PDA

View Full Version : An infection that I can't find.



rdomingu
2013-03-14, 00:10
Hello,
New to this forum.
I am infected with something which I cannot seem to find. I am hoping someone can assist me with locating this/these infections and ridding my box of them. I am running Win XP SP3 and current on all patches. I have run Kaspersky scans (full, vulnerability, critical area and root kit), Sophos stand alone (Sav32cli), SB Search n Destroy 2, RootAlyzer, SuperAntiSpyware, HijackThis, Combofix and MalwareBytes....all with current updates....with no significant results. I have run these all under normal boot and some under safe mode with no difference in results. After a boot-up, box runs good but eventually slows to a crawl with CPU usage at 100%. Running a manual Windows Update will take a LONG time to complete. I have to wait about 30 seconds when creating a new folder, in order to give it a name. I am a presently unemployed desktop support analyst and have alot of disinfecting experience, but this one, being on my own personal box, is REALLY making me feel incompetent!!! I have backups, but they are infected as well so I can't just restore. It would be a simple re-image normally, but I can't do that with my box....much too much stuff on it. I would greatly appreciate your assistance with this one. Thanks in advance for your hopeful assistance. Below are the requested logs:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_38
Run by Ray at 15:52:50 on 2013-03-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2056 [GMT -4:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvwmi.exe
D:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\locator.exe
D:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
D:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
D:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
C:\Program Files\Plextor\PlexUTILITIES\PlexRadar.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Efficient Reminder Free\EfficientReminderFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\nvwmi.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k WINRM
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\urladvisor\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "d:\program files\sandboxie\SbieCtrl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"
mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe"
mRun: [SDTray] "d:\program files\spybot - search & destroy 2\SDTray.exe"
StartupFolder: c:\docume~1\ray\startm~1\programs\startup\effici~1.lnk - c:\program files\efficient reminder free\EfficientReminderFree.exe
StartupFolder: c:\docume~1\ray\startm~1\programs\startup\erunta~1.lnk - d:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\ray\startm~1\programs\startup\plexra~1.lnk - c:\program files\plextor\plexutilities\PlexRadar.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\del_temp.vbs
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hypers~1.lnk - c:\program files\hypersnap-dx 5\HprSnap5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\plexra~1.lnk - c:\program files\plextor\plexutilities\PlexRadar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\watch.lnk - c:\program files\mustek 1200 ub plus\driver\WATCH.exe
uPolicies-Explorer: NoWindowsUpdate = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:383
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoWindowsUpdate = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy 2\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1296519865546
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1362800798828
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1353104195093
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
TCP: NameServer = 167.206.254.2 167.206.254.1
TCP: Interfaces\{9C3AA36C-E157-4013-9946-690262E89D96} : DHCPNameServer = 167.206.254.2 167.206.254.1
TCP: Interfaces\{9E3725C9-9785-4641-AB27-3C257B07A781} : DHCPNameServer = 167.206.254.1 167.206.254.2
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ray\application data\mozilla\firefox\profiles\6cr6okv0.default\
FF - prefs.js: browser.search.selectedEngine - Delta Search
FF - prefs.js: browser.startup.homepage - hxxp://www.delta-search.com/?affID=119776&tt=050412_30b&babsrc=HP_ss&mntrId=1fde8a400000000000000022152aced0
FF - prefs.js: network.proxy.type - 4
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\ray\application data\mozilla\firefox\profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39:40
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [2011-5-6 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2013-1-26 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2013-1-26 40648]
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2012-6-19 136024]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-3-7 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2013-1-26 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2013-1-26 185672]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-11-24 586584]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-11-24 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-12 18816]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe -r --> c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe -r [?]
R2 EaseUS Agent;EaseUS Agent Service;c:\program files\easeus\todo backup\bin\Agent.exe [2013-1-26 68168]
R2 Guard Agent;Guard Agent Service;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2013-1-26 23624]
R2 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [1999-12-31 664424]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-3-12 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-3-12 1369624]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2012-6-27 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-11-24 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-11-24 24920]
R3 SbieDrv;SbieDrv;d:\program files\sandboxie\SbieDrv.sys [2012-12-16 157776]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S2 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\google\update\GoogleUpdate.exe [2011-3-6 136176]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-3-12 168384]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-2-1 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2011-2-1 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-12-29 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-12-29 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-12-29 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-12-29 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-12-29 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-12-29 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2013-1-27 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-12-21 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-12-21 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-10-10 34432]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-3-8 35144]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-10-10 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-13 30576]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-1-14 13024]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 AZULWXOPZZH;AZULWXOPZZH;c:\docume~1\ray\locals~1\temp\azulwxopzzh.exe --> c:\docume~1\ray\locals~1\temp\AZULWXOPZZH.exe [?]
S4 TSJSRS;TSJSRS;c:\docume~1\ray\locals~1\temp\tsjsrs.exe --> c:\docume~1\ray\locals~1\temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\ray\locals~1\temp\zwkkqgf.exe --> c:\docume~1\ray\locals~1\temp\ZWKKQGF.exe [?]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
ShellExec: CORELPNT.EXE: CANCEL=c:\corel40\programs\CORELPNT.EXE
ShellExec: CORELPNT.EXE: OPEN=c:\corel40\programs\CORELPNT.EXE
ShellExec: CORELPNT.EXE: PRINT=c:\corel40\programs\CORELPNT.EXE
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-03-13 14:53:55 12928 ------w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-13 14:53:55 12928 ------w- c:\windows\system32\dllcache\usb8023.sys
2013-03-12 14:21:49 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2013-03-12 14:21:24 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-03-12 00:16:58 8461312 ------w- c:\windows\system32\dllcache\shell32.dll
2013-03-10 20:31:06 -------- d-----w- C:\Sophos
2013-03-09 00:22:39 -------- d-----w- C:\Escort
2013-03-08 23:42:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-03-08 23:42:22 -------- d-----w- c:\windows\system32\wbem\Repository
2013-03-08 23:36:06 -------- d-----w- c:\program files\PC HealthBoost
2013-03-08 19:30:33 -------- d-sh--w- c:\windows\Installer
2013-03-08 16:58:20 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-03-08 04:34:24 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-08 04:34:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)
2013-03-08 04:34:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-08 00:19:13 630272 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2013-03-08 00:19:13 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2013-03-08 00:19:12 247808 ----a-w- c:\windows\system32\dllcache\ieproxy.dll
2013-03-08 00:19:12 12800 ----a-w- c:\windows\system32\dllcache\xpshims.dll
2013-03-08 00:19:11 743424 ----a-w- c:\windows\system32\dllcache\iedvtool.dll
2013-03-08 00:19:11 522240 ----a-w- c:\windows\system32\dllcache\jsdbgui.dll
2013-03-08 00:19:11 2004992 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2013-03-08 00:19:09 11111424 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2013-03-07 20:48:36 -------- d-----r- C:\Sandbox
2013-03-07 18:46:02 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-03-07 17:15:49 -------- d-----w- c:\documents and settings\ray\DoctorWeb
2013-03-07 17:11:45 52232 ----a-w- c:\windows\system32\drivers\REGSYS701.SYS
2013-03-07 15:54:05 -------- d-----w- C:\Deleted Autoruns
.
==================== Find3M ====================
.
2013-03-09 20:16:21 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-09 20:16:21 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 23:02:02 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-27 19:08:13 16473456 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05:46 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05:46 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53:57 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36:28 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35:50 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35:38 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35:34 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35:28 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35:24 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02:53 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02:53 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19:45 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-12-21 22:20:40 2468520 ----a-w- c:\windows\system32\BootMan.exe
2012-12-21 18:54:00 13896 ----a-w- c:\windows\system32\epmntdrv.sys
2012-12-21 18:53:58 9160 ----a-w- c:\windows\system32\EuGdiDrv.sys
2012-12-21 18:53:58 87112 ----a-w- c:\windows\system32\setupempdrv03.exe
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 15:53:48.35 ===============




aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-03-13 16:00:21
-----------------------------
16:00:21.437 OS Version: Windows 5.1.2600 Service Pack 3
16:00:21.437 Number of processors: 2 586 0x403
16:00:21.437 ComputerName: RIGHTWINXP UserName: Ray
16:00:31.265 Initialize success
16:02:41.437 AVAST engine defs: 13031301
16:03:12.015 Disk 0 \Device\Harddisk0\DR0 -> \Device\00000083
16:03:12.015 Disk 0 Vendor: ST3500630AS 3.AAE Size: 476940MB BusType: 3
16:03:12.031 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000084
16:03:12.031 Disk 1 Vendor: SAMSUNG_HD103SI 1AG01118 Size: 953869MB BusType: 3
16:03:12.031 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000087
16:03:12.031 Disk 2 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
16:03:12.031 Disk 3 \Device\Harddisk3\DR3 -> \Device\Scsi\JRAID1Port4Path0Target0Lun0
16:03:12.031 Disk 3 Vendor: SATA____ Size: 953869MB BusType: 1
16:03:12.031 Disk 4 (boot) \Device\Harddisk4\DR4 -> \Device\Scsi\asahxp321Port5Path0Target0Lun0
16:03:12.031 Disk 4 Vendor: KINGSTON 502A Size: 114473MB BusType: 3
16:03:12.046 Disk 4 MBR read successfully
16:03:12.046 Disk 4 MBR scan
16:03:12.046 Disk 4 Windows 7 default MBR code
16:03:12.046 Disk 4 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114472 MB offset 63
16:03:12.062 Disk 4 scanning sectors +234440759
16:03:12.078 Disk 4 scanning C:\WINDOWS\system32\drivers
16:03:24.109 Service scanning
16:03:31.765 Service KL1 C:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5
16:03:31.875 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5
16:03:31.906 Service klkbdflt C:\WINDOWS\system32\DRIVERS\klkbdflt.sys **LOCKED** 5
16:03:31.921 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5
16:03:31.937 Service kltdi C:\WINDOWS\system32\DRIVERS\kltdi.sys **LOCKED** 5
16:03:31.984 Service kneps C:\WINDOWS\system32\DRIVERS\kneps.sys **LOCKED** 5
16:03:42.937 Modules scanning
16:03:46.406 Disk 4 trace - called modules:
16:03:46.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll asahxp32.sys
16:03:46.421 1 nt!IofCallDriver -> \Device\Harddisk4\DR4[0x8b2e3030]
16:03:46.421 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\Scsi\asahxp321Port5Path0Target0Lun0[0x8b2d2030]
16:03:46.843 AVAST engine scan C:\WINDOWS
16:03:51.593 AVAST engine scan C:\WINDOWS\system32
16:07:32.765 AVAST engine scan C:\WINDOWS\system32\drivers
16:07:53.453 AVAST engine scan C:\Documents and Settings\Ray
16:15:11.843 File: C:\Documents and Settings\Ray\My Documents\Diagnostic Tools\Security Tool Service Killer\rkill.com **INFECTED** Win32:Malware-gen
16:19:08.515 AVAST engine scan C:\Documents and Settings\All Users
16:21:23.359 Scan finished successfully
17:18:19.328 Disk 4 MBR has been saved successfully to "C:\Documents and Settings\Ray\Desktop\DISINFECTION TOOLS 3-12-2013\AswMBR\MBR.dat"
17:18:19.343 The log file has been saved successfully to "C:\Documents and Settings\Ray\Desktop\DISINFECTION TOOLS 3-12-2013\AswMBR\aswMBR.txt"

shelf life
2013-03-22, 00:36
hi rdomingu,

From the tools you have run already there's not much left to run, other than repeating it.
Usually malware will present different signs other than just slowing to a crawl as you describe, after all it needs and wants a somewhat functioning computer to be successful.
What I am getting at is not all problems are malware related. Could be a software or hardware issue. It becomes a process of elimination.
We can repeat running some tools as a check for malware if you want. If all looks good then you should visit another forum.

rdomingu
2013-03-22, 03:43
Hi Shelf Life,
Thanks for your response. I would not mind redoing the scans or whatever u may suggest. Just link me up and give me the directions and off I will go...!!! But first, after a week of running things and investigating logs and burning out Google, I found that by DESELECTING "BMGX" in my System Configuration Utility (XP Pro) Services tab, that my box now "appears" to be running well. My investigations suggest this being a Trojan but I don't know what kind nor how to figure it out and completely remove it. As of now it is just disabled. So I will gladly wait for and follow your advice. Could a ROOTKIT be the issue????

Ray:confused::confused::confused::thanks:

shelf life
2013-03-22, 15:13
hi,

Ok. Lets see if combofix can dig up anything. Double click the icon and if a update is available it will update then run. When its done you can save the log file and copy/paste it in your reply. You can also find a copy in your root drive, usually C:\ combofix.txt
Before you use it you should read through the guide. (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

rdomingu
2013-03-22, 15:38
hi,

Ok. Lets see if combofix can dig up anything. Double click the icon and if a update is available it will update then run. When its done you can save the log file and copy/paste it in your reply. You can also find a copy in your root drive, usually C:\ combofix.txt
Before you use it you should read through the guide. (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

I see no ICON

rdomingu
2013-03-22, 18:21
Hi,
I ran 3 logs. 1 as administrator in safe mode, 1 using my profile as "ray" in safe mode and the final one using my profile as "ray" in normal boot mode still with the "BMGX" service disabled. Below are the results of # 3 and attached are the results of 1 & 2. Hope they are helpfull.

Thanks,
Ray


As "ray" in normal boot mode:

ComboFix 13-03-21.02 - Ray 03/22/2013 11:08:57.24.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2312 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((( Files Created from 2013-02-22 to 2013-03-22 )))))))))))))))))))))))))))))))
.
.
2013-03-22 14:42 . 2013-03-22 14:55 -------- d-----w- C:\ComboFix Logs 3-22-2013
2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
CProcess.exe [2008-5-22 36352]
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
del_temp.vbs [2012-2-23 1914]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SpyHunter 4 Service"=2 (0x2)
"SDWSCService"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDScannerService"=2 (0x2)
"SbieSvc"=2 (0x2)
"ose"=3 (0x3)
"NVWMI"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MSCamSvc"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c987ea6b15f84e"=2 (0x2)
"gupdate"=2 (0x2)
"Guard Agent"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EaseUS Agent"=2 (0x2)
"DWMRCS"=2 (0x2)
"CTAudSvcService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Media Toolbox 6 Licensing Service"=3 (0x3)
"Creative Audio Engine Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"Adobe LM Service"=2 (0x2)
"BMGXXXXXXXX"=3 (0x3)
"BMGX"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"6346:TCP"= 6346:TCP:Limewire
"6346:UDP"= 6346:UDP:Limewire
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 AZULWXOPZZH;AZULWXOPZZH;c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe --> c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe [?]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
.
2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-03-22 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
.
2013-03-22 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
.
2013-03-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
.
2013-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
.
2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
.
2013-03-22 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-22 11:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1264)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(7000)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-03-22 11:19:47
ComboFix-quarantined-files.txt 2013-03-22 15:19
ComboFix2.txt 2013-03-22 14:54
ComboFix3.txt 2013-03-20 19:57
ComboFix4.txt 2013-03-20 17:08
ComboFix5.txt 2013-03-22 15:06
.
Pre-Run: 49,022,193,664 bytes free
Post-Run: 48,989,089,792 bytes free
.
- - End Of File - - F9364BAE093EDA4C26E2267AED60EF21

shelf life
2013-03-22, 23:40
We will use combofix to remove some goodies. Run it in "normal boot" mode

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



File::
c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe
c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe
c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe
c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe

Driver::
AZULWXOPZZH
BMGX.exe
TSJSRS.exe
ZWKKQGF.exe



Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved to your desktop (CFScript.txt) and the combofix icon, also on your desktop.

Using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run, reboot and produce a new log
please post the new combofix log in your reply.

After combofix is all done you can do this also;
Click Start>Run then type %temp%
Hit OK. Delete all the files you can.

click Start>Run then type %windir%\temp
hit ok. delete all the files you can

rdomingu
2013-03-23, 16:24
Question....

Should I duplicate running this procedure under the other profiles on the machine or did the infection/threat affect only "my" profile?

Thank you
Ray

Standing by awaiting further instructions....

Below is the log of ComboFix AFTER running the CFScript.txt file:


ComboFix 13-03-21.02 - Ray 03/23/2013 9:38.25.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2130 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
FILE ::
"c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
c:\windows\system32\drivers\RKHit.sys
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AZULWXOPZZH
-------\Service_AZULWXOPZZH
.
.
((((((((((((((((((((((((( Files Created from 2013-02-23 to 2013-03-23 )))))))))))))))))))))))))))))))
.
.
2013-03-22 14:42 . 2013-03-22 15:20 -------- d-----w- C:\ComboFix Logs 3-22-2013
2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
CProcess.exe [2008-5-22 36352]
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
del_temp.vbs [2012-2-23 1914]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SpyHunter 4 Service"=2 (0x2)
"SDWSCService"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDScannerService"=2 (0x2)
"SbieSvc"=2 (0x2)
"ose"=3 (0x3)
"NVWMI"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MSCamSvc"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c987ea6b15f84e"=2 (0x2)
"gupdate"=2 (0x2)
"Guard Agent"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EaseUS Agent"=2 (0x2)
"DWMRCS"=2 (0x2)
"CTAudSvcService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Media Toolbox 6 Licensing Service"=3 (0x3)
"Creative Audio Engine Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"Adobe LM Service"=2 (0x2)
"BMGXXXXXXXX"=3 (0x3)
"BMGX"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"6346:TCP"= 6346:TCP:Limewire
"6346:UDP"= 6346:UDP:Limewire
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
.
2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-03-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
.
2013-03-23 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
.
2013-03-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
.
2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
.
2013-03-23 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-23 09:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1268)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(6764)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Nero\SMC\NeroDigitalExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\locator.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\documents and settings\Ray\Start Menu\Programs\Startup\CProcess.exe
c:\windows\StartupMonitor.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2013-03-23 09:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-23 13:59
ComboFix2.txt 2013-03-22 15:19
ComboFix3.txt 2013-03-22 14:54
ComboFix4.txt 2013-03-20 19:57
ComboFix5.txt 2013-03-23 13:34
.
Pre-Run: 49,056,907,264 bytes free
Post-Run: 49,029,246,976 bytes free
.
- - End Of File - - CCF20F4E5031F064D088914B8296D095

rdomingu
2013-03-23, 16:57
Hi,
We are missing the file that is kicking off the reload/restart of 2 of the files in services and drivers we deleted with the above text file/combofix. See attached screen shots of messeges I intercepted during the start-up attempt and a shot of my temp folder and temp folder locked files. Could any of the "locked" keys in the registry be causing this?.....>>>HELP<<<

shelf life
2013-03-23, 18:31
Check malwarebytes for updates and then run it after you do this: Boot your machine into safe mode then navigate to your temp directories and delete what you can. Reboot normally and run malwarebytes. Post the malwarebytes log.

rdomingu
2013-03-23, 20:22
Hi,

In the future please specify how to run MalwareBytes "full" or "quick". Log is of a Full scan. Did not find anything.

Thanks,
Ray
Next???


Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.23.07

Windows XP Service Pack 3 x86 NTFS (Safe Mode)
Internet Explorer 8.0.6001.18702
Ray :: RIGHTWINXP [administrator]

3/23/2013 1:28:33 PM
mbam-log-2013-03-23 (13-28-33).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 403512
Time elapsed: 16 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

shelf life
2013-03-23, 23:59
Did you delete anything out of the temps while in safe mode? Run combofix once more using the slightly changed script below, like you did before

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BMGXXXXXXXX"=3-
"BMGX"=3-

File::
c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe
c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe
c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe
c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe

Driver::
AZULWXOPZZH
BMGX.exe
TSJSRS.exe
ZWKKQGF.exe



Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved to your desktop (CFScript.txt) and the combofix icon, also on your desktop.

Using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run, reboot and produce a new log
please post the new combofix log in your reply.

After the above download:
Roguekiller.exe (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe)

Download & SAVE to Rougekiller to your desktop
Close any running programs
Double click to start
For Vista or Windows 7, right-click and select run as Admin
Once the Prescan has finished click the scan button
Once the scan is done a report.txt will be on your desktop.
Exit Rougekiller by going to File>Quit.
copy/paste the RKreport saved to your DeskTop

rdomingu
2013-03-24, 01:04
ComboFix 13-03-23.01 - Ray 03/23/2013 18:13:50.26.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2383 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe"
.
.
((((((((((((((((((((((((( Files Created from 2013-02-23 to 2013-03-23 )))))))))))))))))))))))))))))))
.
.
2013-03-22 14:42 . 2013-03-23 14:11 -------- d-----w- C:\ComboFix Logs 3-22-2013
2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
CProcess.cfg [2013-3-23 860]
CProcess.exe [2008-5-22 36352]
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
del_temp.vbs [2012-2-23 1914]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SpyHunter 4 Service"=2 (0x2)
"SDWSCService"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDScannerService"=2 (0x2)
"SbieSvc"=2 (0x2)
"ose"=3 (0x3)
"NVWMI"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MSCamSvc"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c987ea6b15f84e"=2 (0x2)
"gupdate"=2 (0x2)
"Guard Agent"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EaseUS Agent"=2 (0x2)
"DWMRCS"=2 (0x2)
"CTAudSvcService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Media Toolbox 6 Licensing Service"=3 (0x3)
"Creative Audio Engine Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"Adobe LM Service"=2 (0x2)
"BMGXXXXXXXX"=3 (0x3)
"BMGX"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"6346:TCP"= 6346:TCP:Limewire
"6346:UDP"= 6346:UDP:Limewire
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
.
2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-03-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
.
2013-03-23 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
.
2013-03-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
.
2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
.
2013-03-23 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-23 18:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1264)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3884)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-03-23 18:24:40
ComboFix-quarantined-files.txt 2013-03-23 22:24
ComboFix2.txt 2013-03-22 15:19
ComboFix3.txt 2013-03-22 14:54
ComboFix4.txt 2013-03-20 19:57
ComboFix5.txt 2013-03-23 13:34
.
Pre-Run: 48,996,126,720 bytes free
Post-Run: 48,965,550,080 bytes free
.
- - End Of File - - 2BFD7078171C6FD05360C5B9C5899D10

_________________________________________________________________


RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Ray [Admin rights]
Mode : Scan -- Date : 03/23/2013 18:57:43
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500630AS +++++
--- User ---
[MBR] 1abe93979b2dbe79cf8f51cd4711ed80
[BSP] 21a0857be101ba19f44717e4f1fb3047 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: SAMSUNG HD103SI +++++
--- User ---
[MBR] 7c2d1787dda1ca0ab05b91036f3580ec
[BSP] 5c2b22220f055145a9b1c7369ff5f509 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: WDC WD1002FAEX-00Z3A0 +++++
--- User ---
[MBR] 21475e07416da8f21be13708b5f622ca
[BSP] 5711a6dba2474de31ee3d7621a7365f8 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: SATA ST310005 SCSI Disk Device +++++
--- User ---
[MBR] bfdd3ec03803c2ccaf7f86015141d08a
[BSP] f1a4f4c15aeb52ccce9f82a9b658d6f8 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: KINGSTON SH103S3120G SCSI Disk Device +++++
--- User ---
[MBR] dd2d907da26384e77088766ef9d6679e
[BSP] c8ef74fb392c575a42233e04e433445d : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114472 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_03232013_02d1857.txt >>
RKreport[1]_S_03232013_02d1857.txt

shelf life
2013-03-24, 16:12
hi,

Sometimes other software can interfere with combofix trying to make changes. Winpatrol and Spybots tea timer as well as antivirus and other antimalware can interfere. I see your AV was disabled but before running combofix once more please disable/exit the others if they are running, just as a precaution. After reboot they will be active again.

We will use combofix to delete one more file I should have included before.



File::
c:\windows\system32\drivers\behy.sys

Driver::
fnvu


Run Rougekiller once more like you did before with a change at the end:

Close any running programs
Double click to start
For Vista or Windows 7, right-click and select run as Admin
Once the Prescan has finished click the scan button
Once the scan is done a report.txt will be on your desktop.
Click on the delete button to remove the disable registry item it found.
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should also be found in RKreport.txt on your Desktop
Exit/Close RogueKiller

rdomingu
2013-03-24, 19:01
Hi,
Ran ComboFix & RougueKiller again. CF found, deleted and restored a sys file and RougeKiller deleted a reg entry. Looking thru the CF log I am still seeing "BMGX" as well as the files we deleted along with "BMGX" in my temp folder. Did a file re-infect the box? Below are the logs:

Thank you,
Ray

ComboFix 13-03-24.03 - Ray 03/24/2013 12:12:43.27.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2442 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\windows\system32\drivers\behy.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\Restore\rstrui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rstrui.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_fnvu
.
.
((((((((((((((((((((((((( Files Created from 2013-02-24 to 2013-03-24 )))))))))))))))))))))))))))))))
.
.
2013-03-22 14:42 . 2013-03-23 14:11 -------- d-----w- C:\ComboFix Logs 3-22-2013
2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
CProcess.cfg [2013-3-23 860]
CProcess.exe [2008-5-22 36352]
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
del_temp.vbs [2012-2-23 1914]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SpyHunter 4 Service"=2 (0x2)
"SDWSCService"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDScannerService"=2 (0x2)
"SbieSvc"=2 (0x2)
"ose"=3 (0x3)
"NVWMI"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MSCamSvc"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c987ea6b15f84e"=2 (0x2)
"gupdate"=2 (0x2)
"Guard Agent"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EaseUS Agent"=2 (0x2)
"DWMRCS"=2 (0x2)
"CTAudSvcService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Media Toolbox 6 Licensing Service"=3 (0x3)
"Creative Audio Engine Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"Adobe LM Service"=2 (0x2)
"BMGXXXXXXXX"=3 (0x3)
"BMGX"=3 (0x3).
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"6346:TCP"= 6346:TCP:Limewire
"6346:UDP"= 6346:UDP:Limewire
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?][/COLOR]S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?].
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
.
2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-03-24 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
.
2013-03-24 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
.
2013-03-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
.
2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
.
2013-03-24 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-24 12:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1268)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(5292)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\locator.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\documents and settings\Ray\Start Menu\Programs\Startup\CProcess.exe
c:\windows\StartupMonitor.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2013-03-24 12:28:36 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-24 16:28
ComboFix2.txt 2013-03-23 22:24
ComboFix3.txt 2013-03-22 15:19
ComboFix4.txt 2013-03-22 14:54
ComboFix5.txt 2013-03-24 16:10
.
Pre-Run: 48,972,357,632 bytes free
Post-Run: 48,940,695,552 bytes free
.
- - End Of File - - 993893FE25FFBB093E432ACC0CAF5B8F

_________________________________________________________________

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Ray [Admin rights]
Mode : Remove -- Date : 03/24/2013 12:44:45
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] StartupMonitor.exe -- C:\WINDOWS\StartupMonitor.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500630AS +++++
--- User ---
[MBR] 1abe93979b2dbe79cf8f51cd4711ed80
[BSP] 21a0857be101ba19f44717e4f1fb3047 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: SAMSUNG HD103SI +++++
--- User ---
[MBR] 7c2d1787dda1ca0ab05b91036f3580ec
[BSP] 5c2b22220f055145a9b1c7369ff5f509 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: WDC WD1002FAEX-00Z3A0 +++++
--- User ---
[MBR] 21475e07416da8f21be13708b5f622ca
[BSP] 5711a6dba2474de31ee3d7621a7365f8 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: SATA ST310005 SCSI Disk Device +++++
--- User ---
[MBR] bfdd3ec03803c2ccaf7f86015141d08a
[BSP] f1a4f4c15aeb52ccce9f82a9b658d6f8 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: KINGSTON SH103S3120G SCSI Disk Device +++++
--- User ---
[MBR] dd2d907da26384e77088766ef9d6679e
[BSP] c8ef74fb392c575a42233e04e433445d : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114472 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_03242013_02d1244.txt >>
RKreport[1]_S_03242013_02d1241.txt ; RKreport[2]_D_03242013_02d1244.txt

rdomingu
2013-03-24, 20:11
Hi,
After performing the above, the system began hanging again. Box was unusable and hard to hard reboot. When it came back up, I re-ran combofix with the CFScript.txt which I included the files/drivers/registry entries from both of the emails from you. I get the feeling that the box gets re-infected during boot-up. Below is the log:
Thanks,
Ray


ComboFix 13-03-24.03 - Ray 03/24/2013 13:17:51.28.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2389 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe"
"c:\windows\system32\drivers\behy.sys"
.
.
((((((((((((((((((((((((( Files Created from 2013-02-24 to 2013-03-24 )))))))))))))))))))))))))))))))
.
.
2013-03-22 14:42 . 2013-03-23 14:11 -------- d-----w- C:\ComboFix Logs 3-22-2013
2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
CProcess.cfg [2013-3-23 860]
CProcess.exe [2008-5-22 36352]
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
del_temp.vbs [2012-2-23 1914]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SpyHunter 4 Service"=2 (0x2)
"SDWSCService"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDScannerService"=2 (0x2)
"SbieSvc"=2 (0x2)
"ose"=3 (0x3)
"NVWMI"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MSCamSvc"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c987ea6b15f84e"=2 (0x2)
"gupdate"=2 (0x2)
"Guard Agent"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EaseUS Agent"=2 (0x2)
"DWMRCS"=2 (0x2)
"CTAudSvcService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Media Toolbox 6 Licensing Service"=3 (0x3)
"Creative Audio Engine Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"Adobe LM Service"=2 (0x2)
"BMGXXXXXXXX"=3 (0x3)
"BMGX"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"6346:TCP"= 6346:TCP:Limewire
"6346:UDP"= 6346:UDP:Limewire
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
.
2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-03-24 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
.
2013-03-24 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
.
2013-03-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
.
2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
.
2013-03-24 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-24 13:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1268)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(9824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-03-24 13:28:39
ComboFix-quarantined-files.txt 2013-03-24 17:28
ComboFix2.txt 2013-03-24 16:28
ComboFix3.txt 2013-03-23 22:24
ComboFix4.txt 2013-03-22 15:19
ComboFix5.txt 2013-03-24 17:15
.
Pre-Run: 48,966,320,128 bytes free
Post-Run: 48,934,748,160 bytes free
.
- - End Of File - - 9C7CC1574228D5814EFB645395316960


QUARANTINE FILE:

2013-03-24 16:18:10 . 2013-03-24 16:18:10 61,376 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_fnvu.reg.dat
2013-03-23 13:46:17 . 2013-03-23 13:46:17 2,700 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_AZULWXOPZZH.reg.dat
2013-03-23 13:46:17 . 2013-03-23 13:46:17 830 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_AZULWXOPZZH.reg.dat
2013-03-23 13:37:59 . 2013-03-24 17:17:43 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2013-03-20 16:58:57 . 2013-03-20 16:58:57 796 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_RkHit.reg.dat
2013-03-20 16:58:57 . 2013-03-20 16:58:57 1,130 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_RKHIT.reg.dat
2013-03-20 15:24:18 . 2010-12-30 14:54:06 34,736 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\RKHit.sys.vir
2013-03-19 18:11:12 . 2013-03-19 18:11:27 29,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\EventSystem.log.vir
2013-03-18 19:55:58 . 2013-03-20 17:06:19 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2013-03-18 19:33:13 . 2013-03-24 17:22:56 8,749 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-03-18 19:16:26 . 2013-03-24 17:15:21 663 ----a-w- C:\Qoobox\Quarantine\catchme.log
2013-03-12 19:08:42 . 2013-03-16 14:02:32 1,934 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\wininit.ini.vir
2008-04-13 23:12:36 . 2008-04-13 23:12:36 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\svchostt.exe.vir
2008-04-13 23:12:33 . 2008-04-13 23:12:33 380,416 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Restore\rstrui.exe.vir

shelf life
2013-03-24, 23:38
Lets move on to and see what TDSSkiller can find. I dont think you ran it although it may be part of your Kaspersky AV. In any case:

Download:
TDSSkiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) to your desktop

Click the icon, then on Change Parameters. Check the option: Detect TDLFS file system, then click ok and Start Scan

Once the scan is done you will find a .txt file in your root drive Local Disk, usually (C) labeled as: TDSSKILLER.2.8.13.0_15.10.2012_17.34.06_log.txt (version,date time) Please post it in your reply.

rdomingu
2013-03-25, 00:58
Just 2 update, while running WinPatrol, it intercepted attempts to change the file association of .cab. I also lost the funtion of my internet explorer. My URL shortcuts no longer funtioned as well. My url file association changed but correcting that did not restore funtion. (see attached for what it changed it to) To repair, I reinstalled IE8. Awaiting further instructions.
Ray


18:47:58.0187 0552 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
18:47:58.0484 0552 ============================================================
18:47:58.0484 0552 Current date / time: 2013/03/24 18:47:58.0484
18:47:58.0484 0552 SystemInfo:
18:47:58.0484 0552
18:47:58.0484 0552 OS Version: 5.1.2600 ServicePack: 3.0
18:47:58.0484 0552 Product type: Workstation
18:47:58.0484 0552 ComputerName: RIGHTWINXP
18:47:58.0484 0552 UserName: Ray
18:47:58.0484 0552 Windows directory: C:\WINDOWS
18:47:58.0484 0552 System windows directory: C:\WINDOWS
18:47:58.0484 0552 Processor architecture: Intel x86
18:47:58.0484 0552 Number of processors: 2
18:47:58.0484 0552 Page size: 0x1000
18:47:58.0484 0552 Boot type: Normal boot
18:47:58.0484 0552 ============================================================
18:47:59.0593 0552 Drive \Device\Harddisk4\DR4 - Size: 0x1BF2976200 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
18:47:59.0593 0552 Drive \Device\Harddisk3\DR3 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
18:47:59.0609 0552 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:47:59.0609 0552 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1D9265, SectorsPerTrack: 0x3F, TracksPerCylinder: 0x10, Type 'K0', Flags 0x00000050
18:47:59.0609 0552 Drive \Device\Harddisk2\DR2 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:47:59.0609 0552 Drive \Device\Harddisk5\DR10 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:47:59.0609 0552 ============================================================
18:47:59.0609 0552 \Device\Harddisk4\DR4:
18:47:59.0609 0552 MBR partitions:
18:47:59.0609 0552 \Device\Harddisk4\DR4\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDF947F8
18:47:59.0609 0552 \Device\Harddisk3\DR3:
18:47:59.0609 0552 MBR partitions:
18:47:59.0609 0552 \Device\Harddisk3\DR3\Partition1: MBR, Type 0x6, StartLBA 0x3F, BlocksNum 0x74705982
18:47:59.0609 0552 \Device\Harddisk0\DR0:
18:47:59.0609 0552 MBR partitions:
18:47:59.0609 0552 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
18:47:59.0609 0552 \Device\Harddisk1\DR1:
18:47:59.0609 0552 MBR partitions:
18:47:59.0609 0552 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
18:47:59.0609 0552 \Device\Harddisk2\DR2:
18:47:59.0609 0552 MBR partitions:
18:47:59.0609 0552 \Device\Harddisk2\DR2\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
18:47:59.0609 0552 \Device\Harddisk5\DR10:
18:47:59.0625 0552 MBR partitions:
18:47:59.0625 0552 \Device\Harddisk5\DR10\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
18:47:59.0625 0552 ============================================================
18:47:59.0625 0552 C: <-> \Device\Harddisk4\DR4\Partition1
18:47:59.0640 0552 D: <-> \Device\Harddisk2\DR2\Partition1
18:47:59.0640 0552 E: <-> \Device\Harddisk1\DR1\Partition1
18:47:59.0640 0552 I: <-> \Device\Harddisk5\DR10\Partition1
18:47:59.0640 0552 P: <-> \Device\Harddisk3\DR3\Partition1
18:47:59.0656 0552 F: <-> \Device\Harddisk0\DR0\Partition1
18:47:59.0656 0552 ============================================================
18:47:59.0656 0552 Initialize success
18:47:59.0656 0552 ============================================================
18:48:33.0750 2936 ============================================================
18:48:33.0750 2936 Scan started
18:48:33.0750 2936 Mode: Manual; TDLFS;
18:48:33.0750 2936 ============================================================
18:48:34.0109 2936 ================ Scan system memory ========================
18:48:34.0109 2936 System memory - ok
18:48:34.0109 2936 ================ Scan services =============================
18:48:34.0171 2936 Abiosdsk - ok
18:48:34.0171 2936 abp480n5 - ok
18:48:34.0187 2936 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:48:34.0187 2936 ACPI - ok
18:48:34.0203 2936 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
18:48:34.0203 2936 ACPIEC - ok
18:48:34.0203 2936 [ 4AE327C9C375D985FF2A2AAB92765218 ] Adobe LM Service C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
18:48:34.0218 2936 Adobe LM Service - ok
18:48:34.0218 2936 [ EA856F4A46320389D1899B2CAA7BF40F ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
18:48:34.0218 2936 AdobeFlashPlayerUpdateSvc - ok
18:48:34.0234 2936 adpu160m - ok
18:48:34.0250 2936 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
18:48:34.0250 2936 aec - ok
18:48:34.0265 2936 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
18:48:34.0265 2936 AFD - ok
18:48:34.0265 2936 Aha154x - ok
18:48:34.0281 2936 aic78u2 - ok
18:48:34.0296 2936 aic78xx - ok
18:48:34.0296 2936 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
18:48:34.0296 2936 Alerter - ok
18:48:34.0312 2936 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
18:48:34.0312 2936 ALG - ok
18:48:34.0312 2936 AliIde - ok
18:48:34.0328 2936 [ 8FCE268CDBDD83B23419D1F35F42C7B1 ] AmdK7 C:\WINDOWS\system32\DRIVERS\amdk7.sys
18:48:34.0328 2936 AmdK7 - ok
18:48:34.0343 2936 amsint - ok
18:48:34.0343 2936 [ 946EF1D9A26FB005B8257CF052FB3B83 ] AnyDVD C:\WINDOWS\system32\Drivers\AnyDVD.sys
18:48:34.0343 2936 AnyDVD - ok
18:48:34.0359 2936 [ A5299D04ED225D64CF07A568A3E1BF8C ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:48:34.0359 2936 Apple Mobile Device - ok
18:48:34.0375 2936 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
18:48:34.0375 2936 AppMgmt - ok
18:48:34.0390 2936 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
18:48:34.0390 2936 Arp1394 - ok
18:48:34.0406 2936 [ 6C520546FB842E7CAD0102BF2C3B3F3F ] asahxp32 C:\WINDOWS\system32\DRIVERS\asahxp32.sys
18:48:34.0406 2936 asahxp32 - ok
18:48:34.0406 2936 asc - ok
18:48:34.0421 2936 asc3350p - ok
18:48:34.0437 2936 asc3550 - ok
18:48:34.0453 2936 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
18:48:34.0453 2936 aspnet_state - ok
18:48:34.0468 2936 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:48:34.0468 2936 AsyncMac - ok
18:48:34.0484 2936 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
18:48:34.0484 2936 atapi - ok
18:48:34.0484 2936 Atdisk - ok
18:48:34.0500 2936 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:48:34.0500 2936 Atmarpc - ok
18:48:34.0515 2936 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
18:48:34.0515 2936 AudioSrv - ok
18:48:34.0515 2936 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
18:48:34.0515 2936 audstub - ok
18:48:34.0531 2936 [ DB61A6ECACD9D84405D2F3E411B25409 ] avgtp C:\WINDOWS\system32\drivers\avgtpx86.sys
18:48:34.0531 2936 avgtp - ok
18:48:34.0546 2936 AVP - ok
18:48:34.0546 2936 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
18:48:34.0546 2936 Beep - ok
18:48:34.0562 2936 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
18:48:34.0578 2936 BITS - ok
18:48:34.0578 2936 BMGX - ok
18:48:34.0593 2936 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
18:48:34.0593 2936 Bonjour Service - ok
18:48:34.0609 2936 [ F934D1B230F84E1D19DD00AC5A7A83ED ] Bridge C:\WINDOWS\system32\DRIVERS\bridge.sys
18:48:34.0609 2936 Bridge - ok
18:48:34.0625 2936 [ F934D1B230F84E1D19DD00AC5A7A83ED ] BridgeMP C:\WINDOWS\system32\DRIVERS\bridge.sys
18:48:34.0625 2936 BridgeMP - ok
18:48:34.0625 2936 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
18:48:34.0625 2936 Browser - ok
18:48:34.0640 2936 catchme - ok
18:48:34.0640 2936 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
18:48:34.0656 2936 cbidf2k - ok
18:48:34.0656 2936 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:48:34.0656 2936 CCDECODE - ok
18:48:34.0671 2936 cd20xrnt - ok
18:48:34.0671 2936 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
18:48:34.0671 2936 Cdaudio - ok
18:48:34.0687 2936 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
18:48:34.0687 2936 Cdfs - ok
18:48:34.0703 2936 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:48:34.0703 2936 Cdrom - ok
18:48:34.0703 2936 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
18:48:34.0703 2936 CiSvc - ok
18:48:34.0718 2936 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
18:48:34.0718 2936 ClipSrv - ok
18:48:34.0718 2936 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:48:34.0734 2936 clr_optimization_v2.0.50727_32 - ok
18:48:34.0734 2936 CmdIde - ok
18:48:34.0750 2936 COMSysApp - ok
18:48:34.0765 2936 Cpqarray - ok
18:48:34.0765 2936 [ C0EAD9F8AB83D41FF07303C75589C2B8 ] Creative Audio Engine Licensing Service C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
18:48:34.0781 2936 Creative Audio Engine Licensing Service - ok
18:48:34.0781 2936 [ D03466C36EF0E5C7694FF38B45271D9D ] Creative Media Toolbox 6 Licensing Service C:\Program Files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe
18:48:34.0781 2936 Creative Media Toolbox 6 Licensing Service - ok
18:48:34.0796 2936 [ 3C8B6609712F4FF78E521F6DCFC4032B ] Creative Service for CDROM Access C:\WINDOWS\system32\CTsvcCDA.exe
18:48:34.0796 2936 Creative Service for CDROM Access - ok
18:48:34.0796 2936 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
18:48:34.0796 2936 CryptSvc - ok
18:48:34.0812 2936 [ 6F778D290F57D6137B7F258725D6D5F6 ] CT20XUT C:\WINDOWS\system32\drivers\CT20XUT.SYS
18:48:34.0812 2936 CT20XUT - ok
18:48:34.0828 2936 [ 6F778D290F57D6137B7F258725D6D5F6 ] CT20XUT.SYS C:\WINDOWS\System32\drivers\CT20XUT.SYS
18:48:34.0828 2936 CT20XUT.SYS - ok
18:48:34.0843 2936 [ 3404D052223E2C8F2CCD746C21680E65 ] ctac32k C:\WINDOWS\system32\drivers\ctac32k.sys
18:48:34.0859 2936 ctac32k - ok
18:48:34.0875 2936 [ 8254A1775B91B3C7644BC5D684F4AA59 ] ctaud2k C:\WINDOWS\system32\drivers\ctaud2k.sys
18:48:34.0875 2936 ctaud2k - ok
18:48:34.0890 2936 [ 69CDBA2B9C397E349A04FA70DD9170A2 ] CTAudSvcService C:\Program Files\Creative\Shared Files\CTAudSvc.exe
18:48:34.0890 2936 CTAudSvcService - ok
18:48:34.0906 2936 [ AC816D2A85C2673ADC5340D5CDEAB6B2 ] ctdvda2k C:\WINDOWS\system32\drivers\ctdvda2k.sys
18:48:34.0906 2936 ctdvda2k - ok
18:48:34.0937 2936 [ 6D4CEF46BB223601289DC64034401C65 ] CTEXFIFX C:\WINDOWS\system32\drivers\CTEXFIFX.SYS
18:48:34.0953 2936 CTEXFIFX - ok
18:48:34.0984 2936 [ 6D4CEF46BB223601289DC64034401C65 ] CTEXFIFX.SYS C:\WINDOWS\System32\drivers\CTEXFIFX.SYS
18:48:34.0984 2936 CTEXFIFX.SYS - ok
18:48:35.0000 2936 [ 44B9F2040C57CFA509548DDAB2E8BF09 ] CTHWIUT C:\WINDOWS\system32\drivers\CTHWIUT.SYS
18:48:35.0000 2936 CTHWIUT - ok
18:48:35.0015 2936 [ 44B9F2040C57CFA509548DDAB2E8BF09 ] CTHWIUT.SYS C:\WINDOWS\System32\drivers\CTHWIUT.SYS
18:48:35.0015 2936 CTHWIUT.SYS - ok
18:48:35.0015 2936 [ DF51F3D85D2A20B4E95C2002505D4210 ] ctprxy2k C:\WINDOWS\system32\drivers\ctprxy2k.sys
18:48:35.0031 2936 ctprxy2k - ok
18:48:35.0031 2936 [ 8B6595EA6912A09EAE381C594DCA4947 ] ctsfm2k C:\WINDOWS\system32\drivers\ctsfm2k.sys
18:48:35.0031 2936 ctsfm2k - ok
18:48:35.0046 2936 [ B5ECADF7708960F1818C7FA015F4C239 ] CVirtA C:\WINDOWS\system32\DRIVERS\CVirtA.sys
18:48:35.0046 2936 CVirtA - ok
18:48:35.0062 2936 dac2w2k - ok
18:48:35.0062 2936 dac960nt - ok
18:48:35.0078 2936 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
18:48:35.0093 2936 DcomLaunch - ok
18:48:35.0093 2936 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
18:48:35.0093 2936 Dhcp - ok
18:48:35.0109 2936 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
18:48:35.0109 2936 Disk - ok
18:48:35.0109 2936 dmadmin - ok
18:48:35.0140 2936 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
18:48:35.0140 2936 dmboot - ok
18:48:35.0156 2936 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
18:48:35.0156 2936 dmio - ok
18:48:35.0171 2936 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
18:48:35.0171 2936 dmload - ok
18:48:35.0187 2936 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
18:48:35.0187 2936 dmserver - ok
18:48:35.0187 2936 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
18:48:35.0203 2936 DMusic - ok
18:48:35.0203 2936 [ 694616F813FB627A32C9E32DEC133078 ] DNE C:\WINDOWS\system32\DRIVERS\dne2000.sys
18:48:35.0203 2936 DNE - ok
18:48:35.0218 2936 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
18:48:35.0218 2936 Dnscache - ok
18:48:35.0234 2936 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
18:48:35.0234 2936 Dot3svc - ok
18:48:35.0250 2936 [ 3E4B043F8BC6BE1D4820CC6C9C500306 ] Dot4 C:\WINDOWS\system32\DRIVERS\Dot4.sys
18:48:35.0250 2936 Dot4 - ok
18:48:35.0250 2936 [ 77CE63A8A34AE23D9FE4C7896D1DEBE7 ] Dot4Print C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
18:48:35.0265 2936 Dot4Print - ok
18:48:35.0265 2936 [ 6EC3AF6BB5B30E488A0C559921F012E1 ] dot4usb C:\WINDOWS\system32\DRIVERS\dot4usb.sys
18:48:35.0265 2936 dot4usb - ok
18:48:35.0281 2936 dpti2o - ok
18:48:35.0281 2936 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
18:48:35.0281 2936 drmkaud - ok
18:48:35.0296 2936 [ 651554E483712B708EDE864D0CA1AA73 ] DrvAgent32 C:\WINDOWS\system32\Drivers\DrvAgent32.sys
18:48:35.0296 2936 DrvAgent32 - ok
18:48:35.0312 2936 DWMRCS - ok
18:48:35.0312 2936 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
18:48:35.0312 2936 EapHost - ok
18:48:35.0328 2936 [ 98CB51EC5384635EA6B303D5648EEF1F ] EaseUS Agent C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
18:48:35.0328 2936 EaseUS Agent - ok
18:48:35.0343 2936 [ 178CC9403816C082D22A1D47FA1F9C85 ] ElbyCDIO C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
18:48:35.0343 2936 ElbyCDIO - ok
18:48:35.0343 2936 [ DF9957DB3BFE5136AAD3C2C101806C98 ] ElbyDelay C:\WINDOWS\system32\Drivers\ElbyDelay.sys
18:48:35.0359 2936 ElbyDelay - ok
18:48:35.0359 2936 [ 6C3DCE1A5600A079B046937653933281 ] emupia C:\WINDOWS\system32\drivers\emupia2k.sys
18:48:35.0359 2936 emupia - ok
18:48:35.0375 2936 [ D57F1811D8258D8D277CD9F53657EEF9 ] epmntdrv C:\WINDOWS\system32\epmntdrv.sys
18:48:35.0375 2936 epmntdrv - ok
18:48:35.0390 2936 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
18:48:35.0390 2936 ERSvc - ok
18:48:35.0390 2936 [ 2407B8164E966755BC6A4242FC9DE31E ] esgiguard C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
18:48:35.0406 2936 esgiguard - ok
18:48:35.0406 2936 [ 01CE484FF6D70A39479BC6D619DE7ED6 ] EsgScanner C:\WINDOWS\system32\DRIVERS\EsgScanner.sys
18:48:35.0421 2936 EsgScanner - ok
18:48:35.0421 2936 [ 84D5EF7D2E978B999610482286B772DC ] EUBAKUP C:\WINDOWS\system32\drivers\eubakup.sys
18:48:35.0437 2936 EUBAKUP - ok
18:48:35.0437 2936 [ DA4230C9F3375A94DF36F140425336B9 ] EUBKMON C:\WINDOWS\system32\drivers\EUBKMON.sys
18:48:35.0437 2936 EUBKMON - ok
18:48:35.0453 2936 [ CEF620676E9D8F1207D92FCDEB63F074 ] EUDSKACS C:\WINDOWS\system32\drivers\eudskacs.sys
18:48:35.0453 2936 EUDSKACS - ok
18:48:35.0468 2936 [ F1BB27BC6DD385C154666ADE0D28387B ] EUFDDISK C:\WINDOWS\system32\drivers\EuFdDisk.sys
18:48:35.0468 2936 EUFDDISK - ok
18:48:35.0484 2936 [ F1DE3EEF501DDA7DDF99F2EDF0C5540E ] EuGdiDrv C:\WINDOWS\system32\EuGdiDrv.sys
18:48:35.0484 2936 EuGdiDrv - ok
18:48:35.0500 2936 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
18:48:35.0500 2936 Eventlog - ok
18:48:35.0515 2936 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
18:48:35.0515 2936 EventSystem - ok
18:48:35.0515 2936 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
18:48:35.0531 2936 Fastfat - ok
18:48:35.0531 2936 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
18:48:35.0546 2936 FastUserSwitchingCompatibility - ok
18:48:35.0546 2936 [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax C:\WINDOWS\system32\fxssvc.exe
18:48:35.0562 2936 Fax - ok
18:48:35.0562 2936 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
18:48:35.0562 2936 Fdc - ok
18:48:35.0578 2936 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
18:48:35.0578 2936 Fips - ok
18:48:35.0593 2936 [ 227846995AFEEFA70D328BF5334A86A5 ] FLEXnet Licensing Service C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
18:48:35.0609 2936 FLEXnet Licensing Service - ok
18:48:35.0625 2936 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:48:35.0625 2936 Flpydisk - ok
18:48:35.0625 2936 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
18:48:35.0640 2936 FltMgr - ok
18:48:35.0640 2936 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
18:48:35.0640 2936 FontCache3.0.0.0 - ok
18:48:35.0656 2936 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:48:35.0656 2936 Fs_Rec - ok
18:48:35.0671 2936 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:48:35.0671 2936 Ftdisk - ok
18:48:35.0687 2936 [ 065639773D8B03F33577F6CDAEA21063 ] gameenum C:\WINDOWS\system32\DRIVERS\gameenum.sys
18:48:35.0687 2936 gameenum - ok
18:48:35.0687 2936 [ 185ADA973B5020655CEE342059A86CBB ] GEARAspiWDM C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
18:48:35.0703 2936 GEARAspiWDM - ok
18:48:35.0703 2936 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:48:35.0703 2936 Gpc - ok
18:48:35.0718 2936 [ 7B90BE6811334CAA9243B89F3D3FEE1A ] GT680x C:\WINDOWS\system32\Drivers\gt680x.sys
18:48:35.0718 2936 GT680x - ok
18:48:35.0734 2936 [ 2FC26B450D640F72E59F43DF1D48F439 ] Guard Agent C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
18:48:35.0734 2936 Guard Agent - ok
18:48:35.0734 2936 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
18:48:35.0750 2936 gupdate - ok
18:48:35.0750 2936 [ F02A533F517EB38333CB12A9E8963773 ] gupdate1c987ea6b15f84e C:\Program Files\Google\Update\GoogleUpdate.exe
18:48:35.0765 2936 gupdate1c987ea6b15f84e - ok
18:48:35.0765 2936 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
18:48:35.0765 2936 gupdatem - ok
18:48:35.0781 2936 [ 408DDD80EEDE47175F6844817B90213E ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
18:48:35.0781 2936 gusvc - ok
18:48:35.0812 2936 [ 46209281D43511CE2C660821B05C2B5D ] ha20x2k C:\WINDOWS\system32\drivers\ha20x2k.sys
18:48:35.0828 2936 ha20x2k - ok
18:48:35.0843 2936 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:48:35.0843 2936 HDAudBus - ok
18:48:35.0843 2936 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
18:48:35.0859 2936 helpsvc - ok
18:48:35.0859 2936 [ 923EE4EEF2582909A056904CA8026015 ] hidgame C:\WINDOWS\system32\DRIVERS\hidgame.sys
18:48:35.0859 2936 hidgame - ok
18:48:35.0875 2936 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
18:48:35.0875 2936 HidServ - ok
18:48:35.0890 2936 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:48:35.0890 2936 hidusb - ok
18:48:35.0890 2936 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
18:48:35.0906 2936 hkmsvc - ok
18:48:35.0906 2936 hpn - ok
18:48:35.0921 2936 [ F50F7984FDD151EDD8A70A8DBD9E2A44 ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
18:48:35.0921 2936 hpqcxs08 - ok
18:48:35.0921 2936 [ DF446BA625CC441617843E87798CE048 ] hpqddsvc C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
18:48:35.0937 2936 hpqddsvc - ok
18:48:35.0937 2936 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
18:48:35.0937 2936 HPZid412 - ok
18:48:35.0953 2936 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
18:48:35.0953 2936 HPZipr12 - ok
18:48:35.0968 2936 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
18:48:35.0968 2936 HPZius12 - ok
18:48:35.0968 2936 [ 6DB36593ABDDA54C505B77A4F135D5F3 ] HSFHWBS2 C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys
18:48:35.0984 2936 HSFHWBS2 - ok
18:48:36.0000 2936 [ 01DC6300BD5B4EAA3DE6FC3FA4ADB82A ] HSF_DPV C:\WINDOWS\system32\DRIVERS\USR_MDMV.sys
18:48:36.0015 2936 HSF_DPV - ok
18:48:36.0031 2936 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
18:48:36.0031 2936 HTTP - ok
18:48:36.0046 2936 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
18:48:36.0046 2936 HTTPFilter - ok
18:48:36.0062 2936 i2omp - ok
18:48:36.0062 2936 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:48:36.0062 2936 i8042prt - ok
18:48:36.0078 2936 [ 7E9DCE459BE666AB54F67E77CB7D1297 ] ICAM3NT5 C:\WINDOWS\system32\Drivers\Icam3.sys
18:48:36.0093 2936 ICAM3NT5 - ok
18:48:36.0109 2936 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
18:48:36.0125 2936 idsvc - ok
18:48:36.0125 2936 [ 0A7C49B48C772591A2D362DAA00246C8 ] imagedrv C:\WINDOWS\system32\Drivers\imagedrv.sys
18:48:36.0140 2936 imagedrv - ok
18:48:36.0140 2936 [ 549BA4F539E7B8D8129500B96DD7B27A ] imagesrv C:\WINDOWS\system32\DRIVERS\imagesrv.sys
18:48:36.0156 2936 imagesrv - ok
18:48:36.0156 2936 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
18:48:36.0171 2936 Imapi - ok
18:48:36.0187 2936 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
18:48:36.0187 2936 ImapiService - ok
18:48:36.0187 2936 InCDfs - ok
18:48:36.0203 2936 InCDrec - ok
18:48:36.0218 2936 ini910u - ok
18:48:36.0296 2936 [ 60D7460B07012D364CED11DD9FD83E1F ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
18:48:36.0359 2936 IntcAzAudAddService - ok
18:48:36.0375 2936 IntelIde - ok
18:48:36.0390 2936 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:48:36.0390 2936 intelppm - ok
18:48:36.0406 2936 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
18:48:36.0406 2936 Ip6Fw - ok
18:48:36.0421 2936 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:48:36.0421 2936 IpFilterDriver - ok
18:48:36.0437 2936 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:48:36.0437 2936 IpInIp - ok
18:48:36.0453 2936 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:48:36.0453 2936 IpNat - ok
18:48:36.0468 2936 [ E8A39D41474BE42FD8830CED32932D6C ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
18:48:36.0484 2936 iPod Service - ok
18:48:36.0500 2936 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:48:36.0515 2936 IPSec - ok
18:48:36.0515 2936 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
18:48:36.0515 2936 IRENUM - ok
18:48:36.0531 2936 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:48:36.0546 2936 isapnp - ok
18:48:36.0562 2936 [ F59C3569A2F2C464BB78CB1BDCDCA55E ] Iviaspi C:\WINDOWS\system32\drivers\iviaspi.sys
18:48:36.0562 2936 Iviaspi - ok
18:48:36.0578 2936 [ 6D53710E993F9DDFE5C8F2C048F3AE4D ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
18:48:36.0578 2936 JavaQuickStarterService - ok
18:48:36.0593 2936 [ C995C0E8B4503FAC38793BB0236AD246 ] JGOGO C:\WINDOWS\system32\DRIVERS\JGOGO.sys
18:48:36.0593 2936 JGOGO - ok
18:48:36.0593 2936 [ F4A31E66A61C0783F51157519B03280B ] JRAID C:\WINDOWS\system32\DRIVERS\jraid.sys
18:48:36.0609 2936 JRAID - ok
18:48:36.0609 2936 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:48:36.0609 2936 Kbdclass - ok
18:48:36.0625 2936 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:48:36.0625 2936 kbdhid - ok
18:48:36.0640 2936 [ EA26CB00F83686856F2C79673C00C686 ] KL1 C:\WINDOWS\system32\DRIVERS\kl1.sys
18:48:36.0640 2936 KL1 - ok
18:48:36.0656 2936 [ 3D23639C3FDBC082AF7016A5C8829329 ] KLIF C:\WINDOWS\system32\DRIVERS\klif.sys
18:48:36.0671 2936 KLIF - ok
18:48:36.0671 2936 [ 05E5504E5E06F75F18BBEA7291601FE2 ] klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys
18:48:36.0671 2936 klim5 - ok
18:48:36.0687 2936 [ 7BE035A9C20F357DC765D6C7FDCDC964 ] klkbdflt C:\WINDOWS\system32\DRIVERS\klkbdflt.sys
18:48:36.0687 2936 klkbdflt - ok
18:48:36.0703 2936 [ A8234A8F67B0565F74753FE88A7BF03D ] klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys
18:48:36.0703 2936 klmouflt - ok
18:48:36.0703 2936 [ 53C0DF6C5139CB78A631E7AFCD893730 ] kltdi C:\WINDOWS\system32\DRIVERS\kltdi.sys
18:48:36.0718 2936 kltdi - ok
18:48:36.0718 2936 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
18:48:36.0718 2936 kmixer - ok
18:48:36.0734 2936 [ 71A38C123600172511C26BFABD0EF579 ] kneps C:\WINDOWS\system32\DRIVERS\kneps.sys
18:48:36.0734 2936 kneps - ok
18:48:36.0750 2936 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
18:48:36.0750 2936 KSecDD - ok
18:48:36.0765 2936 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
18:48:36.0765 2936 lanmanserver - ok
18:48:36.0781 2936 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
18:48:36.0781 2936 lanmanworkstation - ok
18:48:36.0796 2936 [ AC2E68E3421AF857B8D438414E7AE31C ] LightScribeService C:\Program Files\Common Files\LightScribe\LSSrvc.exe
18:48:36.0812 2936 LightScribeService - ok
18:48:36.0812 2936 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
18:48:36.0812 2936 LmHosts - ok
18:48:36.0828 2936 [ D8C0B2EB928D57C928522EFF500C4BA8 ] ManyCam C:\WINDOWS\system32\DRIVERS\mcvidrv.sys
18:48:36.0828 2936 ManyCam - ok
18:48:36.0843 2936 [ 964BD01FD77026F93F15040027F6F579 ] mcaudrv_simple C:\WINDOWS\system32\drivers\mcaudrv.sys
18:48:36.0843 2936 mcaudrv_simple - ok
18:48:36.0859 2936 MDM - ok
18:48:36.0859 2936 [ 3C318B9CD391371BED62126581EE9961 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
18:48:36.0875 2936 mdmxsdk - ok
18:48:36.0875 2936 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
18:48:36.0875 2936 Messenger - ok
18:48:36.0890 2936 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
18:48:36.0890 2936 mnmdd - ok
18:48:36.0906 2936 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
18:48:36.0906 2936 mnmsrvc - ok
18:48:36.0906 2936 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
18:48:36.0921 2936 Modem - ok
18:48:36.0921 2936 [ 1992E0D143B09653AB0F9C5E04B0FD65 ] MODEMCSA C:\WINDOWS\system32\drivers\MODEMCSA.sys
18:48:36.0921 2936 MODEMCSA - ok
18:48:36.0937 2936 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:48:36.0937 2936 Mouclass - ok
18:48:36.0953 2936 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:48:36.0953 2936 mouhid - ok
18:48:36.0968 2936 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
18:48:36.0968 2936 MountMgr - ok
18:48:36.0968 2936 [ 15D5398EED42C2504BB3D4FC875C15D1 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
18:48:36.0984 2936 MozillaMaintenance - ok
18:48:36.0984 2936 mraid35x - ok
18:48:37.0000 2936 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:48:37.0000 2936 MRxDAV - ok
18:48:37.0015 2936 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:48:37.0031 2936 MRxSmb - ok
18:48:37.0031 2936 [ B03E3F64B70F8031E65EB26DA23DE91A ] MSCamSvc C:\Program Files\Microsoft LifeCam\MSCamS32.exe
18:48:37.0046 2936 MSCamSvc - ok
18:48:37.0046 2936 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
18:48:37.0062 2936 MSDTC - ok
18:48:37.0062 2936 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
18:48:37.0078 2936 Msfs - ok
18:48:37.0078 2936 [ 7A0F9CBDBDB135113B9A3C138E20C85D ] MSHUSBVideo C:\WINDOWS\system32\Drivers\nx6000.sys
18:48:37.0078 2936 MSHUSBVideo - ok
18:48:37.0093 2936 MSIServer - ok
18:48:37.0109 2936 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:48:37.0109 2936 MSKSSRV - ok
18:48:37.0109 2936 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:48:37.0125 2936 MSPCLOCK - ok
18:48:37.0125 2936 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
18:48:37.0125 2936 MSPQM - ok
18:48:37.0140 2936 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:48:37.0156 2936 mssmbios - ok
18:48:37.0156 2936 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
18:48:37.0156 2936 MSTEE - ok
18:48:37.0171 2936 [ CA3E22598F411199ADC2DFEE76CD0AE0 ] ms_mpu401 C:\WINDOWS\system32\drivers\msmpu401.sys
18:48:37.0171 2936 ms_mpu401 - ok
18:48:37.0187 2936 [ D48659BB24C48345D926ECB45C1EBDF5 ] MTsensor C:\WINDOWS\system32\DRIVERS\ASACPI.sys
18:48:37.0187 2936 MTsensor - ok
18:48:37.0203 2936 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
18:48:37.0203 2936 Mup - ok
18:48:37.0218 2936 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:48:37.0218 2936 NABTSFEC - ok
18:48:37.0234 2936 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
18:48:37.0234 2936 napagent - ok
18:48:37.0250 2936 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
18:48:37.0250 2936 NDIS - ok
18:48:37.0265 2936 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:48:37.0265 2936 NdisIP - ok
18:48:37.0281 2936 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:48:37.0281 2936 NdisTapi - ok
18:48:37.0296 2936 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:48:37.0296 2936 Ndisuio - ok
18:48:37.0296 2936 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:48:37.0312 2936 NdisWan - ok
18:48:37.0312 2936 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
18:48:37.0328 2936 NDProxy - ok
18:48:37.0343 2936 [ 0FF3C6AA3E0FE0EB316DF5449B569463 ] Nero BackItUp Scheduler 4.0 C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
18:48:37.0359 2936 Nero BackItUp Scheduler 4.0 - ok
18:48:37.0359 2936 [ 51C6D8BFBD4EA5B62A1BA7F4469250D3 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
18:48:37.0375 2936 Net Driver HPZ12 - ok
18:48:37.0375 2936 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
18:48:37.0375 2936 NetBIOS - ok
18:48:37.0390 2936 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
18:48:37.0390 2936 NetBT - ok
18:48:37.0406 2936 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
18:48:37.0421 2936 NetDDE - ok
18:48:37.0421 2936 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
18:48:37.0437 2936 NetDDEdsdm - ok
18:48:37.0437 2936 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
18:48:37.0453 2936 Netlogon - ok
18:48:37.0453 2936 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
18:48:37.0468 2936 Netman - ok
18:48:37.0468 2936 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
18:48:37.0484 2936 NetTcpPortSharing - ok
18:48:37.0484 2936 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
18:48:37.0484 2936 NIC1394 - ok
18:48:37.0500 2936 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
18:48:37.0515 2936 Nla - ok
18:48:37.0515 2936 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
18:48:37.0515 2936 Npfs - ok
18:48:37.0546 2936 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
18:48:37.0546 2936 Ntfs - ok
18:48:37.0562 2936 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
18:48:37.0562 2936 NtLmSsp - ok
18:48:37.0578 2936 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
18:48:37.0593 2936 NtmsSvc - ok
18:48:37.0593 2936 [ CF7E041663119E09D2E118521ADA9300 ] NuidFltr C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
18:48:37.0609 2936 NuidFltr - ok
18:48:37.0609 2936 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
18:48:37.0609 2936 Null - ok
18:48:37.0812 2936 [ 18A012E8A546942E5AA45CA0D2F52FCB ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:48:37.0984 2936 nv - ok
18:48:38.0000 2936 [ C03E15101F6D9E82CD9B0E7D715F5DE3 ] nvata C:\WINDOWS\system32\DRIVERS\nvata.sys
18:48:38.0015 2936 nvata - ok
18:48:38.0031 2936 [ B9333604527E02CD2223F200C0BAE7E0 ] NVENETFD C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
18:48:38.0031 2936 NVENETFD - ok
18:48:38.0046 2936 [ 5E9E55F7EE644C7C5FD78A206FBE37AB ] nvnetbus C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
18:48:38.0046 2936 nvnetbus - ok
18:48:38.0062 2936 [ B65CE56C36F573113FF2F6D0F07B7563 ] nvraid C:\WINDOWS\system32\DRIVERS\nvraid.sys
18:48:38.0062 2936 nvraid - ok
18:48:38.0078 2936 [ E3C0F0D0DB96BFF169B0D7C33E2BA1AA ] NVSvc C:\WINDOWS\system32\nvsvc32.exe
18:48:38.0078 2936 NVSvc - ok
18:48:38.0093 2936 [ 4347E23182C51BBE6A1C95F91CBFDC5E ] NVWMI C:\WINDOWS\system32\nvwmi.exe
18:48:38.0109 2936 NVWMI - ok
18:48:38.0125 2936 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:48:38.0125 2936 NwlnkFlt - ok
18:48:38.0125 2936 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:48:38.0140 2936 NwlnkFwd - ok
18:48:38.0140 2936 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
18:48:38.0156 2936 ohci1394 - ok
18:48:38.0156 2936 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
18:48:38.0171 2936 ose - ok
18:48:38.0171 2936 [ 5CFBF86E0A98390EBA378A7E738F92E3 ] ossrv C:\WINDOWS\system32\drivers\ctoss2k.sys
18:48:38.0187 2936 ossrv - ok
18:48:38.0203 2936 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
18:48:38.0203 2936 Parport - ok
18:48:38.0218 2936 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
18:48:38.0218 2936 PartMgr - ok
18:48:38.0234 2936 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
18:48:38.0234 2936 ParVdm - ok
18:48:38.0250 2936 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
18:48:38.0250 2936 PCI - ok
18:48:38.0265 2936 PCIDump - ok
18:48:38.0265 2936 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
18:48:38.0265 2936 PCIIde - ok
18:48:38.0281 2936 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
18:48:38.0281 2936 Pcmcia - ok
18:48:38.0296 2936 [ 5B6C11DE7E839C05248CED8825470FEF ] pcouffin C:\WINDOWS\system32\Drivers\pcouffin.sys
18:48:38.0296 2936 pcouffin - ok
18:48:38.0312 2936 perc2 - ok
18:48:38.0328 2936 perc2hib - ok
18:48:38.0359 2936 [ 444F122E68DB44C0589227781F3C8B3F ] pfc C:\WINDOWS\system32\drivers\pfc.sys
18:48:38.0359 2936 pfc - ok
18:48:38.0375 2936 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
18:48:38.0375 2936 PlugPlay - ok
18:48:38.0390 2936 [ 79834AA2FBF9FE81EEBB229024F6F7FC ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
18:48:38.0390 2936 Pml Driver HPZ12 - ok
18:48:38.0406 2936 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
18:48:38.0406 2936 PolicyAgent - ok
18:48:38.0421 2936 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:48:38.0421 2936 PptpMiniport - ok
18:48:38.0437 2936 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
18:48:38.0437 2936 ProtectedStorage - ok
18:48:38.0453 2936 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
18:48:38.0453 2936 PSched - ok
18:48:38.0468 2936 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:48:38.0468 2936 Ptilink - ok
18:48:38.0484 2936 [ D86B4A68565E444D76457F14172C875A ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:48:38.0484 2936 PxHelp20 - ok
18:48:38.0500 2936 ql1080 - ok
18:48:38.0500 2936 Ql10wnt - ok
18:48:38.0515 2936 ql12160 - ok
18:48:38.0531 2936 ql1240 - ok
18:48:38.0531 2936 ql1280 - ok
18:48:38.0546 2936 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:48:38.0546 2936 RasAcd - ok
18:48:38.0562 2936 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
18:48:38.0578 2936 RasAuto - ok
18:48:38.0578 2936 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:48:38.0578 2936 Rasl2tp - ok
18:48:38.0593 2936 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
18:48:38.0609 2936 RasMan - ok
18:48:38.0609 2936 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:48:38.0609 2936 RasPppoe - ok
18:48:38.0625 2936 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
18:48:38.0625 2936 Raspti - ok
18:48:38.0640 2936 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:48:38.0640 2936 Rdbss - ok
18:48:38.0656 2936 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:48:38.0656 2936 RDPCDD - ok
18:48:38.0671 2936 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:48:38.0687 2936 rdpdr - ok
18:48:38.0703 2936 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
18:48:38.0703 2936 RDPWD - ok
18:48:38.0718 2936 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
18:48:38.0718 2936 RDSessMgr - ok
18:48:38.0734 2936 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
18:48:38.0734 2936 redbook - ok
18:48:38.0750 2936 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
18:48:38.0750 2936 RemoteAccess - ok
18:48:38.0765 2936 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
18:48:38.0765 2936 RemoteRegistry - ok
18:48:38.0781 2936 [ D8B0B4ADE32574B2D9C5CC34DC0DBBE7 ] ROOTMODEM C:\WINDOWS\system32\Drivers\RootMdm.sys
18:48:38.0781 2936 ROOTMODEM - ok
18:48:38.0796 2936 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
18:48:38.0796 2936 RpcLocator - ok
18:48:38.0812 2936 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
18:48:38.0812 2936 RpcSs - ok
18:48:38.0828 2936 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
18:48:38.0828 2936 RSVP - ok
18:48:38.0843 2936 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
18:48:38.0843 2936 SamSs - ok
18:48:38.0843 2936 [ A3281AEC37E0720A2BC28034C2DF2A56 ] SASDIFSV C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
18:48:38.0859 2936 SASDIFSV - ok
18:48:38.0859 2936 [ 61DB0D0756A99506207FD724E3692B25 ] SASKUTIL C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
18:48:38.0859 2936 SASKUTIL - ok
18:48:38.0875 2936 [ E5C587C0668F83E799D1C43BC53E5E37 ] SAVRKBootTasks C:\WINDOWS\system32\SAVRKBootTasks.sys
18:48:38.0875 2936 SAVRKBootTasks - ok
18:48:39.0000 2936 [ CA57D847403633D0D97114071B59C2B2 ] SbieDrv D:\Program Files\Sandboxie\SbieDrv.sys
18:48:39.0000 2936 SbieDrv - ok
18:48:39.0046 2936 [ 5CC11034A2E22DFF623BC922090AEBAB ] SbieSvc D:\Program Files\Sandboxie\SbieSvc.exe
18:48:39.0046 2936 SbieSvc - ok
18:48:39.0046 2936 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
18:48:39.0062 2936 SCardSvr - ok
18:48:39.0062 2936 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
18:48:39.0078 2936 Schedule - ok
18:48:39.0171 2936 [ 206387AB881E93A1A6EB89966C8651F1 ] SDScannerService D:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
18:48:39.0187 2936 SDScannerService - ok
18:48:39.0218 2936 [ A529CFE32565C0B145578FFB2B32C9A5 ] SDUpdateService D:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
18:48:39.0218 2936 SDUpdateService - ok
18:48:39.0250 2936 [ CB63BDB77BB86549FC3303C2F11EDC18 ] SDWSCService D:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
18:48:39.0250 2936 SDWSCService - ok
18:48:39.0265 2936 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:48:39.0265 2936 Secdrv - ok
18:48:39.0281 2936 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
18:48:39.0281 2936 seclogon - ok
18:48:39.0296 2936 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
18:48:39.0296 2936 SENS - ok
18:48:39.0312 2936 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
18:48:39.0312 2936 serenum - ok
18:48:39.0328 2936 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
18:48:39.0328 2936 Serial - ok
18:48:39.0359 2936 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
18:48:39.0359 2936 Sfloppy - ok
18:48:39.0375 2936 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
18:48:39.0375 2936 SharedAccess - ok
18:48:39.0390 2936 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
18:48:39.0390 2936 ShellHWDetection - ok
18:48:39.0406 2936 Simbad - ok
18:48:39.0421 2936 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:48:39.0437 2936 SLIP - ok
18:48:39.0453 2936 Sparrow - ok
18:48:39.0468 2936 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
18:48:39.0468 2936 splitter - ok
18:48:39.0484 2936 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
18:48:39.0484 2936 Spooler - ok
18:48:39.0500 2936 [ 48AAE4C5E13611ED49C68F06857FF930 ] SpyHunter 4 Service C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
18:48:39.0515 2936 SpyHunter 4 Service - ok
18:48:39.0531 2936 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
18:48:39.0531 2936 sr - ok
18:48:39.0546 2936 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
18:48:39.0546 2936 srservice - ok
18:48:39.0562 2936 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
18:48:39.0562 2936 Srv - ok
18:48:39.0578 2936 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
18:48:39.0578 2936 SSDPSRV - ok
18:48:39.0593 2936 [ A9573045BAA16EAB9B1085205B82F1ED ] StillCam C:\WINDOWS\system32\DRIVERS\serscan.sys
18:48:39.0593 2936 StillCam - ok
18:48:39.0609 2936 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
18:48:39.0625 2936 stisvc - ok
18:48:39.0625 2936 stllssvr - ok
18:48:39.0640 2936 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:48:39.0640 2936 streamip - ok
18:48:39.0656 2936 [ 289ABD8C3E253CFFC230C785E082FA60 ] SWDUMon C:\WINDOWS\system32\DRIVERS\SWDUMon.sys
18:48:39.0656 2936 SWDUMon - ok
18:48:39.0671 2936 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
18:48:39.0671 2936 swenum - ok
18:48:39.0687 2936 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
18:48:39.0687 2936 swmidi - ok
18:48:39.0703 2936 SwPrv - ok
18:48:39.0718 2936 symc810 - ok
18:48:39.0734 2936 symc8xx - ok
18:48:39.0750 2936 sym_hi - ok
18:48:39.0750 2936 sym_u3 - ok
18:48:39.0765 2936 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
18:48:39.0765 2936 sysaudio - ok
18:48:39.0781 2936 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
18:48:39.0781 2936 SysmonLog - ok
18:48:39.0812 2936 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
18:48:39.0812 2936 TapiSrv - ok
18:48:39.0828 2936 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:48:39.0843 2936 Tcpip - ok
18:48:39.0843 2936 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
18:48:39.0859 2936 TDPIPE - ok
18:48:39.0859 2936 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
18:48:39.0875 2936 TDTCP - ok
18:48:39.0875 2936 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
18:48:39.0890 2936 TermDD - ok
18:48:39.0890 2936 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
18:48:39.0906 2936 TermService - ok
18:48:39.0921 2936 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
18:48:39.0921 2936 Themes - ok
18:48:39.0937 2936 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
18:48:39.0937 2936 TlntSvr - ok
18:48:39.0953 2936 TosIde - ok
18:48:39.0953 2936 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
18:48:39.0968 2936 TrkWks - ok
18:48:39.0984 2936 TSJSRS - ok
18:48:40.0000 2936 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
18:48:40.0000 2936 Udfs - ok
18:48:40.0015 2936 ultra - ok
18:48:40.0031 2936 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
18:48:40.0046 2936 Update - ok
18:48:40.0062 2936 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
18:48:40.0062 2936 upnphost - ok
18:48:40.0078 2936 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
18:48:40.0078 2936 UPS - ok
18:48:40.0093 2936 [ EAFE1E00739AFE6C51487A050E772E17 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
18:48:40.0093 2936 USBAAPL - ok
18:48:40.0109 2936 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
18:48:40.0109 2936 usbaudio - ok
18:48:40.0125 2936 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:48:40.0125 2936 usbccgp - ok
18:48:40.0140 2936 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:48:40.0140 2936 usbehci - ok
18:48:40.0156 2936 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:48:40.0156 2936 usbhub - ok
18:48:40.0171 2936 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys
18:48:40.0171 2936 usbohci - ok
18:48:40.0187 2936 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:48:40.0187 2936 usbprint - ok
18:48:40.0203 2936 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:48:40.0203 2936 usbscan - ok
18:48:40.0218 2936 [ 1C888B000C2F9492F4B15B5B6B84873E ] usbser C:\WINDOWS\system32\DRIVERS\usbser.sys
18:48:40.0218 2936 usbser - ok
18:48:40.0234 2936 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:48:40.0234 2936 USBSTOR - ok
18:48:40.0250 2936 [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
18:48:40.0250 2936 usbvideo - ok
18:48:40.0265 2936 [ B4D7B7AD8A9F7C063C5CC3E2C1A0724E ] usb_rndisx C:\WINDOWS\system32\DRIVERS\usb8023x.sys
18:48:40.0265 2936 usb_rndisx - ok
18:48:40.0281 2936 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
18:48:40.0281 2936 VgaSave - ok
18:48:40.0296 2936 ViaIde - ok
18:48:40.0296 2936 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
18:48:40.0312 2936 VolSnap - ok
18:48:40.0328 2936 [ 0354BA3A5BA5E28CC247EB5F5DD8793C ] vsdatant C:\WINDOWS\system32\vsdatant.sys
18:48:40.0328 2936 vsdatant - ok
18:48:40.0359 2936 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
18:48:40.0359 2936 VSS - ok
18:48:40.0375 2936 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
18:48:40.0390 2936 W32Time - ok
18:48:40.0406 2936 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:48:40.0406 2936 Wanarp - ok
18:48:40.0421 2936 [ D6EFAF429FD30C5DF613D220E344CCE7 ] WDC_SAM C:\WINDOWS\system32\DRIVERS\wdcsam.sys
18:48:40.0437 2936 WDC_SAM - ok
18:48:40.0453 2936 [ FD47474BD21794508AF449D9D91AF6E6 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
18:48:40.0453 2936 Wdf01000 - ok
18:48:40.0468 2936 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
18:48:40.0468 2936 wdmaud - ok
18:48:40.0484 2936 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
18:48:40.0484 2936 WebClient - ok
18:48:40.0515 2936 [ 35104D888A90EBC18F71FDC2374D2BB9 ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_USR.sys
18:48:40.0515 2936 winachsf - ok
18:48:40.0546 2936 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
18:48:40.0546 2936 winmgmt - ok
18:48:40.0578 2936 [ 18F347402DA544A780949B8FDF83351B ] WinRM C:\WINDOWS\system32\WsmSvc.dll
18:48:40.0593 2936 WinRM - ok
18:48:40.0656 2936 [ 051B1BDECD6DEE18C771B5D5EC7F044D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
18:48:40.0656 2936 WmdmPmSN - ok
18:48:40.0671 2936 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
18:48:40.0687 2936 Wmi - ok
18:48:40.0703 2936 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:48:40.0703 2936 WmiApSrv - ok
18:48:40.0734 2936 [ 6BAB4DC65515A098505F8B3D01FB6FE5 ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
18:48:40.0734 2936 WMPNetworkSvc - ok
18:48:40.0750 2936 [ C60DC16D4E406810FAD54B98DC92D5EC ] WpdUsb C:\WINDOWS\system32\DRIVERS\wpdusb.sys
18:48:40.0765 2936 WpdUsb - ok
18:48:40.0765 2936 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
18:48:40.0781 2936 WS2IFSL - ok
18:48:40.0781 2936 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
18:48:40.0796 2936 wscsvc - ok
18:48:40.0812 2936 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:48:40.0812 2936 WSTCODEC - ok
18:48:40.0828 2936 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
18:48:40.0828 2936 wuauserv - ok
18:48:40.0843 2936 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:48:40.0843 2936 WudfPf - ok
18:48:40.0859 2936 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:48:40.0859 2936 WudfRd - ok
18:48:40.0875 2936 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
18:48:40.0875 2936 WudfSvc - ok
18:48:40.0906 2936 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
18:48:40.0906 2936 WZCSVC - ok
18:48:40.0921 2936 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
18:48:40.0921 2936 xmlprov - ok
18:48:40.0937 2936 ZWKKQGF - ok
18:48:41.0031 2936 ================ Scan global ===============================
18:48:41.0031 2936 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
18:48:41.0046 2936 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
18:48:41.0062 2936 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
18:48:41.0078 2936 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
18:48:41.0078 2936 [Global] - ok
18:48:41.0078 2936 ================ Scan MBR ==================================
18:48:41.0078 2936 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk4\DR4
18:48:41.0609 2936 \Device\Harddisk4\DR4 - ok
18:48:41.0609 2936 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk3\DR3
18:48:41.0812 2936 \Device\Harddisk3\DR3 - ok
18:48:41.0828 2936 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
18:48:42.0250 2936 \Device\Harddisk0\DR0 - ok
18:48:42.0250 2936 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR1
18:48:42.0640 2936 \Device\Harddisk1\DR1 - ok
18:48:42.0640 2936 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk2\DR2
18:48:43.0000 2936 \Device\Harddisk2\DR2 - ok
18:48:43.0000 2936 [ 988D3C46CBD13EC7F482B833C55264C8 ] \Device\Harddisk5\DR10
18:48:43.0515 2936 \Device\Harddisk5\DR10 - ok
18:48:43.0515 2936 ================ Scan VBR ==================================
18:48:43.0515 2936 [ EC344EA8A4F8C7BFC284909E99D34902 ] \Device\Harddisk4\DR4\Partition1
18:48:43.0515 2936 \Device\Harddisk4\DR4\Partition1 - ok
18:48:43.0515 2936 [ BAECBB54D003E5F2C5CCE61E21AF8D0D ] \Device\Harddisk3\DR3\Partition1
18:48:43.0531 2936 \Device\Harddisk3\DR3\Partition1 - ok
18:48:43.0531 2936 [ 6DD5E96E8B3B960C7980FB324EF00E23 ] \Device\Harddisk0\DR0\Partition1
18:48:43.0531 2936 \Device\Harddisk0\DR0\Partition1 - ok
18:48:43.0531 2936 [ D5CB73AE40CB0CC684E75947E4D3F073 ] \Device\Harddisk1\DR1\Partition1
18:48:43.0531 2936 \Device\Harddisk1\DR1\Partition1 - ok
18:48:43.0546 2936 [ 6E103E03B8B0B9E1FE4406DAC22A2FDD ] \Device\Harddisk2\DR2\Partition1
18:48:43.0546 2936 \Device\Harddisk2\DR2\Partition1 - ok
18:48:43.0546 2936 [ DDF211A61161C3A78EE76D496F9FA992 ] \Device\Harddisk5\DR10\Partition1
18:48:43.0546 2936 \Device\Harddisk5\DR10\Partition1 - ok
18:48:43.0546 2936 ============================================================
18:48:43.0546 2936 Scan finished
18:48:43.0546 2936 ============================================================
18:48:43.0562 1108 Detected object count: 0
18:48:43.0562 1108 Actual detected object count: 0

shelf life
2013-03-25, 04:05
Not really familiar with Winpatrol but cant it be used to prevent the change before it happens? Does it provide anymore info like what initiated the change? No luck with TDSSkiller, may as well try Malwarebytes Anti-Rootkit:

Download the beta version of Malwarebytes Anti-rootkit to your desktop.
Read the Disclaimer since this is a Beta version

Download Malwarebytes (http://www.malwarebytes.org/products/mbar/) Anti-Rootkit from the link to the right.
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
Verify that your system is now functioning normally.

Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
Copy and paste the contents of these two log files in your next reply.

After the above you can do a online scan with ESET (http://www.eset.com/onlinescan/)

These directions are old and probably outdated, but Iam sure you can manage to get a scan done:

Use Internet Explorer
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan archives" Leave the defaults checked under Advanced settings
click scan. When it completes click "List found threats"
click "Export to text file.." and save it to your desktop. Post the saved log.
Click "back" and "finish"

I wont be back online for 18 hours or so.

rdomingu
2013-03-28, 22:20
Below logs were from when all was running good except that I could not run Windows Update. Enabled BITS to try and repair update and issues began again. Something is re-triggering the malware.... Running ESET again. Will post results.

System.log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_38

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, I:\ DRIVE_FIXED, P:\ DRIVE_FIXED
CPU speed: 3.360000 GHz
Memory total: 3219623936, free: 2373488640

------------ Kernel report ------------
03/25/2013 09:56:48
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
imagesrv.sys
kl1.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
nvraid.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
VolSnap.sys
atapi.sys
nvata.sys
jraid.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
asahxp32.sys
imagedrv.sys
disk.sys
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
Mup.sys
JGOGO.sys
EUBKMON.sys
eubakup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nv4_mini.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\System32\Drivers\AnyDVD.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\nvnetbus.sys
\SystemRoot\system32\DRIVERS\NVNRM.SYS
\SystemRoot\system32\DRIVERS\NVSNPU.SYS
\SystemRoot\system32\DRIVERS\ASACPI.sys
\SystemRoot\system32\DRIVERS\klim5.sys
\SystemRoot\system32\DRIVERS\klflt.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\NVENETFD.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\klif.sys
\??\C:\WINDOWS\system32\SAVRKBootTasks.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\WINDOWS\system32\drivers\avgtpx86.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\kltdi.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\kneps.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\WINDOWS\system32\drivers\EuFdDisk.sys
\??\C:\WINDOWS\system32\drivers\eudskacs.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\dot4usb.sys
\SystemRoot\system32\DRIVERS\Dot4.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\klkbdflt.sys
\SystemRoot\system32\DRIVERS\Dot4Prt.sys
\SystemRoot\system32\DRIVERS\NuidFltr.sys
\SystemRoot\system32\DRIVERS\WDFLDR.SYS
\SystemRoot\system32\DRIVERS\Wdf01000.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\klmouflt.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\HPZius12.sys
\SystemRoot\system32\DRIVERS\HPZid412.sys
\SystemRoot\system32\DRIVERS\HPZipr12.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_asahxp32.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\ElbyCDIO.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
\WINDOWS\system32\kernel32.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR10
Upper Device Object: 0xffffffff8b2ca030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000009b\
Lower Device Object: 0xffffffff8ac75670
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR4
Upper Device Object: 0xffffffff8b2ceab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\asahxp321Port5Path0Target0Lun0\
Lower Device Object: 0xffffffff8b30aa38
Lower Device Driver Name: \Driver\asahxp32\
Driver name found: asahxp32
Initialization returned 0x0
Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xffffffff8b3087e8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\JRAID1Port4Path0Target0Lun0\
Lower Device Object: 0xffffffff8b391a38
Lower Device Driver Name: \Driver\JRAID\
Driver name found: JRAID
Initialization returned 0x0
Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xffffffff8b308030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000089\
Lower Device Object: 0xffffffff8b290030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8b3098a0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000086\
Lower Device Object: 0xffffffff8b2ba030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b309030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000085\
Lower Device Object: 0xffffffff8b30c030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
Downloaded database version: v2013.03.25.10
Initializing...
Done!
<<<2>>>
Device number: 4, partition: 1
Physical Sector Size: 512
Drive: 4, DevicePointer: 0xffffffff8b2ceab8, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b2ce890, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b2ceab8, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b30aa38, DeviceName: \Device\Scsi\asahxp321Port5Path0Target0Lun0\, DriverName: \Driver\asahxp32\
------------ End ----------
Alternate DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe54eb110, 0xffffffff8b2ceab8, 0xffffffff89509230
Lower DeviceData: 0xffffffffe132a8c8, 0xffffffff8b30aa38, 0xffffffff896390b0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 4, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b309030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b309e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b309030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b390ac0, DeviceName: \Device\00000087\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b30c030, DeviceName: \Device\00000085\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe50d30d8, 0xffffffff8b309030, 0xffffffff89a1d8d0
Lower DeviceData: 0xffffffffe498bfd0, 0xffffffff8b30c030, 0xffffffff8951eb68
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F0D95948

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 976768002
Partition file system is NTFS
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8b3098a0, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b309678, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b3098a0, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b3a32b0, DeviceName: \Device\00000088\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b2ba030, DeviceName: \Device\00000086\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe4950b90, 0xffffffff8b3098a0, 0xffffffff8955d318
Lower DeviceData: 0xffffffffe53fc528, 0xffffffff8b2ba030, 0xffffffff89ee7b10
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 5CEE4027

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002
Partition file system is NTFS
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Physical Sector Size: 512
Drive: 2, DevicePointer: 0xffffffff8b308030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b308e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b308030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b27ef18, DeviceName: \Device\0000008b\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b290030, DeviceName: \Device\00000089\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe34e3f98, 0xffffffff8b308030, 0xffffffff8976e8e0
Lower DeviceData: 0xffffffffe35bf918, 0xffffffff8b290030, 0xffffffff8b1dfd18
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8AD0619A

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002
Partition file system is NTFS
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Physical Sector Size: 512
Drive: 3, DevicePointer: 0xffffffff8b3087e8, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b2ce020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b3087e8, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b3938f8, DeviceName: Unknown, DriverName: \Driver\JGOGO\
DevicePointer: 0xffffffff8b391a38, DeviceName: \Device\Scsi\JRAID1Port4Path0Target0Lun0\, DriverName: \Driver\JRAID\
------------ End ----------
Alternate DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe4aa9d00, 0xffffffff8b3087e8, 0xffffffff89b698d8
Lower DeviceData: 0xffffffffe53f8170, 0xffffffff8b391a38, 0xffffffff89c37b10
Drive 3
Scanning MBR on drive 3...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8424C816

Partition information:

Partition 0 type is Other (0x6)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Drive 4
Scanning MBR on drive 4...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 510C9D64

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 234440696
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 120034124288 bytes
Sector size: 512 bytes

Physical Sector Size: 512
Drive: 5, DevicePointer: 0xffffffff8b2ca030, DeviceName: \Device\Harddisk5\DR10\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8accc7f0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b2ca030, DeviceName: \Device\Harddisk5\DR10\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ac75670, DeviceName: \Device\0000009b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk5\DR10\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe57c41e0, 0xffffffff8b2ca030, 0xffffffff8a1ab158
Lower DeviceData: 0xffffffffe4d52250, 0xffffffff8ac75670, 0xffffffff8a373040
Drive 5
Scanning MBR on drive 5...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8D399BC0

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 976768002

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_38

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, I:\ DRIVE_FIXED, P:\ DRIVE_FIXED
CPU speed: 3.360000 GHz
Memory total: 3219623936, free: 2604408832

=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_38

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED, F:\ DRIVE_FIXED, I:\ DRIVE_FIXED, P:\ DRIVE_FIXED
CPU speed: 3.360000 GHz
Memory total: 3219623936, free: 2067292160

------------ Kernel report ------------
03/27/2013 08:52:22
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
imagesrv.sys
kl1.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
nvraid.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
pavboot.sys
VolSnap.sys
atapi.sys
nvata.sys
jraid.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
asahxp32.sys
imagedrv.sys
disk.sys
fltmgr.sys
PxHelp20.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
Mup.sys
JGOGO.sys
EUBKMON.sys
eubakup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nv4_mini.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\System32\Drivers\AnyDVD.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\nvnetbus.sys
\SystemRoot\system32\DRIVERS\NVNRM.SYS
\SystemRoot\system32\DRIVERS\NVSNPU.SYS
\SystemRoot\system32\DRIVERS\ASACPI.sys
\SystemRoot\system32\DRIVERS\klim5.sys
\SystemRoot\system32\DRIVERS\klflt.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\NVENETFD.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\klif.sys
\??\C:\WINDOWS\system32\SAVRKBootTasks.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\WINDOWS\system32\drivers\avgtpx86.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\kltdi.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\kneps.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\WINDOWS\system32\drivers\EuFdDisk.sys
\??\C:\WINDOWS\system32\drivers\eudskacs.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\dot4usb.sys
\SystemRoot\system32\DRIVERS\Dot4.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\klkbdflt.sys
\SystemRoot\system32\DRIVERS\Dot4Prt.sys
\SystemRoot\system32\DRIVERS\NuidFltr.sys
\SystemRoot\system32\DRIVERS\WDFLDR.SYS
\SystemRoot\system32\DRIVERS\Wdf01000.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\klmouflt.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\HPZius12.sys
\SystemRoot\system32\DRIVERS\HPZid412.sys
\SystemRoot\system32\DRIVERS\HPZipr12.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_asahxp32.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\ElbyCDIO.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
\WINDOWS\system32\kernel32.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR10
Upper Device Object: 0xffffffff8b341ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000009c\
Lower Device Object: 0xffffffff8ad45888
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR4
Upper Device Object: 0xffffffff8b361030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\asahxp321Port5Path0Target0Lun0\
Lower Device Object: 0xffffffff8b396a38
Lower Device Driver Name: \Driver\asahxp32\
Driver name found: asahxp32
Initialization returned 0x0
Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xffffffff8b2fb8a0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\JRAID1Port4Path0Target0Lun0\
Lower Device Object: 0xffffffff8b30ea38
Lower Device Driver Name: \Driver\JRAID\
Driver name found: JRAID
Initialization returned 0x0
Port sub-driver loaded: \??\C:\WINDOWS\system32\drivers\scsiport.sys (0x0)
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xffffffff8b2fb030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000008a\
Lower Device Object: 0xffffffff8b362030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8b330ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000087\
Lower Device Object: 0xffffffff8b3aa030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b330030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000086\
Lower Device Object: 0xffffffff8b2da030
Lower Device Driver Name: \Driver\nvata\
Driver name found: nvata
Downloaded database version: v2013.03.27.05
Downloaded database version: v2013.03.25.01
Initializing...
Done!
<<<2>>>
Device number: 4, partition: 1
Physical Sector Size: 512
Drive: 4, DevicePointer: 0xffffffff8b361030, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b361db0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b361030, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b396a38, DeviceName: \Device\Scsi\asahxp321Port5Path0Target0Lun0\, DriverName: \Driver\asahxp32\
------------ End ----------
Alternate DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe4579d98, 0xffffffff8b361030, 0xffffffff8887e680
Lower DeviceData: 0xffffffffeeb7c318, 0xffffffff8b396a38, 0xffffffff89956330
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 4, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b330030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b396718, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b330030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b30bac0, DeviceName: \Device\00000088\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b2da030, DeviceName: \Device\00000086\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffffffff2f05bd0, 0xffffffff8b330030, 0xffffffff880d6248
Lower DeviceData: 0xffffffffe79df690, 0xffffffff8b2da030, 0xffffffff88351438
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F0D95948

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 976768002
Partition file system is NTFS
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8b330ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b330890, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b330ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b30caf8, DeviceName: \Device\00000089\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b3aa030, DeviceName: \Device\00000087\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffffffff0fe23c0, 0xffffffff8b330ab8, 0xffffffff877f3ab8
Lower DeviceData: 0xffffffffedcc6620, 0xffffffff8b3aa030, 0xffffffff89b215d0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 5CEE4027

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002
Partition file system is NTFS
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Physical Sector Size: 512
Drive: 2, DevicePointer: 0xffffffff8b2fb030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b2fbe08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b2fb030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b2fcf18, DeviceName: \Device\0000008c\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b362030, DeviceName: \Device\0000008a\, DriverName: \Driver\nvata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe978c4a8, 0xffffffff8b2fb030, 0xffffffff87a7d5e8
Lower DeviceData: 0xffffffffeb733768, 0xffffffff8b362030, 0xffffffff87ddfd80
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8AD0619A

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002
Partition file system is NTFS
Partition is not bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Physical Sector Size: 512
Drive: 3, DevicePointer: 0xffffffff8b2fb8a0, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b2fb678, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b2fb8a0, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b3988f8, DeviceName: Unknown, DriverName: \Driver\JGOGO\
DevicePointer: 0xffffffff8b30ea38, DeviceName: \Device\Scsi\JRAID1Port4Path0Target0Lun0\, DriverName: \Driver\JRAID\
------------ End ----------
Alternate DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe57f6700, 0xffffffff8b2fb8a0, 0xffffffff875f36c8
Lower DeviceData: 0xffffffffe3d17a40, 0xffffffff8b30ea38, 0xffffffff87de98b0
Drive 3
Scanning MBR on drive 3...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8424C816

Partition information:

Partition 0 type is Other (0x6)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Drive 4
Scanning MBR on drive 4...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 510C9D64

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 234440696
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 120034124288 bytes
Sector size: 512 bytes

Physical Sector Size: 512
Drive: 5, DevicePointer: 0xffffffff8b341ab8, DeviceName: \Device\Harddisk5\DR10\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8acf47f0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b341ab8, DeviceName: \Device\Harddisk5\DR10\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ad45888, DeviceName: \Device\0000009c\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk5\DR10\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe605bec0, 0xffffffff8b341ab8, 0xffffffff881712c8
Lower DeviceData: 0xffffffffe9ee1408, 0xffffffff8ad45888, 0xffffffff885d0368
Drive 5
Scanning MBR on drive 5...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8D399BC0

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 976768002

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================


mbar-log-2013-03-27 (09-01-23).txt

Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.27.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ray :: RIGHTWINXP [administrator]

3/27/2013 9:01:23 AM
mbar-log-2013-03-27 (09-01-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28145
Time elapsed: 8 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESET.txt

C:\Documents and Settings\Ray\My Documents\FreeWAVToMP3ConverterSetup.exe a variant of Win32/Agent.SZW trojan cleaned by deleting - quarantined
C:\Documents and Settings\Ray\My Documents\PDF995\HCB004F5\Pdf995_Script.exe probably unknown NewHeur_PE virus deleted - quarantined
C:\Documents and Settings\Ray\My Documents\PDF995\HCB00554\Pdf995_Script.exe probably unknown NewHeur_PE virus deleted - quarantined
D:\DESKTOP n FAVORITES from SSD\My Documents\FreeWAVToMP3ConverterSetup.exe a variant of Win32/Agent.SZW trojan cleaned by deleting - quarantined
D:\DESKTOP n FAVORITES from SSD\My Documents\PDF995\HCB004F5\Pdf995_Script.exe probably unknown NewHeur_PE virus deleted - quarantined
D:\DESKTOP n FAVORITES from SSD\My Documents\PDF995\HCB00554\Pdf995_Script.exe probably unknown NewHeur_PE virus deleted - quarantined
I:\C Drive Copy\Documents and Settings\All Users\Application Data\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
I:\C Drive Copy\Documents and Settings\Ray\Application Data\Sun\Java\Deployment\cache\6.0\25\6bc1819-222517b9 a variant of Java/TrojanDownloader.OpenStream.NCP trojan cleaned by deleting - quarantined
I:\C Drive Copy\Documents and Settings\Ray\My Documents\FreeWAVToMP3ConverterSetup.exe a variant of Win32/Agent.SZW trojan cleaned by deleting - quarantined
I:\C Drive Copy\Documents and Settings\Ray\My Documents\PDF995\HCB004F5\Pdf995_Script.exe probably unknown NewHeur_PE virus deleted - quarantined
I:\C Drive Copy\Documents and Settings\Ray\My Documents\PDF995\HCB00554\Pdf995_Script.exe probably unknown NewHeur_PE virus deleted - quarantined

shelf life
2013-03-29, 15:53
Looks like ESET removed some goodies. Other than that not seeing any malware. Have you tried this (http://www.thewindowsclub.com/windows-update-troubleshooter-from-microsoft-fixes-windows-updates-problems) for Window update problems?

rdomingu
2013-04-01, 18:20
My responses are not posting...I tried twice along wit an attachment in both.

shelf life
2013-04-06, 01:12
Attachments can have size limitations. You can try reducing the size by opening it in a editor and saving it as another extension. I am assuming its a screenshot/picture, but maybe its not.

rdomingu
2013-04-06, 01:55
Thanks for your help. My OS just got so badly corrupted that I had no DVD drives listed anymore so out of pure frustration, I formatted the drive and loaded a fresh OS. Everything is working great now.
Thanks,
Ray

shelf life
2013-04-06, 03:57
Ok great and your welcome. Didnt really look like a malware issue to me. Sometimes nothing beats a reformat/reinstall. Happy safe surfing.