
ComboFix 13-07-18.04 - sdgftr 19.07.2013 22:12:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.997.181 [GMT 3:00]
Running from: c:\documents and settings\sdgftr\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\20263e3142373b5d5b46355d413
b5f_c
c:\documents and settings\All Users\Application Data\ACD Systems\ACDSee\ImageDB.
ddf
c:\documents and settings\All Users\Application Data\cONttINueToosavveo
c:\documents and settings\All Users\Application Data\cONttINueToosavveo\519f05df
144ee.dll
c:\documents and settings\All Users\Application Data\cONttINueToosavveo\519f05df
144ee.tlb
c:\documents and settings\All Users\Application Data\cONttINueToosavveo\data\cON
ttINueToosavveo.dat
c:\documents and settings\All Users\Application Data\cONttINueToosavveo\settings
.ini
c:\documents and settings\All Users\Application Data\cONttINueToosavveo\uninstal
l.exe
c:\documents and settings\All Users\Start Menu\Programs\cONttINueToosavveo
c:\documents and settings\All Users\Start Menu\Programs\cONttINueToosavveo\cONtt
INueToosavveo.lnk
c:\documents and settings\All Users\Start Menu\Programs\cONttINueToosavveo\Unins
tall.lnk
c:\documents and settings\sdgftr\Application Data\DefaultTab\DefaultTab
c:\documents and settings\sdgftr\Application Data\DefaultTab\DefaultTab\uninstal
ldt.exe
c:\program files\BasicServe
c:\program files\BasicServe\basicserve.dll
c:\program files\BasicServe\basicserve.exe
c:\program files\BasicServe\BasicServe_deleted_\basicserve.dll
c:\program files\BasicServe\BasicServe_deleted_\basicserve.exe
c:\program files\BasicServe\uninstall.exe
c:\program files\DefaultTab
c:\program files\DefaultTab\DefaultTab.crx
c:\program files\DefaultTab\DefaultTabSearch.exe
c:\program files\DefaultTab\uid
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DEFAULTTABSEARCH
-------\Service_DefaultTabSearch
-------\Legacy_BasicServe_Service
-------\Legacy_BasicServe_Service
-------\Service_BasicServe Service
-------\Service_BasicServe Service
.
.
((((((((((((((((((((((((( Files Created from 2013-06-19 to 2013-07-19 )))))))))))))))))))))))))))))))
.

.
2013-07-19 19:10 . 2013-07-19 19:10
-------d-----wc:\docum
ents and settings\All Users\Application Data\AVAST Software
2013-07-19 18:48 . 2013-07-19 18:50
-------d-----wc:\docum
ents and settings\All Users\Application Data\BasicServe
2013-07-19 18:47 . 2013-07-19 18:47
-------d-----wc:\progr
am files\SimilarSites
2013-07-19 18:47 . 2013-07-19 18:47
-------d-----wc:\docum
ents and settings\sdgftr\Application Data\SimilarSites
2013-07-19 18:47 . 2013-07-19 18:47
-------d-----wc:\docum
ents and settings\sdgftr\Application Data\WebCake
2013-07-19 18:47 . 2013-07-19 18:47
-------d-----wc:\progr
am files\WebCake
2013-07-18 20:13 . 2013-07-18 20:13
-------d-----wC:\MSI
2013-07-15 19:02 . 2013-07-15 19:02
-------d-----wC:\Outpu
t
2013-07-15 19:02 . 2013-07-15 19:02
-------d-----wC:\PDFPa
sswordRemover
2013-07-09 02:27 . 2013-07-13 02:00
-------d-----wc:\progr
am files\PokerStars.EU
2013-07-05 19:00 . 2013-07-05 19:00
-------d--h--wc:\windo
ws\PIF
2013-07-03 03:47 . 2013-07-03 03:54
-------d-----wc:\docum
ents and settings\sdgftr\Application Data\TeamViewer
2013-06-27 22:59 . 2013-06-27 22:59
-------d-----wc:\progr
am files\ExpressPCB
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-13 08:05 . 2008-03-10 11:12
71048 ----a-wc:\windows\syste
m32\FlashPlayerCPLApp.cpl
2013-06-13 08:05 . 2008-03-10 11:12
692104 ----a-wc:\windows\syste
m32\FlashPlayerApp.exe
2013-06-13 08:05 . 2013-06-12 06:05
9089416 ----a-wc:\windows\syste
m32\FlashPlayerInstaller.exe
2013-05-23 10:43 . 2013-05-23 10:43
73728 ----a-rc:\documents and
settings\sdgftr\Application Data\Microsoft\Installer\{7130468A-F53F-4698-8C09-A
339EA3B05E6}\NewShortcut47_74B9CE5DF1F4447F982DCA29A461B529.exe
2013-05-23 10:43 . 2013-05-23 10:43
73728 ----a-rc:\documents and
settings\sdgftr\Application Data\Microsoft\Installer\{7130468A-F53F-4698-8C09-A
339EA3B05E6}\NewShortcut46_74B9CE5DF1F4447F982DCA29A461B529.exe
2013-05-23 10:43 . 2013-05-23 10:43
53248 ----a-rc:\documents and
settings\sdgftr\Application Data\Microsoft\Installer\{7130468A-F53F-4698-8C09-A
339EA3B05E6}\ARPPRODUCTICON.exe
2013-05-23 10:43 . 2013-05-23 10:43
49152 ----a-rc:\documents and
settings\sdgftr\Application Data\Microsoft\Installer\{7130468A-F53F-4698-8C09-A
339EA3B05E6}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
2013-05-23 10:43 . 2013-05-23 10:43
49152 ----a-rc:\documents and
settings\sdgftr\Application Data\Microsoft\Installer\{7130468A-F53F-4698-8C09-A
339EA3B05E6}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
2013-05-22 10:26 . 2013-05-22 10:26
33824 ----a-wc:\windows\syste
m32\drivers\oreans32.sys
.
.
------- Sigcheck ------Note: Unsigned files aren't necessarily malware.
.

[-] 2010-05-31 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512]


. . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCake Desktop"="c:\documents and settings\sdgftr\Application Data\WebCake\Web
CakeDesktop.exe" [2013-06-21 47896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus XtremeG DWL-G520"="c:\program files\D-Link\AirPlus XtremeG DWL-G
520\AirPlusCFG.exe" [2008-10-06 1331200]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.s
ys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^St
artup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reade
r Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFa
ultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2
Service]
2007-01-19 09:49
49152 ----a-wc:\program files\ANI\ANIWZCS2 Se
rvice\WZCSLDR2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]
2007-06-12 15:09
408344 ----a-wc:\program files\Intel\AMT\atchk
.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.e
xe]
2008-04-14 02:42
15360 ----a-wc:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysC
mds]
2007-09-11 06:51
166424 ----a-wc:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
]
2007-09-11 06:52
141848 ----a-wc:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSU_agen
t]
2012-02-28 12:53
190768 ----a-wc:\program files\Nokia\Nokia Sof
tware Updater\nsu3ui_agent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSy
ncProcess]

2010-03-16 00:58
718208 ----a-wc:\program files\Microsoft Offic
e\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite
Tray]
2012-06-26 10:10
1516632 ----a-wc:\program files\Nokia\Nokia PC
Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persiste
nce]
2007-09-11 06:51
137752 ----a-wc:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX
PnP]
2007-05-08 07:28
1015808 ----a-wc:\program files\Analog Devices\
Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaU
pdateSched]
2007-07-12 02:00
132496 ----a-wc:\program files\Java\jre1.6.0_0
2\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WLAN CAR
D WLAN Monitor]
2003-12-26 10:26
630784 ----a-wc:\program files\WLAN CARD\WlanM
on.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Authoriz
edApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Nokia\\Phoenix\\phoenix.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Fuse\\FuseService.exe"=
"c:\\Program Files\\ODEON\\JAF\\JCOP.EXE"=
"d:\\gabi\\Documents\\utorrent.exe"=
"c:\\Documents and Settings\\sdgftr\\Application Data\\uTorrent\\uTorrent.exe"=
.
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [5/22/2013 1:26 PM
33824]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\progra
m files\Intel\AMT\UNS.exe [3/10/2008 2:06 PM 2521880]
R2 WebCake Desktop Updater;WebCake Desktop Updater;c:\program files\WebCake\WebC
akeDesktop.Updater.exe [7/19/2013 9:47 PM 23552]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system
32\drivers\A3AB.sys [3/10/2008 2:07 PM 547744]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu
.sys [5/14/2013 4:56 PM 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sy
s [5/14/2013 4:56 PM 8576]
.
--- Other Services/Drivers In Memory --.
*NewlyCreated* - WS2IFSL
.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D3


45-D564-463c-AFF1-A69D9E530F96}]
2013-07-15 21:43
1173456 ----a-wc:\program files\Google\Chrome\A
pplication\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2008-03-10 08
:05]
.
2013-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-03-28 13:15]
.
2013-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-03-28 13:15]
.
.
------- Supplementary Scan ------.
uStart Page = hxxp://www1.delta-search.com/?affID=119776&tt=gc_&babsrc=HP_ss&mnt
rId=486C0022B0EA5C35
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
.
- - - - ORPHANS REMOVED - - - .
BHO-{14B5A8D7-C850-84B6-6756-F2FF29810D2E} - c:\documents and settings\All Users
\Application Data\cONttINueToosavveo\519f05df144ee.dll
HKLM-Explorer_Run-40473 - c:\docume~1\ALLUSE~1\LOCALS~1\Temp\ccagra.exe
MSConfigStartUp-Normal WLAN Monitor - c:\program files\Normal\WLAN Monitor\WLANm
on.exe
AddRemove-BasicServe - c:\program files\BasicServe\uninstall.exe
AddRemove-DefaultTab - c:\documents and settings\sdgftr\Application Data\Default
Tab\DefaultTab\uninstalldt.exe
AddRemove-{C1C6816E-CBB3-A748-85F9-A8B47B68985B} - c:\documents and settings\All
Users\Application Data\cONttINueToosavveo\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-19 22:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS --------------------.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66
}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700
_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66
}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66
}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66
}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C
9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C
9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C
9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes --------------------.
- - - - - - - > 'explorer.exe'(520)
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes -----------------------.
c:\program files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\windows\system32\crypserv.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-07-19 22:20:03 - machine was rebooted
ComboFix-quarantined-files.txt 2013-07-19 19:20
.
Pre-Run: 46.876.160.000 bytes free
Post-Run: 47.465.299.968 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional"
/noexecute=optin /fastdetect
.
- - End Of File - - 4436C615CE0A89892886C20AB886330F
8F558EB6672622401DA993E1E865C861
