
Thread: An infection that I can't find.


  1. #1
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    ComboFix with CFScript.txt LOG

    Question....

    Should I duplicate running this procedure under the other profiles on the machine or did the infection/threat affect only "my" profile?

    Thank you
    Ray

    Standing by awaiting further instructions....

    Below is the log of ComboFix AFTER running the CFScript.txt file:


    ComboFix 13-03-21.02 - Ray 03/23/2013 9:38.25.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2130 [GMT -4:00]
    Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
    AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    * Created a new restore point
    .
    FILE ::
    "c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\EventSystem.log
    c:\windows\system32\drivers\RKHit.sys
    c:\windows\wininit.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_AZULWXOPZZH
    -------\Service_AZULWXOPZZH
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-23 to 2013-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-22 14:42 . 2013-03-22 15:20 -------- d-----w- C:\ComboFix Logs 3-22-2013
    2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
    2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
    2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
    2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
    2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
    2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
    2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
    2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
    2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
    2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
    2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
    2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
    2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
    2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
    2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
    2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
    2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
    2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
    2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
    2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
    2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
    "EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
    "EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
    .
    c:\documents and settings\Ray\Start Menu\Programs\Startup\
    CProcess.exe [2008-5-22 36352]
    Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
    PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    del_temp.vbs [2012-2-23 1914]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
    PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
    Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
    2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
    2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "SpyHunter 4 Service"=2 (0x2)
    "SDWSCService"=2 (0x2)
    "SDUpdateService"=2 (0x2)
    "SDScannerService"=2 (0x2)
    "SbieSvc"=2 (0x2)
    "ose"=3 (0x3)
    "NVWMI"=2 (0x2)
    "NVSvc"=2 (0x2)
    "Nero BackItUp Scheduler 4.0"=2 (0x2)
    "MSCamSvc"=2 (0x2)
    "MozillaMaintenance"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=2 (0x2)
    "gupdatem"=3 (0x3)
    "gupdate1c987ea6b15f84e"=2 (0x2)
    "gupdate"=2 (0x2)
    "Guard Agent"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)
    "EaseUS Agent"=2 (0x2)
    "DWMRCS"=2 (0x2)
    "CTAudSvcService"=2 (0x2)
    "Creative Service for CDROM Access"=2 (0x2)
    "Creative Media Toolbox 6 Licensing Service"=3 (0x3)
    "Creative Audio Engine Licensing Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "AdobeFlashPlayerUpdateSvc"=3 (0x3)
    "Adobe LM Service"=2 (0x2)
    "BMGXXXXXXXX"=3 (0x3)
    "BMGX"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\SoulseekNS\\slsk.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "6346:TCP"= 6346:TCP:Limewire
    "6346:UDP"= 6346:UDP:Limewire
    .
    R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
    R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
    R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
    R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
    R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
    R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
    R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
    R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
    S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
    S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
    S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
    S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
    S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
    S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
    S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
    S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
    S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
    S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
    S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
    S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
    S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
    S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
    S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
    S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
    S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
    S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
    S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
    S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
    .
    2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2013-03-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
    .
    2013-03-23 c:\windows\Tasks\GlaryInitialize.job
    - d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
    .
    2013-03-22 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
    .
    2013-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
    - c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
    - c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
    .
    2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
    .
    2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
    .
    2013-03-23 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.optimum.net/
    mStart Page = about:blank
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
    uInternet Settings,ProxyOverride = *.local;<local>
    TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
    DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
    DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
    FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
    FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
    FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
    FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    FF - user.js: extensions.delta.tlbrSrchUrl -
    FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
    FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
    FF - user.js: extensions.delta.instlDay - 15750
    FF - user.js: extensions.delta.vrsn - 1.8.10.0
    FF - user.js: extensions.delta.vrsni - 1.8.10.0
    FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
    FF - user.js: extensions.delta.prtnrId - delta
    FF - user.js: extensions.delta.prdct - delta
    FF - user.js: extensions.delta.aflt - babsst
    FF - user.js: extensions.delta.smplGrp - none
    FF - user.js: extensions.delta.tlbrId - base
    FF - user.js: extensions.delta.instlRef - sst
    FF - user.js: extensions.delta.dfltLng - en
    FF - user.js: extensions.delta.excTlbr - false
    FF - user.js: extensions.delta.admin - false
    FF - user.js: extensions.delta.autoRvrt - false
    FF - user.js: extensions.delta.rvrt - false
    FF - user.js: extensions.delta.newTab - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-23 09:55
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1268)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(6764)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Nero\SMC\NeroDigitalExt.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\locator.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\windows\RTHDCPL.EXE
    c:\documents and settings\Ray\Start Menu\Programs\Startup\CProcess.exe
    c:\windows\StartupMonitor.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    .
    **************************************************************************
    .
    Completion time: 2013-03-23 09:59:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-03-23 13:59
    ComboFix2.txt 2013-03-22 15:19
    ComboFix3.txt 2013-03-22 14:54
    ComboFix4.txt 2013-03-20 19:57
    ComboFix5.txt 2013-03-23 13:34
    .
    Pre-Run: 49,056,907,264 bytes free
    Post-Run: 49,029,246,976 bytes free
    .
    - - End Of File - - CCF20F4E5031F064D088914B8296D095
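
Ray's question (does this affect only "my" profile?) can be read off the log above: the four Temp-folder executables are registered as services, and services live under HKEY_LOCAL_MACHINE, so the persistence is machine-wide even though every payload sits in one user's Temp directory, and two of them (S4 BMGX, S4 TSJSRS, S4 ZWKKQGF) still show "[?]", meaning the service key survives although the file is gone. The Python script below is an added example, not part of this thread or of ComboFix: it parses the Drivers/Services lines of a ComboFix log (R = running, S = stopped, the digit is the start type) and flags entries whose binary is missing, lives under a Temp folder, or lives inside a user profile. The sample input is a constructed subset of lines copied from the log above; the flagging heuristics are my own and are a triage aid, not a verdict on any individual entry.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Subset of service/driver lines copied from the ComboFix log posted above.
# Constructed sample input for this example; the real log has many more lines.
SAMPLE_LOG = r"""
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
"""

# ComboFix convention: R = running, S = stopped; the digit is the service
# start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# Payload parked in a Temp folder, e.g. ...\LOCALS~1\Temp\BMGX.exe
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Binary inside a user profile rather than a system or Program Files location
PROFILE_RE = re.compile(r"^[a-z]:\\(docume~1|documents and settings|users)\\", re.IGNORECASE)


@dataclass
class Service:
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    file_present: bool
    findings: List[str] = field(default_factory=list)


def triage(svc: "Service") -> List[str]:
    """Heuristics (my own, not ComboFix's): reasons an entry deserves a closer look."""
    findings = []
    if not svc.file_present:
        findings.append("binary missing on disk")
    if TEMP_RE.search(svc.path):
        findings.append("binary under a Temp directory")
    if PROFILE_RE.match(svc.path):
        # Services are registered under HKLM, so this persists machine-wide
        # even though the payload sits in a single user's profile.
        findings.append("machine-wide service with binary in a user profile")
    return findings


def parse_services(text: str) -> List[Service]:
    """Parse ComboFix 'Drivers/Services' lines; lines that do not match are skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # ComboFix prints 'path --> path [?]' when the file is not on disk.
        file_present = not rest.endswith("[?]")
        path = rest.split(" --> ")[0] if " --> " in rest else rest.rsplit(" [", 1)[0]
        svc = Service(
            running=m.group("state") == "R",
            start_type=int(m.group("start")),
            name=m.group("name"),
            display=m.group("display"),
            path=path,
            file_present=file_present,
        )
        svc.findings = triage(svc)
        services.append(svc)
    return services


def suspicious(services: List[Service]) -> List[Service]:
    """Entries with at least one finding, in log order."""
    return [s for s in services if s.findings]


if __name__ == "__main__":
    for s in suspicious(parse_services(SAMPLE_LOG)):
        state = "running" if s.running else "stopped"
        print(f"{s.name:<10} {state}/{START_TYPES[s.start_type]:<8} {s.path}")
        for f in s.findings:
            print(f"           - {f}")
```

Run against the sample it lists fnvu (boot-start driver whose file is gone) and the three Temp-folder services; the EaseUS, Kaspersky and other Program Files entries produce no findings. A service key whose binary is missing is harmless by itself, but if the file keeps reappearing, as the next post reports, something else on the machine is rewriting it, so the remaining key is a useful marker rather than the root cause.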

  2. #2
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    Services trying to re-load/re-start

    Hi,
    We are missing the file that is kicking off the reload/restart of 2 of the files in services and drivers we deleted with the above text file/ComboFix. See attached screen shots of messages I intercepted during the start-up attempt and a shot of my temp folder and temp folder locked files. Could any of the "locked" keys in the registry be causing this?.....>>>HELP<<<

  3. #3
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Check Malwarebytes for updates and then run it after you do this: boot your machine into Safe Mode, then navigate to your temp directories and delete what you can. Reboot normally and run Malwarebytes. Post the Malwarebytes log.
    How Can I Reduce My Risk?

  4. #4
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    Ran MalwareBytes Successfully

    Hi,

    In the future please specify how to run MalwareBytes "full" or "quick". Log is of a Full scan. Did not find anything.

    Thanks,
    Ray
    Next???


    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.03.23.07

    Windows XP Service Pack 3 x86 NTFS (Safe Mode)
    Internet Explorer 8.0.6001.18702
    Ray :: RIGHTWINXP [administrator]

    3/23/2013 1:28:33 PM
    mbam-log-2013-03-23 (13-28-33).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 403512
    Time elapsed: 16 minute(s), 8 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

  5. #5
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Did you delete anything out of the temps while in Safe Mode? Run ComboFix once more using the slightly changed script below, like you did before.

    Click Start, then Run and type Notepad and click OK.
    Copy/paste the text in the code box below into notepad:

    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "BMGXXXXXXXX"=3-
    "BMGX"=3-
    
    File::
    c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe
    c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe
    c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe
    c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe
    
    Driver::
    AZULWXOPZZH
    BMGX.exe
    TSJSRS.exe
    ZWKKQGF.exe
    Name the Notepad file CFScript.txt and Save it to your desktop.
    Now locate the file you just saved to your desktop (CFScript.txt) and the combofix icon, also on your desktop.

    Using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run, reboot and produce a new log
    please post the new combofix log in your reply.

    After the above, download:
    RogueKiller.exe

    Download & SAVE RogueKiller to your desktop
    Close any running programs
    Double click to start
    For Vista or Windows 7, right-click and select Run as Admin
    Once the Prescan has finished click the Scan button
    Once the scan is done a report.txt will be on your desktop.
    Exit RogueKiller by going to File>Quit.
    Copy/paste the RKreport saved to your Desktop

  6. #6
    Junior Member
    Join Date
    Mar 2013
    Posts
    18

    Ran ComboFix and RogueKiller

    ComboFix 13-03-23.01 - Ray 03/23/2013 18:13:50.26.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2383 [GMT -4:00]
    Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
    AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    FILE ::
    "c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe"
    "c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-23 to 2013-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-22 14:42 . 2013-03-23 14:11 -------- d-----w- C:\ComboFix Logs 3-22-2013
    2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
    2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
    2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
    2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
    2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
    2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
    2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
    2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
    2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
    2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
    2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
    2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
    2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
    2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
    2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
    2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
    2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
    2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
    2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
    2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
    2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
    "EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
    "EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
    .
    c:\documents and settings\Ray\Start Menu\Programs\Startup\
    CProcess.cfg [2013-3-23 860]
    CProcess.exe [2008-5-22 36352]
    Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
    PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    del_temp.vbs [2012-2-23 1914]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
    PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
    Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
    path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
    2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
    2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "SpyHunter 4 Service"=2 (0x2)
    "SDWSCService"=2 (0x2)
    "SDUpdateService"=2 (0x2)
    "SDScannerService"=2 (0x2)
    "SbieSvc"=2 (0x2)
    "ose"=3 (0x3)
    "NVWMI"=2 (0x2)
    "NVSvc"=2 (0x2)
    "Nero BackItUp Scheduler 4.0"=2 (0x2)
    "MSCamSvc"=2 (0x2)
    "MozillaMaintenance"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=2 (0x2)
    "gupdatem"=3 (0x3)
    "gupdate1c987ea6b15f84e"=2 (0x2)
    "gupdate"=2 (0x2)
    "Guard Agent"=2 (0x2)
    "FLEXnet Licensing Service"=3 (0x3)
    "EaseUS Agent"=2 (0x2)
    "DWMRCS"=2 (0x2)
    "CTAudSvcService"=2 (0x2)
    "Creative Service for CDROM Access"=2 (0x2)
    "Creative Media Toolbox 6 Licensing Service"=3 (0x3)
    "Creative Audio Engine Licensing Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "AdobeFlashPlayerUpdateSvc"=3 (0x3)
    "Adobe LM Service"=2 (0x2)
    "BMGXXXXXXXX"=3 (0x3)
    "BMGX"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\AIM95\\aim.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\SoulseekNS\\slsk.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
    "c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
    "d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "6346:TCP"= 6346:TCP:Limewire
    "6346:UDP"= 6346:UDP:Limewire
    .
    R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
    R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
    R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
    R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
    R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
    R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
    R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
    R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
    R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
    S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
    S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
    S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
    S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
    S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
    S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
    S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
    S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
    S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
    S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
    S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
    S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
    S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
    S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
    S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
    S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
    S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
    S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
    S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
    S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
    .
    2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2013-03-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
    .
    2013-03-23 c:\windows\Tasks\GlaryInitialize.job
    - d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
    .
    2013-03-23 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
    - c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
    .
    2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
    - c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
    .
    2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
    .
    2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
    - d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
    .
    2013-03-23 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.optimum.net/
    mStart Page = about:blank
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
    uInternet Settings,ProxyOverride = *.local;<local>
    TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
    DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
    DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
    FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
    FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
    FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
    FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    FF - user.js: extensions.delta.tlbrSrchUrl -
    FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
    FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
    FF - user.js: extensions.delta.instlDay - 15750
    FF - user.js: extensions.delta.vrsn - 1.8.10.0
    FF - user.js: extensions.delta.vrsni - 1.8.10.0
    FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
    FF - user.js: extensions.delta.prtnrId - delta
    FF - user.js: extensions.delta.prdct - delta
    FF - user.js: extensions.delta.aflt - babsst
    FF - user.js: extensions.delta.smplGrp - none
    FF - user.js: extensions.delta.tlbrId - base
    FF - user.js: extensions.delta.instlRef - sst
    FF - user.js: extensions.delta.dfltLng - en
    FF - user.js: extensions.delta.excTlbr - false
    FF - user.js: extensions.delta.admin - false
    FF - user.js: extensions.delta.autoRvrt - false
    FF - user.js: extensions.delta.rvrt - false
    FF - user.js: extensions.delta.newTab - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-23 18:21
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1264)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3884)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2013-03-23 18:24:40
    ComboFix-quarantined-files.txt 2013-03-23 22:24
    ComboFix2.txt 2013-03-22 15:19
    ComboFix3.txt 2013-03-22 14:54
    ComboFix4.txt 2013-03-20 19:57
    ComboFix5.txt 2013-03-23 13:34
    .
    Pre-Run: 48,996,126,720 bytes free
    Post-Run: 48,965,550,080 bytes free
    .
    - - End Of File - - 2BFD7078171C6FD05360C5B9C5899D10

    _________________________________________________________________


    RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Ray [Admin rights]
    Mode : Scan -- Date : 03/23/2013 18:57:43
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 1 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3500630AS +++++
    --- User ---
    [MBR] 1abe93979b2dbe79cf8f51cd4711ed80
    [BSP] 21a0857be101ba19f44717e4f1fb3047 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive1: SAMSUNG HD103SI +++++
    --- User ---
    [MBR] 7c2d1787dda1ca0ab05b91036f3580ec
    [BSP] 5c2b22220f055145a9b1c7369ff5f509 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive2: WDC WD1002FAEX-00Z3A0 +++++
    --- User ---
    [MBR] 21475e07416da8f21be13708b5f622ca
    [BSP] 5711a6dba2474de31ee3d7621a7365f8 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive3: SATA ST310005 SCSI Disk Device +++++
    --- User ---
    [MBR] bfdd3ec03803c2ccaf7f86015141d08a
    [BSP] f1a4f4c15aeb52ccce9f82a9b658d6f8 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    +++++ PhysicalDrive4: KINGSTON SH103S3120G SCSI Disk Device +++++
    --- User ---
    [MBR] dd2d907da26384e77088766ef9d6679e
    [BSP] c8ef74fb392c575a42233e04e433445d : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114472 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_03232013_02d1857.txt >>
    RKreport[1]_S_03232013_02d1857.txt

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

    Sometimes other software can interfere with ComboFix trying to make changes. WinPatrol and Spybot's TeaTimer, as well as antivirus and other antimalware, can interfere. I see your AV was disabled, but before running ComboFix once more please disable/exit the others if they are running, just as a precaution. After reboot they will be active again.

    We will use combofix to delete one more file I should have included before.

    Code:
    File::
    c:\windows\system32\drivers\behy.sys
    
    Driver::
    fnvu
    Run RogueKiller once more like you did before, with a change at the end:

    Close any running programs
    Double click to start
    For Vista or Windows 7, right-click and select run as Admin
    Once the Prescan has finished click the scan button
    Once the scan is done a report.txt will be on your desktop.
    Click on the delete button to remove the disable registry item it found.
    Wait until the Status box shows "Deleting Finished"
    Click on "Report" and copy/paste the content of the Notepad into your next reply.
    The log should also be found in RKreport.txt on your Desktop
    Exit/Close RogueKiller
    How Can I Reduce My Risk?
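    As an added example that is not part of this thread or of ComboFix itself: a small Python script that does the same triage the helper did by hand on the logs above. It reads the Drivers/Services section of a ComboFix log, flags entries whose image lives under a Temp folder or that carry the trailing "[?]" marker (assumed here to mean ComboFix could not find the file), and drafts the File::/Driver:: stanza in CFScript form. The sample log lines are constructed from entries in the log above.

```python
"""Triage ComboFix service/driver lines and draft a CFScript stanza.

Added example (not ComboFix's own code). It mimics the helper's manual
triage: entries whose image file sits under a Temp folder, or that ComboFix
printed as "path --> path [?]" (assumed to mean the file was not found), are
collected into the File:: and Driver:: sections a CFScript uses.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A ComboFix service line looks like:
#   "<R0|S4|...> <service name>;<display name>;<image path> [date size]"
# or, when the file is unreadable:
#   "... ;<image path> --> <image path> [?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample, built from lines in the log above.
SAMPLE_LOG = r"""
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"""


@dataclass
class ServiceEntry:
    start: str      # ComboFix start-type column: R* running, S* stopped
    name: str       # service/driver name (what CFScript's Driver:: takes)
    path: str       # image path as printed in the log
    missing: bool   # True when the line ended in "[?]"


def parse_services(log_text: str) -> list[ServiceEntry]:
    """Return every service/driver line found in the log text."""
    entries: list[ServiceEntry] = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").rstrip()
        missing = rest.endswith("[?]")
        if " --> " in rest:
            path = rest.split(" --> ", 1)[0]       # unreadable-file form
        else:
            path = rest.rsplit(" [", 1)[0]         # strip "[date size]"
        entries.append(ServiceEntry(m.group("start"), m.group("name"),
                                    path.strip(), missing))
    return entries


def suspicious(entries: list[ServiceEntry]) -> list[ServiceEntry]:
    """Entries worth a second look: file missing, or image under a Temp dir."""
    return [e for e in entries if e.missing or TEMP_RE.search(e.path)]


def build_cfscript(entries: list[ServiceEntry]) -> str:
    """Draft the File::/Driver:: stanza for the flagged entries."""
    flagged = suspicious(entries)
    lines = ["File::", *(e.path for e in flagged), "",
             "Driver::", *(e.name for e in flagged)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_services(SAMPLE_LOG)), end="")
```

    The draft is only a starting point for review; legitimate drivers can also show "[?]" after an uninstall, so each flagged name still needs a human look before it goes into a CFScript.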
