
Thread: An infection that I can't find.

  1. #1
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    An infection that I can't find.

    Hello,
    New to this forum.
    I am infected with something which I cannot seem to find. I am hoping someone can assist me with locating this/these infections and ridding my box of them. I am running Win XP SP3 and current on all patches. I have run Kaspersky scans (full, vulnerability, critical area and root kit), Sophos stand alone (Sav32cli), SB Search n Destroy 2, RootAlyzer, SuperAntiSpyware, HijackThis, Combofix and MalwareBytes....all with current updates....with no significant results. I have run these all under normal boot and some under safe mode with no difference in results. After a boot-up, box runs good but eventually slows to a crawl with CPU usage at 100%. Running a manual Windows Update will take a LONG time to complete. I have to wait about 30 seconds when creating a new folder, in order to give it a name. I am a presently unemployed desktop support analyst and have a lot of disinfecting experience, but this one, being on my own personal box, is REALLY making me feel incompetent!!! I have backups, but they are infected as well so I can't just restore. It would be a simple re-image normally, but I can't do that with my box....much too much stuff on it. I would greatly appreciate your assistance with this one. Thanks in advance for your hopeful assistance. Below are the requested logs:


    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_38
    Run by Ray at 15:52:50 on 2013-03-13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2056 [GMT -4:00]
    .
    AV: Kaspersky Anti-Virus *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Anti-Virus *Disabled*
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\nvwmi.exe
    D:\Program Files\Sandboxie\SbieSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
    C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    D:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\locator.exe
    D:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\SYSTEM32\DWRCST.exe
    D:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
    C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
    D:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Sandboxie\SbieCtrl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
    C:\Program Files\HyperSnap-DX 5\HprSnap5.exe
    C:\Program Files\Plextor\PlexUTILITIES\PlexRadar.exe
    C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
    C:\Program Files\Efficient Reminder Free\EfficientReminderFree.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\nvwmi.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k WINRM
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.optimum.net/
    mStart Page = about:blank
    uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
    BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy 2\SDHelper.dll
    BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
    BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\urladvisor\klwtbbho.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SandboxieControl] "d:\program files\sandboxie\SbieCtrl.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"
    mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe"
    mRun: [SDTray] "d:\program files\spybot - search & destroy 2\SDTray.exe"
    StartupFolder: c:\docume~1\ray\startm~1\programs\startup\effici~1.lnk - c:\program files\efficient reminder free\EfficientReminderFree.exe
    StartupFolder: c:\docume~1\ray\startm~1\programs\startup\erunta~1.lnk - d:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\ray\startm~1\programs\startup\plexra~1.lnk - c:\program files\plextor\plexutilities\PlexRadar.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\del_temp.vbs
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hypers~1.lnk - c:\program files\hypersnap-dx 5\HprSnap5.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\plexra~1.lnk - c:\program files\plextor\plexutilities\PlexRadar.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\watch.lnk - c:\program files\mustek 1200 ub plus\driver\WATCH.exe
    uPolicies-Explorer: NoWindowsUpdate = dword:0
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:383
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoWindowsUpdate = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy 2\SDHelper.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1296519865546
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1362800798828
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1353104195093
    DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
    TCP: NameServer = 167.206.254.2 167.206.254.1
    TCP: Interfaces\{9C3AA36C-E157-4013-9946-690262E89D96} : DHCPNameServer = 167.206.254.2 167.206.254.1
    TCP: Interfaces\{9E3725C9-9785-4641-AB27-3C257B07A781} : DHCPNameServer = 167.206.254.1 167.206.254.2
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: klogon - c:\windows\system32\klogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\ray\application data\mozilla\firefox\profiles\6cr6okv0.default\
    FF - prefs.js: browser.search.selectedEngine - Delta Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.delta-search.com/?affID=119776&tt=050412_30b&babsrc=HP_ss&mntrId=1fde8a400000000000000022152aced0
    FF - prefs.js: network.proxy.type - 4
    FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
    FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\ray\application data\mozilla\firefox\profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
    FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.delta.tlbrSrchUrl -
    FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
    FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
    FF - user.js: extensions.delta.instlDay - 15750
    FF - user.js: extensions.delta.vrsn - 1.8.10.0
    FF - user.js: extensions.delta.vrsni - 1.8.10.0
    FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39:40
    FF - user.js: extensions.delta.prtnrId - delta
    FF - user.js: extensions.delta.prdct - delta
    FF - user.js: extensions.delta.aflt - babsst
    FF - user.js: extensions.delta.smplGrp - none
    FF - user.js: extensions.delta.tlbrId - base
    FF - user.js: extensions.delta.instlRef - sst
    FF - user.js: extensions.delta.dfltLng - en
    FF - user.js: extensions.delta.excTlbr - false
    FF - user.js: extensions.delta.admin - false
    FF - user.js: extensions.delta.autoRvrt - false
    FF - user.js: extensions.delta.rvrt - false
    FF - user.js: extensions.delta.newTab - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [2011-5-6 41696]
    R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2013-1-26 50248]
    R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2013-1-26 40648]
    R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2012-6-19 136024]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-3-7 33112]
    R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2013-1-26 14920]
    R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2013-1-26 185672]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-11-24 586584]
    R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-11-24 43608]
    R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-12 18816]
    R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe -r --> c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe -r [?]
    R2 EaseUS Agent;EaseUS Agent Service;c:\program files\easeus\todo backup\bin\Agent.exe [2013-1-26 68168]
    R2 Guard Agent;Guard Agent Service;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2013-1-26 23624]
    R2 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [1999-12-31 664424]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-3-12 1103392]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-3-12 1369624]
    R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2012-6-27 35672]
    R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-11-24 24408]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-11-24 24920]
    R3 SbieDrv;SbieDrv;d:\program files\sandboxie\SbieDrv.sys [2012-12-16 157776]
    S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
    S2 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\google\update\GoogleUpdate.exe [2011-3-6 136176]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-3-12 168384]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-2-1 79360]
    S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2011-2-1 79360]
    S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-12-29 171032]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-12-29 171032]
    S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-12-29 1324056]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-12-29 1324056]
    S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-12-29 72728]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-12-29 72728]
    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2013-1-27 23456]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-12-21 13896]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-12-21 9160]
    S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-10-10 34432]
    S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-3-8 35144]
    S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-10-10 25088]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-13 30576]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-1-14 13024]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S4 AZULWXOPZZH;AZULWXOPZZH;c:\docume~1\ray\locals~1\temp\azulwxopzzh.exe --> c:\docume~1\ray\locals~1\temp\AZULWXOPZZH.exe [?]
    S4 TSJSRS;TSJSRS;c:\docume~1\ray\locals~1\temp\tsjsrs.exe --> c:\docume~1\ray\locals~1\temp\TSJSRS.exe [?]
    S4 ZWKKQGF;ZWKKQGF;c:\docume~1\ray\locals~1\temp\zwkkqgf.exe --> c:\docume~1\ray\locals~1\temp\ZWKKQGF.exe [?]
    .
    =============== File Associations ===============
    .
    FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
    ShellExec: CORELPNT.EXE: CANCEL=c:\corel40\programs\CORELPNT.EXE
    ShellExec: CORELPNT.EXE: OPEN=c:\corel40\programs\CORELPNT.EXE
    ShellExec: CORELPNT.EXE: PRINT=c:\corel40\programs\CORELPNT.EXE
    ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe", "%1"
    .
    =============== Created Last 30 ================
    .
    2013-03-13 14:53:55 12928 ------w- c:\windows\system32\dllcache\usb8023x.sys
    2013-03-13 14:53:55 12928 ------w- c:\windows\system32\dllcache\usb8023.sys
    2013-03-12 14:21:49 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2013-03-12 14:21:24 15224 ----a-w- c:\windows\system32\sdnclean.exe
    2013-03-12 00:16:58 8461312 ------w- c:\windows\system32\dllcache\shell32.dll
    2013-03-10 20:31:06 -------- d-----w- C:\Sophos
    2013-03-09 00:22:39 -------- d-----w- C:\Escort
    2013-03-08 23:42:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2013-03-08 23:42:22 -------- d-----w- c:\windows\system32\wbem\Repository
    2013-03-08 23:36:06 -------- d-----w- c:\program files\PC HealthBoost
    2013-03-08 19:30:33 -------- d-sh--w- c:\windows\Installer
    2013-03-08 16:58:20 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2013-03-08 04:34:24 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-03-08 04:34:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)
    2013-03-08 04:34:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-03-08 00:19:13 630272 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
    2013-03-08 00:19:13 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
    2013-03-08 00:19:12 247808 ----a-w- c:\windows\system32\dllcache\ieproxy.dll
    2013-03-08 00:19:12 12800 ----a-w- c:\windows\system32\dllcache\xpshims.dll
    2013-03-08 00:19:11 743424 ----a-w- c:\windows\system32\dllcache\iedvtool.dll
    2013-03-08 00:19:11 522240 ----a-w- c:\windows\system32\dllcache\jsdbgui.dll
    2013-03-08 00:19:11 2004992 ----a-w- c:\windows\system32\dllcache\iertutil.dll
    2013-03-08 00:19:09 11111424 ----a-w- c:\windows\system32\dllcache\ieframe.dll
    2013-03-07 20:48:36 -------- d-----r- C:\Sandbox
    2013-03-07 18:46:02 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-03-07 17:15:49 -------- d-----w- c:\documents and settings\ray\DoctorWeb
    2013-03-07 17:11:45 52232 ----a-w- c:\windows\system32\drivers\REGSYS701.SYS
    2013-03-07 15:54:05 -------- d-----w- C:\Deleted Autoruns
    .
    ==================== Find3M ====================
    .
    2013-03-09 20:16:21 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-03-09 20:16:21 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-03-08 23:02:02 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2013-02-27 19:08:13 16473456 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
    2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet.dll
    2013-02-05 20:05:46 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-02-05 20:05:46 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-02-05 05:53:57 385024 ----a-w- c:\windows\system32\html.iec
    2013-01-28 02:36:28 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
    2013-01-26 04:35:50 19528 ----a-w- c:\windows\system32\fbnative.exe
    2013-01-26 04:35:38 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
    2013-01-26 04:35:34 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
    2013-01-26 04:35:28 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
    2013-01-26 04:35:24 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
    2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
    2013-01-25 16:02:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2013-01-25 16:02:53 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-01-25 16:02:53 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-07 01:19:45 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-01-07 00:37:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys
    2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax
    2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll
    2012-12-21 22:20:40 2468520 ----a-w- c:\windows\system32\BootMan.exe
    2012-12-21 18:54:00 13896 ----a-w- c:\windows\system32\epmntdrv.sys
    2012-12-21 18:53:58 9160 ----a-w- c:\windows\system32\EuGdiDrv.sys
    2012-12-21 18:53:58 87112 ----a-w- c:\windows\system32\setupempdrv03.exe
    2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 15:53:48.35 ===============




    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2013-03-13 16:00:21
    -----------------------------
    16:00:21.437 OS Version: Windows 5.1.2600 Service Pack 3
    16:00:21.437 Number of processors: 2 586 0x403
    16:00:21.437 ComputerName: RIGHTWINXP UserName: Ray
    16:00:31.265 Initialize success
    16:02:41.437 AVAST engine defs: 13031301
    16:03:12.015 Disk 0 \Device\Harddisk0\DR0 -> \Device\00000083
    16:03:12.015 Disk 0 Vendor: ST3500630AS 3.AAE Size: 476940MB BusType: 3
    16:03:12.031 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000084
    16:03:12.031 Disk 1 Vendor: SAMSUNG_HD103SI 1AG01118 Size: 953869MB BusType: 3
    16:03:12.031 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000087
    16:03:12.031 Disk 2 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
    16:03:12.031 Disk 3 \Device\Harddisk3\DR3 -> \Device\Scsi\JRAID1Port4Path0Target0Lun0
    16:03:12.031 Disk 3 Vendor: SATA____ Size: 953869MB BusType: 1
    16:03:12.031 Disk 4 (boot) \Device\Harddisk4\DR4 -> \Device\Scsi\asahxp321Port5Path0Target0Lun0
    16:03:12.031 Disk 4 Vendor: KINGSTON 502A Size: 114473MB BusType: 3
    16:03:12.046 Disk 4 MBR read successfully
    16:03:12.046 Disk 4 MBR scan
    16:03:12.046 Disk 4 Windows 7 default MBR code
    16:03:12.046 Disk 4 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114472 MB offset 63
    16:03:12.062 Disk 4 scanning sectors +234440759
    16:03:12.078 Disk 4 scanning C:\WINDOWS\system32\drivers
    16:03:24.109 Service scanning
    16:03:31.765 Service KL1 C:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5
    16:03:31.875 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5
    16:03:31.906 Service klkbdflt C:\WINDOWS\system32\DRIVERS\klkbdflt.sys **LOCKED** 5
    16:03:31.921 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5
    16:03:31.937 Service kltdi C:\WINDOWS\system32\DRIVERS\kltdi.sys **LOCKED** 5
    16:03:31.984 Service kneps C:\WINDOWS\system32\DRIVERS\kneps.sys **LOCKED** 5
    16:03:42.937 Modules scanning
    16:03:46.406 Disk 4 trace - called modules:
    16:03:46.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll asahxp32.sys
    16:03:46.421 1 nt!IofCallDriver -> \Device\Harddisk4\DR4[0x8b2e3030]
    16:03:46.421 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\Scsi\asahxp321Port5Path0Target0Lun0[0x8b2d2030]
    16:03:46.843 AVAST engine scan C:\WINDOWS
    16:03:51.593 AVAST engine scan C:\WINDOWS\system32
    16:07:32.765 AVAST engine scan C:\WINDOWS\system32\drivers
    16:07:53.453 AVAST engine scan C:\Documents and Settings\Ray
    16:15:11.843 File: C:\Documents and Settings\Ray\My Documents\Diagnostic Tools\Security Tool Service Killer\rkill.com **INFECTED** Win32:Malware-gen
    16:19:08.515 AVAST engine scan C:\Documents and Settings\All Users
    16:21:23.359 Scan finished successfully
    17:18:19.328 Disk 4 MBR has been saved successfully to "C:\Documents and Settings\Ray\Desktop\DISINFECTION TOOLS 3-12-2013\AswMBR\MBR.dat"
    17:18:19.343 The log file has been saved successfully to "C:\Documents and Settings\Ray\Desktop\DISINFECTION TOOLS 3-12-2013\AswMBR\aswMBR.txt"
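    As an added example (not part of this thread and not code from DDS or any other tool the poster ran), the following Python script parses lines in the DDS "SERVICES / DRIVERS" format and flags the patterns a helper reads first in a log like the one above: the image file could not be found (DDS prints "[?]"), the image path sits in a temp directory, and the entry has no descriptive display name. The sample lines are constructed from entries in the posted log; the regular expression and the flagging heuristics are my assumptions about the format, not DDS's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "SERVICES / DRIVERS" shape of a DDS log. The
# entries mirror lines from the log posted above; the selection is mine.
SAMPLE_DDS_SERVICES = r"""
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-11-24 586584]
R3 SbieDrv;SbieDrv;d:\program files\sandboxie\SbieDrv.sys [2012-12-16 157776]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S4 AZULWXOPZZH;AZULWXOPZZH;c:\docume~1\ray\locals~1\temp\azulwxopzzh.exe --> c:\docume~1\ray\locals~1\temp\AZULWXOPZZH.exe [?]
S4 TSJSRS;TSJSRS;c:\docume~1\ray\locals~1\temp\tsjsrs.exe --> c:\docume~1\ray\locals~1\temp\TSJSRS.exe [?]
"""

# Assumed line layout (derived from the log, not documented by DDS):
#   <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
# When the file cannot be found DDS prints "<path> --> <path> [?]" instead.
_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str        # "R1" = running, system start; "S4" = stopped, disabled
    name: str
    display: str
    path: str         # resolved image path (right-hand side of "-->" if present)
    file_found: bool  # False when DDS printed "[?]"


@dataclass
class Finding:
    name: str
    path: str
    reasons: list


def parse_dds_service(line):
    """Return a ServiceEntry for one DDS service line, or None if it does not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    state, name, display, path, stamp = m.groups()
    if "-->" in path:
        path = path.split("-->")[-1].strip()
    return ServiceEntry(state, name, display, path, file_found=(stamp != "?"))


def triage(text):
    """Flag service entries worth a closer look; returns them in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_dds_service(line)
        if entry is None:
            continue
        reasons = []
        if not entry.file_found:
            # A registered service whose binary is gone: either a leftover
            # registration or a payload that removed itself after running.
            reasons.append("file missing")
        if re.search(r"\\temp\\", entry.path, re.I):
            # Legitimate services are practically never installed from %TEMP%.
            reasons.append("temp directory")
        if reasons and entry.display == entry.name:
            # Vendors give services readable display names; a bare repeat of the
            # key is only reported together with another flag to limit noise.
            reasons.append("no descriptive display name")
        if reasons:
            findings.append(Finding(entry.name, entry.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_SERVICES):
        print(f"{f.name:<14} {f.path}")
        print(f"    {', '.join(f.reasons)}")
```

Run against the sample it reports fnvu, AZULWXOPZZH and TSJSRS and leaves the Kaspersky and Sandboxie drivers alone; the flags only prioritise what to check next (service registry key, file timestamps, signer), they are not a verdict.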

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    hi rdomingu,

    From the tools you have run already there's not much left to run, other than repeating it.
    Usually malware will present different signs other than just slowing to a crawl as you describe, after all it needs and wants a somewhat functioning computer to be successful.
    What I am getting at is not all problems are malware related. Could be a software or hardware issue. It becomes a process of elimination.
    We can repeat running some tools as a check for malware if you want. If all looks good then you should visit another forum.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    An infection that I may have found???

    Hi Shelf Life,
    Thanks for your response. I would not mind redoing the scans or whatever you may suggest. Just link me up and give me the directions and off I will go...!!! But first, after a week of running things and investigating logs and burning out Google, I found that by DESELECTING "BMGX" in my System Configuration Utility (XP Pro) Services tab, that my box now "appears" to be running well. My investigations suggest this being a Trojan but I don't know what kind nor how to figure it out and completely remove it. As of now it is just disabled. So I will gladly wait for and follow your advice. Could a ROOTKIT be the issue????

    Ray

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    hi,

    Ok. Let's see if combofix can dig up anything. Double click the icon and if an update is available it will update then run. When it's done you can save the log file and copy/paste it in your reply. You can also find a copy in your root drive, usually C:\ combofix.txt
    Before you use it you should read through the guide.
    How Can I Reduce My Risk?

  5. #5
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    I see no ICON

    Quote Originally Posted by shelf life View Post
    hi,

    Ok. Let's see if combofix can dig up anything. Double click the icon and if an update is available it will update then run. When it's done you can save the log file and copy/paste it in your reply. You can also find a copy in your root drive, usually C:\ combofix.txt
    Before you use it you should read through the guide.
    I see no ICON

  6. #6
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    Combofix Log

    Hi,
    I ran 3 logs. 1 as administrator in safe mode, 1 using my profile as "ray" in safe mode and the final one using my profile as "ray" in normal boot mode still with the "BMGX" service disabled. Below are the results of # 3 and attached are the results of 1 & 2. Hope they are helpful.

    Thanks,
    Ray


    As "ray" in normal boot mode:

    ComboFix 13-03-21.02 - Ray 03/22/2013 11:08:57.24.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2312 [GMT -4:00]
    Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
    AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-22 to 2013-03-22 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-22 14:42 . 2013-03-22 14:55 -------- d-----w- C:\ComboFix Logs 3-22-2013
    2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
    2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
    2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
    2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
    2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
    2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
    2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
    2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
    2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
    2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
    2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
    2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
    2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
    2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
    2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
    2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
    2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
    2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
    2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
    2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
    2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
    "EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
    "EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
    .
    c:\documents and settings\Ray\Start Menu\Programs\Startup\
    CProcess.exe [2008-5-22 36352]
    Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
    PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    del_temp.vbs [2012-2-23 1914]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
    PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
    Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
    2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
    2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "SpyHunter 4 Service"=2 (0x2)
    "SDWSCService"=2 (0x2)
    "SDUpdateService"=2 (0x2)
    "SDScannerService"=2 (0x2)
    "SbieSvc"=2 (0x2)
    "ose"=3 (0x3)
    "NVWMI"=2 (0x2)
    "NVSvc"=2 (0x2)
    "Nero BackItUp Scheduler 4.0"=2 (0x2)
    "MSCamSvc"=2 (0x2)
    "MozillaMaintenance"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=2 (0x2)
    "gupdatem"=3 (0x3)
    "gupdate1c987ea6b15f84e"=2 (0x2)
    "gupdate"=2 (0x2)
    "Guard Agent"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)
    "EaseUS Agent"=2 (0x2)
    "DWMRCS"=2 (0x2)
    "CTAudSvcService"=2 (0x2)
    "Creative Service for CDROM Access"=2 (0x2)
    "Creative Media Toolbox 6 Licensing Service"=3 (0x3)
    "Creative Audio Engine Licensing Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "AdobeFlashPlayerUpdateSvc"=3 (0x3)
    "Adobe LM Service"=2 (0x2)
    "BMGXXXXXXXX"=3 (0x3)
    "BMGX"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\SoulseekNS\\slsk.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "6346:TCP"= 6346:TCP:Limewire
    "6346:UDP"= 6346:UDP:Limewire
    .
    R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
    R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
    R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
    R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
    R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
    R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
    R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
    R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
    S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
    S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
    S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
    S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
    S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
    S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
    S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
    S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    S4 AZULWXOPZZH;AZULWXOPZZH;c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe --> c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe [?]
    S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
    S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
    S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
    S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
    S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
    S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
    S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
    S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
    S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
    S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
    S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
    S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
    S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-22 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
    .
    2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2013-03-22 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
    .
    2013-03-22 c:\windows\Tasks\GlaryInitialize.job
    - d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
    .
    2013-03-21 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
    .
    2013-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
    .
    2013-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
    .
    2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
    - c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
    .
    2013-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
    - c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
    .
    2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
    .
    2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
    .
    2013-03-22 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.optimum.net/
    mStart Page = about:blank
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
    uInternet Settings,ProxyOverride = *.local;<local>
    TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
    DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
    DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
    FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
    FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
    FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
    FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    FF - user.js: extensions.delta.tlbrSrchUrl -
    FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
    FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
    FF - user.js: extensions.delta.instlDay - 15750
    FF - user.js: extensions.delta.vrsn - 1.8.10.0
    FF - user.js: extensions.delta.vrsni - 1.8.10.0
    FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
    FF - user.js: extensions.delta.prtnrId - delta
    FF - user.js: extensions.delta.prdct - delta
    FF - user.js: extensions.delta.aflt - babsst
    FF - user.js: extensions.delta.smplGrp - none
    FF - user.js: extensions.delta.tlbrId - base
    FF - user.js: extensions.delta.instlRef - sst
    FF - user.js: extensions.delta.dfltLng - en
    FF - user.js: extensions.delta.excTlbr - false
    FF - user.js: extensions.delta.admin - false
    FF - user.js: extensions.delta.autoRvrt - false
    FF - user.js: extensions.delta.rvrt - false
    FF - user.js: extensions.delta.newTab - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-22 11:17
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1264)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(7000)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2013-03-22 11:19:47
    ComboFix-quarantined-files.txt 2013-03-22 15:19
    ComboFix2.txt 2013-03-22 14:54
    ComboFix3.txt 2013-03-20 19:57
    ComboFix4.txt 2013-03-20 17:08
    ComboFix5.txt 2013-03-22 15:06
    .
    Pre-Run: 49,022,193,664 bytes free
    Post-Run: 48,989,089,792 bytes free
    .
    - - End Of File - - F9364BAE093EDA4C26E2267AED60EF21

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    We will use combofix to remove some goodies. Run it in "normal boot" mode.

    Click Start, then Run and type Notepad and click OK.
    Copy/paste the text in the code box below into notepad:

    Code:
    File::
    c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe
    c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe
    c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe
    c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe
    
    Driver::
    AZULWXOPZZH
    BMGX
    TSJSRS
    ZWKKQGF
    Name the Notepad file CFScript.txt and Save it to your desktop.
    Now locate the file you just saved to your desktop (CFScript.txt) and the combofix icon, also on your desktop.

    Using your mouse, drag the CFScript right on top of the combofix icon and release; combofix will run, reboot and produce a new log.
    Please post the new combofix log in your reply.

    After combofix is all done you can do this also:
    Click Start>Run, then type %temp%
    Hit OK. Delete all the files you can.

    Click Start>Run, then type %windir%\temp
    Hit OK. Delete all the files you can.
    How Can I Reduce My Risk?
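The four S4 entries in the log above (AZULWXOPZZH, BMGX, TSJSRS, ZWKKQGF) share two traits a triage pass can key on: the image path points into the user's Local Settings\Temp folder, and ComboFix's "path --> path [?]" notation says the binary is no longer on disk. The script below is an added example, not code from this thread or from ComboFix: it parses the R*/S* service lines in the format ComboFix prints, flags entries on those two traits, and emits a CFScript in the File::/Driver:: form used in the post above. One detail worth checking against the log: the Driver:: section takes the service name (the first field of the S4 line), not the .exe name, because ComboFix matches it against the Services registry key. The sample lines are copied from the log; the regex and the Temp-folder patterns are my assumptions about ComboFix's output, not a documented format. An entry whose binary is missing but whose path is outside Temp (fnvu / behy.sys in the sample) is reported for review rather than written into the script, since a missing file alone does not prove the entry is hostile.

```python
"""Triage ComboFix R*/S* driver and service lines.

Added example, not from the thread. Parses the "R0 name;display;path [info]"
lines ComboFix prints, flags entries whose binary sits in a Temp folder or no
longer exists ("[?]"), and writes a CFScript whose Driver:: section uses the
service name (the first field), which is what ComboFix matches on.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = [
    r"R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]",
    r"S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]",
    r"S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]",
    r"S4 AZULWXOPZZH;AZULWXOPZZH;c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe --> c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe [?]",
    r"S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]",
    r"S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]",
]

# Assumed line shape: R (running) / S (stopped) + start type 0-4,
# then name;display;path, then "[date size]" or "[?]" when the file is gone.
LINE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
# Per-user temp folders on XP (8.3 and long form) plus %windir%\Temp.
TEMP_RE = re.compile(r"\\(?:locals~1|local settings|windows)\\temp\\", re.I)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    missing: bool
    reasons: list = field(default_factory=list)


def parse_service_lines(lines):
    """Return a ServiceEntry for every line that matches ComboFix's format."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # "path --> path [?]" is how ComboFix marks a registered binary that is gone.
        path = m.group("rest").split(" --> ")[0].strip()
        entries.append(ServiceEntry(
            state=m.group("state"),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            path=path,
            missing=(m.group("info").strip() == "?"),
        ))
    return entries


def flag_suspicious(entries):
    """Attach a reason to every entry worth a second look; return only those."""
    flagged = []
    for e in entries:
        if TEMP_RE.search(e.path):
            e.reasons.append("image path in a Temp folder")
        if e.missing:
            e.reasons.append("binary missing on disk")
        if e.reasons:
            flagged.append(e)
    return flagged


def build_cfscript(entries):
    """Emit a CFScript removing the given entries.

    Driver:: lines carry the service name, not the .exe name: ComboFix looks
    the name up under HKLM\\SYSTEM\\CurrentControlSet\\Services.
    """
    files = "\n".join(e.path for e in entries)
    drivers = "\n".join(e.name for e in entries)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"


def triage(lines):
    """Split flagged entries into (script these: Temp-resident, review only: the rest)."""
    flagged = flag_suspicious(parse_service_lines(lines))
    to_script = [e for e in flagged if "image path in a Temp folder" in e.reasons]
    review = [e for e in flagged if e not in to_script]
    return to_script, review


if __name__ == "__main__":
    script, review = triage(SAMPLE_LOG)
    for e in review:
        print(f"REVIEW {e.state} {e.name}: {'; '.join(e.reasons)} ({e.path})")
    print(build_cfscript(script))
```

Run it with python and paste the printed File::/Driver:: block into CFScript.txt exactly as described in the post above; the REVIEW lines are for whoever is driving the cleanup to decide on by hand.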

  8. #8
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    Default ComboFix with CFScript.txt LOG

    Question....

    Should I duplicate running this procedure under the other profiles on the machine or did the infection/threat affect only "my" profile?

    Thank you
    Ray

    Standing by awaiting further instructions....

    Below is the log of ComboFix AFTER running the CFScript.txt file:


    ComboFix 13-03-21.02 - Ray 03/23/2013 9:38.25.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2130 [GMT -4:00]
    Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
    AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    * Created a new restore point
    .
    FILE ::
    "c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\EventSystem.log
    c:\windows\system32\drivers\RKHit.sys
    c:\windows\wininit.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_AZULWXOPZZH
    -------\Service_AZULWXOPZZH
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-23 to 2013-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-22 14:42 . 2013-03-22 15:20 -------- d-----w- C:\ComboFix Logs 3-22-2013
    2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
    2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
    2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
    2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
    2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
    2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
    2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
    2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
    2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
    2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
    2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
    2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
    2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
    2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
    2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
    2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
    2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
    2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
    2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
    2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
    2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
    "EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
    "EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
    .
    c:\documents and settings\Ray\Start Menu\Programs\Startup\
    CProcess.exe [2008-5-22 36352]
    Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
    PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    del_temp.vbs [2012-2-23 1914]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
    PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
    Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
    2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
    2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "SpyHunter 4 Service"=2 (0x2)
    "SDWSCService"=2 (0x2)
    "SDUpdateService"=2 (0x2)
    "SDScannerService"=2 (0x2)
    "SbieSvc"=2 (0x2)
    "ose"=3 (0x3)
    "NVWMI"=2 (0x2)
    "NVSvc"=2 (0x2)
    "Nero BackItUp Scheduler 4.0"=2 (0x2)
    "MSCamSvc"=2 (0x2)
    "MozillaMaintenance"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=2 (0x2)
    "gupdatem"=3 (0x3)
    "gupdate1c987ea6b15f84e"=2 (0x2)
    "gupdate"=2 (0x2)
    "Guard Agent"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)
    "EaseUS Agent"=2 (0x2)
    "DWMRCS"=2 (0x2)
    "CTAudSvcService"=2 (0x2)
    "Creative Service for CDROM Access"=2 (0x2)
    "Creative Media Toolbox 6 Licensing Service"=3 (0x3)
    "Creative Audio Engine Licensing Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "AdobeFlashPlayerUpdateSvc"=3 (0x3)
    "Adobe LM Service"=2 (0x2)
    "BMGXXXXXXXX"=3 (0x3)
    "BMGX"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\SoulseekNS\\slsk.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "6346:TCP"= 6346:TCP:Limewire
    "6346:UDP"= 6346:UDP:Limewire
    .
    R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
    R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
    R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
    R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
    R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
    R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
    R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
    R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
    S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
    S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
    S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
    S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
    S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
    S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
    S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
    S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
    S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
    S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
    S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
    S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
    S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
    S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
    S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
    S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
    S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
    S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
    S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
    S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
    .
    2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2013-03-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
    .
    2013-03-23 c:\windows\Tasks\GlaryInitialize.job
    - d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
    .
    2013-03-22 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
    .
    2013-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
    - c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
    - c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
    .
    2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
    .
    2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
    .
    2013-03-23 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.optimum.net/
    mStart Page = about:blank
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
    uInternet Settings,ProxyOverride = *.local;<local>
    TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
    DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
    DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
    FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
    FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
    FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
    FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    FF - user.js: extensions.delta.tlbrSrchUrl -
    FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
    FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
    FF - user.js: extensions.delta.instlDay - 15750
    FF - user.js: extensions.delta.vrsn - 1.8.10.0
    FF - user.js: extensions.delta.vrsni - 1.8.10.0
    FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
    FF - user.js: extensions.delta.prtnrId - delta
    FF - user.js: extensions.delta.prdct - delta
    FF - user.js: extensions.delta.aflt - babsst
    FF - user.js: extensions.delta.smplGrp - none
    FF - user.js: extensions.delta.tlbrId - base
    FF - user.js: extensions.delta.instlRef - sst
    FF - user.js: extensions.delta.dfltLng - en
    FF - user.js: extensions.delta.excTlbr - false
    FF - user.js: extensions.delta.admin - false
    FF - user.js: extensions.delta.autoRvrt - false
    FF - user.js: extensions.delta.rvrt - false
    FF - user.js: extensions.delta.newTab - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-23 09:55
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1268)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(6764)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Nero\SMC\NeroDigitalExt.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\locator.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\windows\RTHDCPL.EXE
    c:\documents and settings\Ray\Start Menu\Programs\Startup\CProcess.exe
    c:\windows\StartupMonitor.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    .
    **************************************************************************
    .
    Completion time: 2013-03-23 09:59:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-03-23 13:59
    ComboFix2.txt 2013-03-22 15:19
    ComboFix3.txt 2013-03-22 14:54
    ComboFix4.txt 2013-03-20 19:57
    ComboFix5.txt 2013-03-23 13:34
    .
    Pre-Run: 49,056,907,264 bytes free
    Post-Run: 49,029,246,976 bytes free
    .
    - - End Of File - - CCF20F4E5031F064D088914B8296D095

  9. #9
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    Default Services trying to re-load/re-start

    Hi,
We are missing the file that is kicking off the reload/restart of 2 of the files in services and drivers we deleted with the above text file/combofix. See attached screen shots of messages I intercepted during the start-up attempt and a shot of my temp folder and temp folder locked files. Could any of the "locked" keys in the registry be causing this?.....>>>HELP<<<
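The stopped services in the log above whose image path points at an executable under the user's Temp folder, with the `[?]` marker showing the file is no longer on disk, are the kind of leftover entry this question is about. As an added example, not part of this thread or of ComboFix, here is a small Python triage pass over constructed lines in the same service/driver line format; the heuristics it applies (missing image, Temp path, early start type) are assumptions of mine.

```python
import re
from typing import Dict, List

# Constructed sample in the service/driver line format of the ComboFix log above
# (start type, short name, display name, image path). "--> <path> [?]" is how
# ComboFix reports an image it could not find on disk; values mirror the thread.
SAMPLE_LOG = r"""
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
"""

# R = running, S = stopped; the digit is the Windows service start type
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+)$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_entry(line: str) -> Dict[str, object]:
    """Split one service/driver line into fields; raise on an unknown layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a service/driver line: {line!r}")
    state, start, name, display, rest = m.groups()
    missing = rest.endswith("[?]")
    # Missing images: "<path> --> <path> [?]"; present ones: "<path> [date size]".
    path = rest.split(" --> ")[0] if missing else rest.rsplit(" [", 1)[0]
    return {"state": state, "start": int(start), "name": name,
            "display": display, "path": path, "missing": missing}


def flag_entry(entry: Dict[str, object]) -> List[str]:
    """Reasons (my heuristics, not ComboFix's) an entry deserves a closer look."""
    flags: List[str] = []
    if entry["missing"]:
        # The service key survives but its image is gone: a half-removed
        # persistence entry, the usual source of "file not found" start-up
        # errors after a cleanup. The key itself, not just the file, is the leftover.
        flags.append("missing_binary")
    if TEMP_DIR_RE.search(str(entry["path"])):
        # Legitimate services live under Program Files or system32, not in a
        # user's Temp folder.
        flags.append("temp_path")
    if entry["start"] in (0, 1) and flags:
        # Boot/system-start drivers load before most security tools, so a
        # suspicious one outranks a disabled user-mode service.
        flags.append("early_start")
    return flags


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line and keep only the flagged entries."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        flags = flag_entry(entry)
        if flags:
            entry["flags"] = flags
            findings.append(entry)
    return findings
```

Running `triage(SAMPLE_LOG)` returns the fnvu, BMGX and ZWKKQGF entries with their flags and leaves the Kaspersky and EaseUS lines alone.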

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    Check malwarebytes for updates and then run it after you do this: Boot your machine into safe mode then navigate to your temp directories and delete what you can. Reboot normally and run malwarebytes. Post the malwarebytes log.
    How Can I Reduce My Risk?
