Infected with system progressive protection

after combofix

Hi there

Log as requested.

ComboFix 12-10-21.02 - sean 21/10/2012 21:26:14.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.913 [GMT 1:00]
Running from: c:\documents and settings\sean\My Documents\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\sean\Application Data\Atna
c:\documents and settings\sean\Application Data\Atna\giacr.byb
c:\documents and settings\sean\Application Data\Desktopicon
c:\documents and settings\sean\Application Data\gf.tmp
c:\documents and settings\sean\Application Data\PriceGong
c:\documents and settings\sean\Application Data\PriceGong\Data\1.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\a.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\b.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\c.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\d.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\e.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\f.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\g.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\h.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\i.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\j.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\k.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\l.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\m.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\sean\Application Data\PriceGong\Data\n.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\o.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\p.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\q.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\r.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\s.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\t.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\u.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\v.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\w.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\x.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\y.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\z.txt
c:\documents and settings\sean\Application Data\Xaevm
c:\documents and settings\sean\Application Data\Xaevm\vike.gue
c:\documents and settings\sean\Local Settings\Application Data\assembly\tmp
c:\documents and settings\sean\Recent\Seans new CV v14 technical.doc
c:\documents and settings\sean\Recent\Seans new CV v15 technical.doc
c:\documents and settings\sean\Recent\Seans new CV v16 technical.doc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-21 to 2012-10-21 )))))))))))))))))))))))))))))))
.
.
2012-10-21 20:14 . 2012-10-21 20:14 -------- d-----w- c:\documents and settings\sean\Local Settings\Application Data\FLV_Runner
2012-10-21 20:14 . 2012-10-21 20:14 -------- d-----w- c:\program files\FLV_Runner
2012-10-21 19:26 . 2012-10-21 19:26 -------- d-----w- c:\program files\WiseConvert
2012-10-21 19:23 . 2012-10-21 19:23 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-21 19:23 . 2012-10-21 19:23 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-21 19:06 . 2012-10-21 19:06 -------- d-----w- c:\documents and settings\sean\Application Data\Avira
2012-10-21 19:00 . 2012-10-01 16:14 134184 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-10-21 19:00 . 2012-09-24 08:58 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-10-21 19:00 . 2012-09-13 09:58 83792 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-10-21 19:00 . 2012-10-21 19:00 -------- d-----w- c:\program files\Avira
2012-10-21 19:00 . 2012-10-21 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-10-20 23:00 . 2012-10-20 23:00 -------- d-----w- C:\photos
2012-10-20 11:03 . 2012-10-21 20:06 -------- d-----w- c:\documents and settings\sean\.javaws
2012-10-20 11:03 . 2012-10-20 11:03 -------- d-----w- c:\program files\Java Web Start
2012-10-20 11:02 . 2003-12-07 21:54 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-10-20 11:02 . 2012-10-20 11:02 -------- d-----w- c:\program files\Java
2012-10-16 16:45 . 2012-10-16 16:45 -------- d-----w- C:\tdskiller
2012-10-14 20:05 . 2012-10-14 20:04 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-08 20:46 . 2012-10-16 17:05 -------- d-----w- C:\logfiles
2012-10-05 22:31 . 2012-10-05 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-05 06:21 . 2012-10-05 06:21 -------- d-----w- c:\documents and settings\sandra\Application Data\Malwarebytes
2012-10-05 00:21 . 2012-10-07 16:32 -------- d-----w- c:\documents and settings\sean\Application Data\Ecgyaf
2012-10-05 00:21 . 2012-10-15 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-14 20:04 . 2010-04-15 17:12 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-29 18:54 . 2009-04-28 20:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2003-08-27 14:19 . 2008-11-10 17:10 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{3bbd3c14-4c16-4989-8366-95bc9179779d}"= "c:\program files\FLV_Runner\prxtbFLV_.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3bbd3c14-4c16-4989-8366-95bc9179779d}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3bbd3c14-4c16-4989-8366-95bc9179779d}]
2011-05-09 09:49 176936 ----a-w- c:\program files\FLV_Runner\prxtbFLV_.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3bbd3c14-4c16-4989-8366-95bc9179779d}"= "c:\program files\FLV_Runner\prxtbFLV_.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3bbd3c14-4c16-4989-8366-95bc9179779d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3BBD3C14-4C16-4989-8366-95BC9179779D}"= "c:\program files\FLV_Runner\prxtbFLV_.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3bbd3c14-4c16-4989-8366-95bc9179779d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-09-25 386336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Details.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Details.lnk
backup=c:\windows\pss\PC Details.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^CCC.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\CCC.lnk
backup=c:\windows\pss\CCC.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
2006-01-02 18:14 61440 -c--a-w- c:\windows\ABLKSR\ABLKSR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
2007-07-10 09:59 851968 -c--a-w- c:\program files\ASUS\Splendid\ACMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2007-04-17 00:06 372825 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2007-12-20 19:46 33136 -c--a-w- c:\windows\ASScrPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSTPE]
2007-01-16 15:13 106496 -c--a-w- c:\windows\system32\ASUSTPE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
2005-10-03 10:23 20480 ------w- c:\windows\CameraFixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvMon.exe]
2004-11-29 09:55 53248 -c----w- c:\windows\system32\DrvMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R285 Series]
2007-04-13 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICKE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2012-04-17 14:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JoinMEUIExec]
2009-03-10 17:50 131072 -c--a-w- c:\program files\PC Suite\JoinMEUIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 22:47 198184 -c--a-w- c:\program files\O2\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
2006-07-26 17:01 90112 -c--a-w- c:\program files\ASUS\Power4 Gear\BatteryLife.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 02:01 32768 -c--a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 -c--a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-30 03:49 16269312 -c--a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 02:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 01:31 630784 -c--a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 08:07 827392 ----a-w- c:\windows\vsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-14 23:46 1192664 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-05 22:28 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
2005-11-04 14:05 90112 ----a-w- c:\windows\tsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SMTPSVC"=2 (0x2)
"w3svc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Apache2.2"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"JoinMEUI Assistant Service"=2 (0x2)
"Secunia PSI Agent"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"sprtsvc_O2"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/01/2010 13:37 691696]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [21/10/2012 20:00 36552]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/10/2012 20:00 84256]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [15/09/2011 12:06 88576]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/07/2010 21:08 27632]
S1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [28/05/2009 22:33 230272]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [31/03/2012 23:51 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [28/07/2010 20:17 9728]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [28/05/2012 21:35 21520]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/07/2010 20:17 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/07/2010 20:17 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/07/2010 20:17 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\PC Suite\JoinMEAssistantServices.exe [28/07/2010 20:16 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR --> c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 02230741
*NewlyCreated* - 36200733
*NewlyCreated* - 98876780
*Deregistered* - 02230741
*Deregistered* - 36200733
*Deregistered* - 98876780
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-20 c:\windows\Tasks\User_Feed_Synchronization-{99538423-7653-467D-BD42-F6202E57E053}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com\support
Trusted Zone: skillwsa.com
TCP: DhcpNameServer = 192.168.1.254
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-02230741.sys
MSConfigStartUp-Google Update - c:\documents and settings\sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-VirtualCloneDrive - c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-21 21:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-10-21 21:37:15
ComboFix-quarantined-files.txt 2012-10-21 20:37
ComboFix2.txt 2012-10-15 17:45
ComboFix3.txt 2012-10-14 19:27
ComboFix4.txt 2012-10-12 18:09
.
Pre-Run: 65,392,584,192 bytes free
Post-Run: 65,562,450,432 bytes free
.
- - End Of File - - EC113C7A085C1FAFD3C593112AF20EB9
 
Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
c:\documents and settings\sean\Application Data\Ecgyaf
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.
 
combo log file

Hi there

Ran as instructed

Log below

ComboFix 12-10-22.01 - sean 22/10/2012 18:08:30.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1471.819 [GMT 1:00]
Running from: c:\documents and settings\sean\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sean\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70\1B61202FF1FA8DB800491B60D75D1B70
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70\1B61202FF1FA8DB800491B60D75D1B70.ico
c:\documents and settings\All Users\Application Data\1B61202FF1FA8DB800491B60D75D1B70\Thumbs.db
c:\documents and settings\sean\Application Data\Ecgyaf
c:\documents and settings\sean\Application Data\PriceGong
c:\documents and settings\sean\Application Data\PriceGong\Data\1.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\a.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\b.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\c.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\d.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\e.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\f.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\g.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\h.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\i.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\j.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\k.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\l.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\m.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\n.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\o.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\p.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\q.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\r.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\s.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\t.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\u.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\v.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\w.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\x.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\y.txt
c:\documents and settings\sean\Application Data\PriceGong\Data\z.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
.
.
2012-10-21 21:29 . 2012-10-21 21:29 -------- d-----w- c:\program files\Trusteer
2012-10-21 19:26 . 2012-10-21 19:26 -------- d-----w- c:\program files\WiseConvert
2012-10-21 19:23 . 2012-10-21 19:23 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-21 19:23 . 2012-10-21 19:23 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-21 19:06 . 2012-10-21 19:06 -------- d-----w- c:\documents and settings\sean\Application Data\Avira
2012-10-21 19:00 . 2012-10-01 16:14 134184 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-10-21 19:00 . 2012-09-24 08:58 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-10-21 19:00 . 2012-09-13 09:58 83792 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-10-21 19:00 . 2012-10-21 19:00 -------- d-----w- c:\program files\Avira
2012-10-21 19:00 . 2012-10-21 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-10-20 23:00 . 2012-10-20 23:00 -------- d-----w- C:\photos
2012-10-20 11:03 . 2012-10-21 20:06 -------- d-----w- c:\documents and settings\sean\.javaws
2012-10-20 11:03 . 2012-10-20 11:03 -------- d-----w- c:\program files\Java Web Start
2012-10-20 11:02 . 2003-12-07 21:54 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-10-20 11:02 . 2012-10-20 11:02 -------- d-----w- c:\program files\Java
2012-10-16 16:45 . 2012-10-16 16:45 -------- d-----w- C:\tdskiller
2012-10-14 20:05 . 2012-10-14 20:04 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-08 20:46 . 2012-10-16 17:05 -------- d-----w- C:\logfiles
2012-10-05 22:31 . 2012-10-05 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-10-05 06:21 . 2012-10-05 06:21 -------- d-----w- c:\documents and settings\sandra\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-14 20:04 . 2010-04-15 17:12 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-29 18:54 . 2009-04-28 20:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-22 15:34 . 2012-09-22 15:34 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2003-08-27 14:19 . 2008-11-10 17:10 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-09-25 386336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Details.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Details.lnk
backup=c:\windows\pss\PC Details.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^CCC.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\CCC.lnk
backup=c:\windows\pss\CCC.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^sean^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\sean\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
2006-01-02 18:14 61440 -c--a-w- c:\windows\ABLKSR\ABLKSR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
2007-07-10 09:59 851968 -c--a-w- c:\program files\ASUS\Splendid\ACMON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2007-04-17 00:06 372825 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 02:43 69632 -c--a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2007-12-20 19:46 33136 -c--a-w- c:\windows\ASScrPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSTPE]
2007-01-16 15:13 106496 -c--a-w- c:\windows\system32\ASUSTPE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
2005-10-03 10:23 20480 ------w- c:\windows\CameraFixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvMon.exe]
2004-11-29 09:55 53248 -c----w- c:\windows\system32\DrvMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R285 Series]
2007-04-13 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICKE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2012-04-17 14:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JoinMEUIExec]
2009-03-10 17:50 131072 -c--a-w- c:\program files\PC Suite\JoinMEUIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 22:47 198184 -c--a-w- c:\program files\O2\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
2006-07-26 17:01 90112 -c--a-w- c:\program files\ASUS\Power4 Gear\BatteryLife.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 02:01 32768 -c--a-w- c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 21:13 1695744 -c--a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-30 03:49 16269312 -c--a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 02:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 01:31 630784 -c--a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 08:07 827392 ----a-w- c:\windows\vsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-14 23:46 1192664 ----a-w- c:\program files\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-05 22:28 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
2005-11-04 14:05 90112 ----a-w- c:\windows\tsnpstd3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"SMTPSVC"=2 (0x2)
"w3svc"=2 (0x2)
"IISADMIN"=2 (0x2)
"Apache2.2"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"JoinMEUI Assistant Service"=2 (0x2)
"Secunia PSI Agent"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"sprtsvc_O2"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [22/09/2012 16:34 65848]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/01/2010 13:37 691696]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [21/10/2012 20:00 36552]
R1 C2SCSI;C2SCSI;c:\windows\system32\drivers\c2scsi.sys [28/05/2009 22:33 230272]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [10/08/2012 19:07 228376]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [22/09/2012 16:34 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [22/09/2012 16:34 166840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/10/2012 20:00 84256]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [15/09/2011 12:06 88576]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [22/09/2012 16:34 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [28/05/2012 21:35 21520]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/07/2010 21:08 27632]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [31/03/2012 23:51 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [28/07/2010 20:17 9728]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/07/2010 20:17 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/07/2010 20:17 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/07/2010 20:17 106752]
S4 JoinMEUI Assistant Service;JoinMEUI Assistant Service;c:\program files\PC Suite\JoinMEAssistantServices.exe [28/07/2010 20:16 242688]
S4 OracleDBConsolesean01;OracleDBConsolesean01;c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe --> c:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR --> c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTIASO
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4204088417-295494685-3788373613-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2012-10-22 c:\windows\Tasks\User_Feed_Synchronization-{99538423-7653-467D-BD42-F6202E57E053}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com\support
Trusted Zone: skillwsa.com
TCP: DhcpNameServer = 192.168.1.254
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://cam.thesandbar.com/activex/decoder/mpeg4_dec.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-22 18:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-10-22 18:20:05
ComboFix-quarantined-files.txt 2012-10-22 17:20
ComboFix2.txt 2012-10-21 20:37
ComboFix3.txt 2012-10-15 17:45
ComboFix4.txt 2012-10-14 19:27
ComboFix5.txt 2012-10-22 17:05
.
Pre-Run: 65,354,385,920 bytes free
Post-Run: 65,357,259,264 bytes free
.
- - End Of File - - 8E5540053BAEAB2D188F5251F6485B70
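A ComboFix log like the one above is easier to triage when it is parsed rather than read top to bottom. The following is an added example, not ComboFix's code and not something either poster wrote: it parses the service/driver lines (R = running, S = stopped; the digit is the start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled), the registry value blocks and the DPF (ActiveX download) lines into a summary, then flags the items a reviewer would check first: Security Center monitoring switched off, the Windows Firewall standard profile disabled, a boot/system-start driver loaded from a user-data path, and an ActiveX control fetched from a bare IP address. The sample input is a short excerpt constructed in the log's layout so the script runs offline; the flagging rules are heuristics chosen for this example, not findings ComboFix itself reports, and a hit means "verify", not "malicious" (the Trusteer Rapport driver it flags here is a legitimate product that happens to install under Application Data).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Constructed excerpt in the ComboFix layout seen in the log above (not the whole log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/01/2010 13:37 691696]
R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [10/08/2012 19:07 228376]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/10/2012 20:00 84256]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 18:01 21248]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.22.201.135/activex/AMC.cab
DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} - hxxp://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
"""

# R/S + start type, service name, display name, image path, [timestamp size]
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
# DPF: {CLSID} - hxxp://host/path   (ComboFix writes hxxp to defang the URL)
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) - hxxp://([^/]+)(/.*)?$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.+)$')
BARE_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Service:
    name: str
    display: str
    path: str
    running: bool
    start_type: str


@dataclass
class LogSummary:
    services: List[Service] = field(default_factory=list)
    registry: Dict[str, Dict[str, str]] = field(default_factory=dict)
    dpf: List[Tuple[str, str, str]] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_combofix(text: str) -> LogSummary:
    """Parse service, registry-value and DPF lines of a ComboFix log into a summary."""
    s = LogSummary()
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with a lone "."
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()  # registry key header
            s.registry.setdefault(current_key, {})
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, path, _stamp = m.groups()
            s.services.append(Service(name, display, path, state == "R", START_TYPES[start]))
            continue
        m = DPF_RE.match(line)
        if m:
            s.dpf.append((m.group(1), m.group(2), m.group(3) or ""))
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            s.registry[current_key][m.group(1)] = m.group(2).strip()
    s.findings = assess(s)
    return s


def assess(s: LogSummary) -> List[str]:
    """Heuristic review rules (chosen for this example); each hit is a 'verify' item."""
    findings = []
    for key, values in s.registry.items():
        if key.endswith(r"security center\monitoring") and values.get("DisableMonitoring") == "dword:00000001":
            findings.append("Security Center monitoring disabled (DisableMonitoring=1)")
        if key.endswith(r"firewallpolicy\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
    for svc in s.services:
        in_profile = svc.path.lower().startswith(r"c:\documents and settings")
        if svc.running and svc.start_type in ("boot", "system") and in_profile:
            findings.append(f"Boot/system-start driver {svc.name} loads from a user-data path, verify publisher: {svc.path}")
    for clsid, host, _ in s.dpf:
        if BARE_IPV4_RE.match(host):
            findings.append(f"ActiveX control {clsid} is downloaded from a bare IP address ({host})")
    return findings


if __name__ == "__main__":
    summary = parse_combofix(SAMPLE_LOG)
    for svc in summary.services:
        print(f"{'running' if svc.running else 'stopped':7} {svc.start_type:8} {svc.name}")
    for finding in summary.findings:
        print("CHECK:", finding)
```

Point `parse_combofix` at the full text of a saved ComboFix.txt and the same rules apply; the registry key match is a suffix match on the lowercased key, so it also works for the `HKLM\~\` shorthand ComboFix uses for `HKEY_LOCAL_MACHINE\system\currentcontrolset\`.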
 
Good. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the Run box and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.


Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alerted about vulnerable components in future too.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Thank you

Well Blade, I think it's removed now, whatever it was. Machine is responding as expected now. Interrupts not eating the CPU. I'm glad I persevered with trying to resolve the issue. Nearly got to the point where I was going to drop the disk partition and rebuild.

Anyway, my windows o/s system is up to date now. I also regularly run Secunia, thanks for the info.

I've removed ComboFix and the log files.

Big thank you for your support and help. :thanks:

Cheers.

Kindest regards

Sean
 
You're welcome

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (PM). A valid, working link to the closed topic is required.
 