An infection that I can't find.
Hello,
New to this forum.
I am infected with something which I cannot seem to find. I am hoping someone can assist me with locating this/these infections and ridding my box of them. I am running Win XP SP3 and current on all patches. I have run Kaspersky scans (full, vulnerability, critical area and root kit), Sophos stand alone (Sav32cli), SB Search n Destroy 2, RootAlyzer, SuperAntiSpyware, HijackThis, Combofix and MalwareBytes....all with current updates....with no significant results. I have run these all under normal boot and some under safe mode with no difference in results. After a boot-up, box runs good but eventually slows to a crawl with CPU usage at 100%. Running a manual Windows Update will take a LONG time to complete. I have to wait about 30 seconds when creating a new folder, in order to give it a name. I am a presently unemployed desktop support analyst and have a lot of disinfecting experience, but this one, being on my own personal box, is REALLY making me feel incompetent!!! I have backups, but they are infected as well so I can't just restore. It would be a simple re-image normally, but I can't do that with my box....much too much stuff on it. I would greatly appreciate your assistance with this one. Thanks in advance for your hopeful assistance. Below are the requested logs:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_38
Run by Ray at 15:52:50 on 2013-03-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2056 [GMT -4:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvwmi.exe
D:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\locator.exe
D:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
D:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
D:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
C:\Program Files\Plextor\PlexUTILITIES\PlexRadar.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Efficient Reminder Free\EfficientReminderFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\nvwmi.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k WINRM
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\urladvisor\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "d:\program files\sandboxie\SbieCtrl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"
mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe"
mRun: [SDTray] "d:\program files\spybot - search & destroy 2\SDTray.exe"
StartupFolder: c:\docume~1\ray\startm~1\programs\startup\effici~1.lnk - c:\program files\efficient reminder free\EfficientReminderFree.exe
StartupFolder: c:\docume~1\ray\startm~1\programs\startup\erunta~1.lnk - d:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\ray\startm~1\programs\startup\plexra~1.lnk - c:\program files\plextor\plexutilities\PlexRadar.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\del_temp.vbs
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hypers~1.lnk - c:\program files\hypersnap-dx 5\HprSnap5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\plexra~1.lnk - c:\program files\plextor\plexutilities\PlexRadar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\watch.lnk - c:\program files\mustek 1200 ub plus\driver\WATCH.exe
uPolicies-Explorer: NoWindowsUpdate = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:383
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoWindowsUpdate = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy 2\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1296519865546
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1362800798828
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1353104195093
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
TCP: NameServer = 167.206.254.2 167.206.254.1
TCP: Interfaces\{9C3AA36C-E157-4013-9946-690262E89D96} : DHCPNameServer = 167.206.254.2 167.206.254.1
TCP: Interfaces\{9E3725C9-9785-4641-AB27-3C257B07A781} : DHCPNameServer = 167.206.254.1 167.206.254.2
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ray\application data\mozilla\firefox\profiles\6cr6okv0.default\
FF - prefs.js: browser.search.selectedEngine - Delta Search
FF - prefs.js: browser.startup.homepage - hxxp://www.delta-search.com/?affID=119776&tt=050412_30b&babsrc=HP_ss&mntrId=1fde8a400000000000000022152aced0
FF - prefs.js: network.proxy.type - 4
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\ray\application data\mozilla\firefox\profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39:40
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [2011-5-6 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2013-1-26 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2013-1-26 40648]
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2012-6-19 136024]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-3-7 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2013-1-26 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2013-1-26 185672]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-11-24 586584]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-11-24 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-12 18816]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe -r --> c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe -r [?]
R2 EaseUS Agent;EaseUS Agent Service;c:\program files\easeus\todo backup\bin\Agent.exe [2013-1-26 68168]
R2 Guard Agent;Guard Agent Service;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2013-1-26 23624]
R2 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [1999-12-31 664424]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-3-12 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-3-12 1369624]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2012-6-27 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-11-24 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-11-24 24920]
R3 SbieDrv;SbieDrv;d:\program files\sandboxie\SbieDrv.sys [2012-12-16 157776]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S2 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\google\update\GoogleUpdate.exe [2011-3-6 136176]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-3-12 168384]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-2-1 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2011-2-1 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-12-29 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-12-29 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-12-29 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-12-29 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-12-29 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-12-29 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2013-1-27 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-12-21 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-12-21 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-10-10 34432]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-3-8 35144]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-10-10 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-13 30576]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-1-14 13024]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 AZULWXOPZZH;AZULWXOPZZH;c:\docume~1\ray\locals~1\temp\azulwxopzzh.exe --> c:\docume~1\ray\locals~1\temp\AZULWXOPZZH.exe [?]
S4 TSJSRS;TSJSRS;c:\docume~1\ray\locals~1\temp\tsjsrs.exe --> c:\docume~1\ray\locals~1\temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\ray\locals~1\temp\zwkkqgf.exe --> c:\docume~1\ray\locals~1\temp\ZWKKQGF.exe [?]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
ShellExec: CORELPNT.EXE: CANCEL=c:\corel40\programs\CORELPNT.EXE
ShellExec: CORELPNT.EXE: OPEN=c:\corel40\programs\CORELPNT.EXE
ShellExec: CORELPNT.EXE: PRINT=c:\corel40\programs\CORELPNT.EXE
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-03-13 14:53:55 12928 ------w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-13 14:53:55 12928 ------w- c:\windows\system32\dllcache\usb8023.sys
2013-03-12 14:21:49 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2013-03-12 14:21:24 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-03-12 00:16:58 8461312 ------w- c:\windows\system32\dllcache\shell32.dll
2013-03-10 20:31:06 -------- d-----w- C:\Sophos
2013-03-09 00:22:39 -------- d-----w- C:\Escort
2013-03-08 23:42:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-03-08 23:42:22 -------- d-----w- c:\windows\system32\wbem\Repository
2013-03-08 23:36:06 -------- d-----w- c:\program files\PC HealthBoost
2013-03-08 19:30:33 -------- d-sh--w- c:\windows\Installer
2013-03-08 16:58:20 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-03-08 04:34:24 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-08 04:34:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)
2013-03-08 04:34:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-08 00:19:13 630272 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2013-03-08 00:19:13 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2013-03-08 00:19:12 247808 ----a-w- c:\windows\system32\dllcache\ieproxy.dll
2013-03-08 00:19:12 12800 ----a-w- c:\windows\system32\dllcache\xpshims.dll
2013-03-08 00:19:11 743424 ----a-w- c:\windows\system32\dllcache\iedvtool.dll
2013-03-08 00:19:11 522240 ----a-w- c:\windows\system32\dllcache\jsdbgui.dll
2013-03-08 00:19:11 2004992 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2013-03-08 00:19:09 11111424 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2013-03-07 20:48:36 -------- d-----r- C:\Sandbox
2013-03-07 18:46:02 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-03-07 17:15:49 -------- d-----w- c:\documents and settings\ray\DoctorWeb
2013-03-07 17:11:45 52232 ----a-w- c:\windows\system32\drivers\REGSYS701.SYS
2013-03-07 15:54:05 -------- d-----w- C:\Deleted Autoruns
.
==================== Find3M ====================
.
2013-03-09 20:16:21 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-09 20:16:21 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 23:02:02 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-27 19:08:13 16473456 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05:46 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05:46 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53:57 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36:28 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35:50 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35:38 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35:34 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35:28 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35:24 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02:53 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02:53 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19:45 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-12-21 22:20:40 2468520 ----a-w- c:\windows\system32\BootMan.exe
2012-12-21 18:54:00 13896 ----a-w- c:\windows\system32\epmntdrv.sys
2012-12-21 18:53:58 9160 ----a-w- c:\windows\system32\EuGdiDrv.sys
2012-12-21 18:53:58 87112 ----a-w- c:\windows\system32\setupempdrv03.exe
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 15:53:48.35 ===============
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-03-13 16:00:21
-----------------------------
16:00:21.437 OS Version: Windows 5.1.2600 Service Pack 3
16:00:21.437 Number of processors: 2 586 0x403
16:00:21.437 ComputerName: RIGHTWINXP UserName: Ray
16:00:31.265 Initialize success
16:02:41.437 AVAST engine defs: 13031301
16:03:12.015 Disk 0 \Device\Harddisk0\DR0 -> \Device\00000083
16:03:12.015 Disk 0 Vendor: ST3500630AS 3.AAE Size: 476940MB BusType: 3
16:03:12.031 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000084
16:03:12.031 Disk 1 Vendor: SAMSUNG_HD103SI 1AG01118 Size: 953869MB BusType: 3
16:03:12.031 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000087
16:03:12.031 Disk 2 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
16:03:12.031 Disk 3 \Device\Harddisk3\DR3 -> \Device\Scsi\JRAID1Port4Path0Target0Lun0
16:03:12.031 Disk 3 Vendor: SATA____ Size: 953869MB BusType: 1
16:03:12.031 Disk 4 (boot) \Device\Harddisk4\DR4 -> \Device\Scsi\asahxp321Port5Path0Target0Lun0
16:03:12.031 Disk 4 Vendor: KINGSTON 502A Size: 114473MB BusType: 3
16:03:12.046 Disk 4 MBR read successfully
16:03:12.046 Disk 4 MBR scan
16:03:12.046 Disk 4 Windows 7 default MBR code
16:03:12.046 Disk 4 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114472 MB offset 63
16:03:12.062 Disk 4 scanning sectors +234440759
16:03:12.078 Disk 4 scanning C:\WINDOWS\system32\drivers
16:03:24.109 Service scanning
16:03:31.765 Service KL1 C:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5
16:03:31.875 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5
16:03:31.906 Service klkbdflt C:\WINDOWS\system32\DRIVERS\klkbdflt.sys **LOCKED** 5
16:03:31.921 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5
16:03:31.937 Service kltdi C:\WINDOWS\system32\DRIVERS\kltdi.sys **LOCKED** 5
16:03:31.984 Service kneps C:\WINDOWS\system32\DRIVERS\kneps.sys **LOCKED** 5
16:03:42.937 Modules scanning
16:03:46.406 Disk 4 trace - called modules:
16:03:46.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll asahxp32.sys
16:03:46.421 1 nt!IofCallDriver -> \Device\Harddisk4\DR4[0x8b2e3030]
16:03:46.421 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\Scsi\asahxp321Port5Path0Target0Lun0[0x8b2d2030]
16:03:46.843 AVAST engine scan C:\WINDOWS
16:03:51.593 AVAST engine scan C:\WINDOWS\system32
16:07:32.765 AVAST engine scan C:\WINDOWS\system32\drivers
16:07:53.453 AVAST engine scan C:\Documents and Settings\Ray
16:15:11.843 File: C:\Documents and Settings\Ray\My Documents\Diagnostic Tools\Security Tool Service Killer\rkill.com **INFECTED** Win32:Malware-gen
16:19:08.515 AVAST engine scan C:\Documents and Settings\All Users
16:21:23.359 Scan finished successfully
17:18:19.328 Disk 4 MBR has been saved successfully to "C:\Documents and Settings\Ray\Desktop\DISINFECTION TOOLS 3-12-2013\AswMBR\MBR.dat"
17:18:19.343 The log file has been saved successfully to "C:\Documents and Settings\Ray\Desktop\DISINFECTION TOOLS 3-12-2013\AswMBR\aswMBR.txt"
An infection that I may have found???
Hi Shelf Life,
Thanks for your response. I would not mind redoing the scans or whatever u may suggest. Just link me up and give me the directions and off I will go...!!! But first, after a week of running things and investigating logs and burning out Google, I found that by DESELECTING "BMGX" in my System Configuration Utility (XP Pro) Services tab, that my box now "appears" to be running well. My investigations suggest this being a Trojan but I don't know what kind nor how to figure it out and completely remove it. As of now it is just disabled. So I will gladly wait for and follow your advice. Could a ROOTKIT be the issue????
Ray
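The S4 lines in the DDS log above (services whose image sits in the user's Temp folder and which DDS marked with "[?]" because it could not verify the file) are the kind of entry a removal helper looks at before anything else, and they are the same sort of entry Ray found by disabling "BMGX" in the Services tab. The script below is an added example, not part of the thread and not code from the DDS tool: it parses the SERVICES / DRIVERS section and flags entries on three defender-side signals (image under a temp directory, unverified file, pseudo-random all-caps name). The sample lines are copied from the log in the first post; the regex, the reading of the R/S prefix and start-type digit, and the heuristics are my assumptions about the DDS line format, and the name heuristic in particular will produce false positives on terse vendor driver names, so its output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: lines taken from the DDS "SERVICES / DRIVERS" section in the
# first post, plus the section header and a "." spacer to show they are skipped.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [2011-5-6 41696]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-11-24 586584]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe -r --> c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe -r [?]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S2 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\google\update\GoogleUpdate.exe [2011-3-6 136176]
S4 AZULWXOPZZH;AZULWXOPZZH;c:\docume~1\ray\locals~1\temp\azulwxopzzh.exe --> c:\docume~1\ray\locals~1\temp\AZULWXOPZZH.exe [?]
S4 TSJSRS;TSJSRS;c:\docume~1\ray\locals~1\temp\tsjsrs.exe --> c:\docume~1\ray\locals~1\temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\ray\locals~1\temp\zwkkqgf.exe --> c:\docume~1\ray\locals~1\temp\ZWKKQGF.exe [?]
"""

# Assumed DDS line layout:  <R|S><start> <name>;<display>;<image> [<date size> | ?]
# R = running, S = stopped; the digit is the Windows start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
START_TYPE = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# A persistent service image has no business living in a writable temp directory.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str        # "R" running / "S" stopped
    start_type: int   # see START_TYPE
    name: str
    display: str
    image: str        # resolved image path (right-hand side of "-->" if present)
    verified: bool    # False when DDS printed "[?]" instead of "[date size]"


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Return one ServiceEntry per service/driver line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image")
        # DDS prints "registry value --> resolved path" when the two differ; keep the resolved one.
        if "-->" in image:
            image = image.split("-->", 1)[1].strip()
        entries.append(ServiceEntry(
            state=m.group("state"),
            start_type=int(m.group("start")),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            image=image,
            verified=(m.group("meta").strip() != "?"),
        ))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[ServiceEntry, List[str]]]:
    """Pair each entry with the reasons it deserves a second look; strongest (most reasons) first."""
    flagged = []
    for e in entries:
        reasons = []
        if TEMP_DIR_RE.search(e.image):
            reasons.append("image lives under a user temp directory")
        if not e.verified:
            reasons.append("DDS could not locate or verify the image file ([?])")
        # Heuristic only: auto-generated droppers often register an all-caps random
        # string as both service name and display name.  Short vendor names can trip it.
        if e.name == e.display and e.name.isalpha() and e.name.isupper() and len(e.name) >= 5:
            reasons.append("service name is an all-caps pseudo-random string reused as display name")
        if reasons:
            flagged.append((e, reasons))
    flagged.sort(key=lambda item: (-len(item[1]), item[0].name))
    return flagged


def report(text: str) -> List[str]:
    """Human-readable review list, one line per flagged entry."""
    lines = []
    for e, reasons in triage(parse_dds_services(text)):
        state = "running" if e.state == "R" else "stopped"
        lines.append(f"{e.name} ({state}, start={START_TYPE[e.start_type]}) {e.image}: " + "; ".join(reasons))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DDS):
        print(line)
```

Run it against a saved DDS log by reading the file into `report()`; the three Temp-folder services come out on top with all three reasons, while AVP and fnvu appear lower with only the "[?]" reason, which on its own is weak evidence (AVP is legitimate and is unverified only because of its `-r` switch).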
ComboFix with CFScript.txt LOG
Question....
Should I duplicate running this procedure under the other profiles on the machine or did the infection/threat affect only "my" profile?
Thank you
Ray
Standing by awaiting further instructions....
Below is the log of ComboFix AFTER running the CFScript.txt file:
ComboFix 13-03-21.02 - Ray 03/23/2013 9:38.25.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2130 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
FILE ::
"c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
c:\windows\system32\drivers\RKHit.sys
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AZULWXOPZZH
-------\Service_AZULWXOPZZH
.
.
((((((((((((((((((((((((( Files Created from 2013-02-23 to 2013-03-23 )))))))))))))))))))))))))))))))
.
.
2013-03-22 14:42 . 2013-03-22 15:20 -------- d-----w- C:\ComboFix Logs 3-22-2013
2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
CProcess.exe [2008-5-22 36352]
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
del_temp.vbs [2012-2-23 1914]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SpyHunter 4 Service"=2 (0x2)
"SDWSCService"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDScannerService"=2 (0x2)
"SbieSvc"=2 (0x2)
"ose"=3 (0x3)
"NVWMI"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MSCamSvc"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c987ea6b15f84e"=2 (0x2)
"gupdate"=2 (0x2)
"Guard Agent"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EaseUS Agent"=2 (0x2)
"DWMRCS"=2 (0x2)
"CTAudSvcService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Media Toolbox 6 Licensing Service"=3 (0x3)
"Creative Audio Engine Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"Adobe LM Service"=2 (0x2)
"BMGXXXXXXXX"=3 (0x3)
"BMGX"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"6346:TCP"= 6346:TCP:Limewire
"6346:UDP"= 6346:UDP:Limewire
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
.
2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-03-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
.
2013-03-23 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
.
2013-03-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
.
2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
.
2013-03-23 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-23 09:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1268)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(6764)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Nero\SMC\NeroDigitalExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\locator.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\documents and settings\Ray\Start Menu\Programs\Startup\CProcess.exe
c:\windows\StartupMonitor.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2013-03-23 09:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-23 13:59
ComboFix2.txt 2013-03-22 15:19
ComboFix3.txt 2013-03-22 14:54
ComboFix4.txt 2013-03-20 19:57
ComboFix5.txt 2013-03-23 13:34
.
Pre-Run: 49,056,907,264 bytes free
Post-Run: 49,029,246,976 bytes free
.
- - End Of File - - CCF20F4E5031F064D088914B8296D095
Services trying to re-load/re-start
Hi,
We are missing the file that is kicking off the reload/restart of 2 of the files in services and drivers we deleted with the above text file/ComboFix. See attached screen shots of messages I intercepted during the start-up attempt and a shot of my temp folder and temp folder locked files. Could any of the "locked" keys in the registry be causing this? >>>HELP<<<
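Added example (not part of the post above, and not ComboFix's or DDS's own code): a small Python triage of the `R?`/`S?` service and driver lines in a ComboFix log, so the entries that deserve a second look can be pulled out of a long log mechanically instead of by eye. It assumes the usual reading of that format, which the page itself does not spell out: the leading letter is the current state (R = running, S = stopped), the digit is the Windows start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and a trailing `[?]` where ComboFix normally prints a date and size means it could not find the image on disk. The sample input is a constructed subset of the lines from the log above, copied unchanged.

```python
"""Triage the service/driver lines of a ComboFix log.

Assumed format (see lead-in): "<R|S><start> name;display;path [date size]"
or "... path --> path [?]" when the image could not be found.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the service/driver lines from the log
# above, unchanged, so the parser runs against the real layout.
SAMPLE_LOG = r"""
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
"""

# state letter + start type, then the rest of the line
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<rest>.+)$")
# "path [info]" or "path --> resolved-path [info]"
TAIL_RE = re.compile(r"^(?P<path>.+?)(?:\s-->\s(?P<resolved>.+?))?\s\[(?P<info>[^\]]*)\]$")
# any path component named Temp or tmp (matches LOCALS~1\Temp\ too)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_service_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one service/driver line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").split(";", 2)  # name ; display name ; path [info]
    if len(parts) != 3:
        return None
    t = TAIL_RE.match(parts[2])
    if not t:
        return None
    return {
        "state": m.group("state"),
        "start": m.group("start"),
        "name": parts[0],
        "display": parts[1],
        "path": t.group("path"),
        "resolved": t.group("resolved") or t.group("path"),
        "info": t.group("info").strip(),
    }


def triage(log_text: str) -> List[Dict[str, object]]:
    """Flag entries whose image is missing, lives in Temp, or both."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = []
        missing = svc["info"] == "?"
        if missing:
            reasons.append("image not found on disk ([?] instead of date/size)")
        if TEMP_RE.search(svc["path"]):
            reasons.append("image path is under a Temp directory")
        if missing and svc["start"] in ("0", "1"):
            reasons.append("boot/system-start (type 0/1) driver with a missing image")
        if reasons:
            findings.append({**svc, "reasons": reasons})
    return findings


def format_report(findings: List[Dict[str, object]]) -> str:
    """One block per flagged entry, in log order."""
    out = []
    for f in findings:
        out.append(f"{f['state']}{f['start']} {f['name']}  ({f['path']})")
        for r in f["reasons"]:
            out.append(f"    - {r}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run on the sample it flags `fnvu` (a boot-start driver whose `behy.sys` is gone) and the three disabled services whose binaries were in the user's Temp folder; the normal Kaspersky, EaseUS, LifeCam and Creative entries are parsed but not reported. The same regexes can be pointed at a full ComboFix.txt because every other line type (tasks, registry keys, file lists) fails `LINE_RE` and is skipped.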