JoinMEUIExec]
2009-03-10 17:50 131072 -c--a-w- c:\program files\PC Suite\JoinMEUIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 22:47 198184 -c--a-w- c:\program files\O2\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
2006-07-26 17:01 90112 -c--a-w- c:\program files\ASUS\Power4 Gear\BatteryLife.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 02:01 32768 -c--a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 -c--a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-30 03:49 16269312 -c--a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 02:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 01:31 630784 -c--a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 08:07 827392 ----a-w- c:\windows\vsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-14 23:46 1192664 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-05 22:28 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
2005-11-04 14:05 90112 ----a-w- c:\windows\tsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SMTPSVC"=2 (0x2)
"w3svc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Apache2.2"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"JoinMEUI Assistant Service"=2 (0x2)
"Secunia PSI Agent"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"sprtsvc_O2"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/01/2010 13:37 691696]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [21/10/2012 20:00 36552]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/10/2012 20:00 84256]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [15/09/2011 12:06 88576]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/07/2010 21:08 27632]
S1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [28/05/2009 22:33 230272]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [31/03/2012 23:51 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [28/07/2010 20:17 9728]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [28/05/2012 21:35 21520]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/07/2010 20:17 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/07/2010 20:17 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/07/2010 20:17 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\PC Suite\JoinMEAssistantServices.exe [28/07/2010 20:16 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR --> c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 02230741
*NewlyCreated* - 36200733
*NewlyCreated* - 98876780
*Deregistered* - 02230741
*Deregistered* - 36200733
*Deregistered* - 98876780
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-20 c:\windows\Tasks\User_Feed_Synchronization-{99538423-7653-467D-BD42-F6202E57E053}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com\support
Trusted Zone: skillwsa.com
TCP: DhcpNameServer = 192.168.1.254
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-02230741.sys
MSConfigStartUp-Google Update - c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-VirtualCloneDrive - c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-21 21:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-10-21 21:37:15
ComboFix-quarantined-files.txt 2012-10-21 20:37
ComboFix2.txt 2012-10-15 17:45
ComboFix3.txt 2012-10-14 19:27
ComboFix4.txt 2012-10-12 18:09
.
Pre-Run: 65,392,584,192 bytes free
Post-Run: 65,562,450,432 bytes free
.
- - End Of File - - EC113C7A085C1FAFD3C593112AF20EB9

Blade81
2012-10-22, 12:19
Hi again,

Open notepad and copy/paste the text in the quotebox below into it:



Folder::
c:\documents and settings\sean\Application Data\Ecgyaf
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.

cobolguy
2012-10-22, 19:25
Hi there

Ran as instructed

Log below

ComboFix 12-10-22.01 - sean 22/10/2012 18:08:30.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.819 [GMT 1:00]
Running from: c:\documents and settings\sean\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sean\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70\1B61202FF1FA8DB800491B60D75D1B70
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70\1B61202FF1FA8DB800491B60D75D1B70.ico
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70\Thumbs.db
c:\documents and settings\sean\Application Data\Ecgyaf
c:\documents and settings\sean\Application Data\PriceGong
c:\documents and settings\sean\Application Data\PriceGong\Data\1.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\a.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\b.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\c.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\d.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\e.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\f.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\g.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\h.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\i.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\j.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\k.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\l.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\m.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\n.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\o.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\p.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\q.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\r.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\s.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\t.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\u.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\v.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\w.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\x.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\y.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\z.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
.
.
2012-10-21 21:29 . 2012-10-21 21:29 -------- d-----w- c:\program files\Trusteer
2012-10-21 19:26 . 2012-10-21 19:26 -------- d-----w- c:\program files\WiseConvert
2012-10-21 19:23 . 2012-10-21 19:23 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-21 19:23 . 2012-10-21 19:23 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-21 19:06 . 2012-10-21 19:06 -------- d-----w- c:\documents and settings\sean\Application Data\Avira
2012-10-21 19:00 . 2012-10-01 16:14 134184 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-10-21 19:00 . 2012-09-24 08:58 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-10-21 19:00 . 2012-09-13 09:58 83792 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-10-21 19:00 . 2012-10-21 19:00 -------- d-----w- c:\program files\Avira
2012-10-21 19:00 . 2012-10-21 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-10-20 23:00 . 2012-10-20 23:00 -------- d-----w- C:\photos
2012-10-20 11:03 . 2012-10-21 20:06 -------- d-----w- c:\documents and settings\sean\.javaws
2012-10-20 11:03 . 2012-10-20 11:03 -------- d-----w- c:\program files\Java Web Start
2012-10-20 11:02 . 2003-12-07 21:54 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-10-20 11:02 . 2012-10-20 11:02 -------- d-----w- c:\program files\Java
2012-10-16 16:45 . 2012-10-16 16:45 -------- d-----w- C:\tdskiller
2012-10-14 20:05 . 2012-10-14 20:04 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-08 20:46 . 2012-10-16 17:05 -------- d-----w- C:\logfiles
2012-10-05 22:31 . 2012-10-05 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-05 06:21 . 2012-10-05 06:21 -------- d-----w- c:\documents and settings\sandra\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-14 20:04 . 2010-04-15 17:12 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-29 18:54 . 2009-04-28 20:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-22 15:34 . 2012-09-22 15:34 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2003-08-27 14:19 . 2008-11-10 17:10 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-09-25 386336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Details.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Details.lnk
backup=c:\windows\pss\PC Details.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^CCC.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\CCC.lnk
backup=c:\windows\pss\CCC.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
2006-01-02 18:14 61440 -c--a-w- c:\windows\ABLKSR\ABLKSR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
2007-07-10 09:59 851968 -c--a-w- c:\program files\ASUS\Splendid\ACMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2007-04-17 00:06 372825 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2007-12-20 19:46 33136 -c--a-w- c:\windows\ASScrPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSTPE]
2007-01-16 15:13 106496 -c--a-w- c:\windows\system32\ASUSTPE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
2005-10-03 10:23 20480 ------w- c:\windows\CameraFixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvMon.exe]
2004-11-29 09:55 53248 -c----w- c:\windows\system32\DrvMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R285 Series]
2007-04-13 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICKE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2012-04-17 14:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JoinMEUIExec]
2009-03-10 17:50 131072 -c--a-w- c:\program files\PC Suite\JoinMEUIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 22:47 198184 -c--a-w- c:\program files\O2\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
2006-07-26 17:01 90112 -c--a-w- c:\program files\ASUS\Power4 Gear\BatteryLife.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 02:01 32768 -c--a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 -c--a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-30 03:49 16269312 -c--a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 02:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 01:31 630784 -c--a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 08:07 827392 ----a-w- c:\windows\vsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-14 23:46 1192664 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-05 22:28 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
2005-11-04 14:05 90112 ----a-w- c:\windows\tsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SMTPSVC"=2 (0x2)
"w3svc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Apache2.2"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"JoinMEUI Assistant Service"=2 (0x2)
"Secunia PSI Agent"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"sprtsvc_O2"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [22/09/2012 16:34 65848]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/01/2010 13:37 691696]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [21/10/2012 20:00 36552]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [28/05/2009 22:33 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [10/08/2012 19:07 228376]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [22/09/2012 16:34 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [22/09/2012 16:34 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/10/2012 20:00 84256]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [15/09/2011 12:06 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [22/09/2012 16:34 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [28/05/2012 21:35 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/07/2010 21:08 27632]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [31/03/2012 23:51 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [28/07/2010 20:17 9728]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/07/2010 20:17 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/07/2010 20:17 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/07/2010 20:17 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\PC Suite\JoinMEAssistantServices.exe [28/07/2010 20:16 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR --> c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTIASO
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-22 c:\windows\Tasks\User_Feed_Synchronization-{99538423-7653-467D-BD42-F6202E57E053}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com\support
Trusted Zone: skillwsa.com
TCP: DhcpNameServer = 192.168.1.254
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-22 18:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-10-22 18:20:05
ComboFix-quarantined-files.txt 2012-10-22 17:20
ComboFix2.txt 2012-10-21 20:37
ComboFix3.txt 2012-10-15 17:45
ComboFix4.txt 2012-10-14 19:27
ComboFix5.txt 2012-10-22 17:05
.
Pre-Run: 65,354,385,920 bytes free
Post-Run: 65,357,259,264 bytes free
.
- - End Of File - - 8E5540053BAEAB2D188F5251F6485B70

Blade81
2012-10-22, 20:20
Good. Are you still noticing any problems? If not, it's time to secure your system to protect against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the run box and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.


Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

cobolguy
2012-10-23, 22:52
Well Blade, I think it's removed now, whatever it was. Machine is responding as expected now. Interrupts not eating the CPU. I'm glad I persevered with trying to resolve the issue. Nearly got to the point where I was going to drop the disk partition and rebuild.

Anyway, my windows o/s system is up to date now. I also regularly run Secunia, thanks for the info.

I've removed ComboFix and the log files.

Big thank you for your support and help. :thanks:

Cheers.

Kindest regards

Sean

Blade81
2012-10-24, 06:33
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.