-
ComboFix with CFScript.txt LOG
Question....
Should I duplicate running this procedure under the other profiles on the machine or did the infection/threat affect only "my" profile?
Thank you
Ray
Standing by awaiting further instructions....
Below is the log of ComboFix AFTER running the CFScript.txt file:
ComboFix 13-03-21.02 - Ray 03/23/2013 9:38.25.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2130 [GMT -4:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
FILE ::
"c:\docume~1\Ray\LOCALS~1\Temp\AZULWXOPZZH.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe"
"c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
c:\windows\system32\drivers\RKHit.sys
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AZULWXOPZZH
-------\Service_AZULWXOPZZH
.
.
((((((((((((((((((((((((( Files Created from 2013-02-23 to 2013-03-23 )))))))))))))))))))))))))))))))
.
.
2013-03-22 14:42 . 2013-03-22 15:20 -------- d-----w- C:\ComboFix Logs 3-22-2013
2013-03-19 21:59 . 2013-03-19 21:59 -------- d-----w- C:\CLEAN BOOT
2013-03-19 21:09 . 2013-03-19 21:04 678912 ----a-w- C:\MicrosoftFixit50598.msi
2013-03-18 19:16 . 2013-03-18 19:16 -------- d-----w- C:\CFScanner
2013-03-17 18:51 . 2013-03-17 18:51 -------- d-----w- C:\sh4ldr
2013-03-10 20:31 . 2013-03-10 20:32 -------- d-----w- C:\Sophos
2013-03-09 00:22 . 2013-03-09 00:23 -------- d-----w- C:\Escort
2013-03-07 20:48 . 2013-03-07 20:48 -------- d-----r- C:\Sandbox
2013-03-07 17:06 . 2013-03-07 17:06 -------- d-----w- C:\rsit
2013-03-07 15:54 . 2013-03-07 15:54 -------- d-----w- C:\Deleted Autoruns
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 23:02 . 2013-01-14 15:23 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2008-04-13 17:56 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2012-12-26 20:16 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2012-12-26 20:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2012-12-26 20:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2012-12-24 06:40 385024 ----a-w- c:\windows\system32\html.iec
2013-01-28 02:36 . 2013-01-28 02:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-26 04:35 . 2013-01-26 04:35 19528 ----a-w- c:\windows\system32\fbnative.exe
2013-01-26 04:35 . 2013-01-26 04:35 185672 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys
2013-01-26 04:35 . 2013-01-26 04:35 40648 ----a-w- c:\windows\system32\drivers\EUBKMON.sys
2013-01-26 04:35 . 2013-01-26 04:35 14920 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2013-01-26 04:35 . 2013-01-26 04:35 50248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2013-01-26 03:55 . 2013-01-26 03:55 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-25 16:02 . 2013-01-25 16:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 16:02 . 2013-01-25 16:02 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-25 16:02 . 2013-01-25 16:02 473072 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-07 01:19 . 2013-01-07 01:19 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2013-01-07 00:37 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2013-01-04 01:20 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2013-01-02 06:49 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2013-01-02 06:49 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-06-14 22:20 . 2012-06-14 22:20 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-03-19 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupDelayer"="d:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2013-03-07 1081856]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SDTray"="d:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-31 15496552]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2013-01-26 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2013-01-26 1372232]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2013-03-05 418024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-24 356376]
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
CProcess.exe [2008-5-22 36352]
Efficient Reminder Free.lnk - c:\program files\Efficient Reminder Free\EfficientReminderFree.exe [2013-1-2 10981888]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
del_temp.vbs [2012-2-23 1914]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HyperSnap-DX 5.lnk - c:\program files\HyperSnap-DX 5\HprSnap5.exe [2004-10-14 1785856]
PlexRadar.lnk - c:\program files\Plextor\PlexUTILITIES\PlexRadar.exe [2013-1-9 2907136]
Watch.lnk - c:\program files\Mustek 1200 UB Plus\Driver\WATCH.exe [2001-11-23 364544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2006-02-14 12:56 460800 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2012-11-13 18:13 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2012-11-01 17:56 1263512 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-19 15:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SpyHunter 4 Service"=2 (0x2)
"SDWSCService"=2 (0x2)
"SDUpdateService"=2 (0x2)
"SDScannerService"=2 (0x2)
"SbieSvc"=2 (0x2)
"ose"=3 (0x3)
"NVWMI"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MSCamSvc"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c987ea6b15f84e"=2 (0x2)
"gupdate"=2 (0x2)
"Guard Agent"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EaseUS Agent"=2 (0x2)
"DWMRCS"=2 (0x2)
"CTAudSvcService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Media Toolbox 6 Licensing Service"=3 (0x3)
"Creative Audio Engine Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"Adobe LM Service"=2 (0x2)
"BMGXXXXXXXX"=3 (0x3)
"BMGX"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride /**comment**(normally it is \"1\")**comment**/"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitLord 2\\Bitlord files\\bitlord.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TbService.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\TBConsoleUI.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"d:\\Program Files\\Spybot - Search & Destroy 2\\SDFiles.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"6346:TCP"= 6346:TCP:Limewire
"6346:UDP"= 6346:UDP:Limewire
.
R0 asahxp32;asahxp32;c:\windows\system32\drivers\asahxp32.sys [5/6/2011 5:13 PM 41696]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [1/26/2013 12:35 AM 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [1/26/2013 12:35 AM 40648]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [3/7/2013 2:46 PM 33112]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [1/26/2013 12:35 AM 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [1/26/2013 12:35 AM 185672]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/24/2012 6:33 PM 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [8/13/2012 5:49 PM 144344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/12/2011 2:05 PM 18816]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [6/27/2012 3:09 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/24/2012 6:33 PM 24408]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/24/2012 6:33 PM 24920]
S0 fnvu;fnvu;c:\windows\system32\drivers\behy.sys --> c:\windows\system32\drivers\behy.sys [?]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/29/2008 11:14 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/29/2008 11:14 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/29/2008 11:14 AM 72728]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [1/27/2013 10:36 PM 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/21/2012 2:54 PM 13896]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [5/6/2011 3:57 PM 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [6/22/2012 11:01 AM 19984]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/21/2012 2:53 PM 9160]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [10/10/2012 11:08 PM 34432]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [10/10/2012 11:08 PM 25088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/13/2010 2:37 PM 30576]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/3/2011 8:36 PM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/14/2013 11:23 AM 13024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S4 BMGX;BMGX;c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe --> c:\docume~1\Ray\LOCALS~1\Temp\BMGX.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/1/2011 9:56 PM 79360]
S4 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [2/1/2011 10:10 PM 79360]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [1/26/2013 12:35 AM 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [1/26/2013 12:36 AM 23624]
S4 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2011 12:12 AM 136176]
S4 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi.exe [12/31/1999 8:00 PM 664424]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;d:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/12/2013 10:21 AM 1103392]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;d:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/12/2013 10:21 AM 1369624]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;d:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/12/2013 10:21 AM 168384]
S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1/14/2013 9:33 PM 769920]
S4 TSJSRS;TSJSRS;c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe --> c:\docume~1\Ray\LOCALS~1\Temp\TSJSRS.exe [?]
S4 ZWKKQGF;ZWKKQGF;c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe --> c:\docume~1\Ray\LOCALS~1\Temp\ZWKKQGF.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-03-19 15:15 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 17:47]
.
2013-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-03-23 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-12 18:08]
.
2013-03-23 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities New 3-7-13\initialize.exe [2013-03-07 20:58]
.
2013-03-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-09-26 17:28]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-06 04:12]
.
2013-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003Core.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-651377827-2146997909-1003UA.job
- c:\documents and settings\Ray\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-25 22:50]
.
2013-03-13 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-12 18:07]
.
2013-03-12 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- d:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-12 18:07]
.
2013-03-23 c:\windows\Tasks\User_Feed_Synchronization-{795DF606-D83B-4891-BD02-5F2638647941}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://amer-ml33.amer.csc.com/dwa85W.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\
FF - ExtSQL: 2013-01-25 11:03; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - ExtSQL: 2013-02-14 11:38; torntv2@torntv.com; c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\6cr6okv0.default\extensions\torntv2@torntv.com.xpi
FF - ExtSQL: !HIDDEN! 2011-01-31 18:23; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 1fde8a400000000000000022152aced0
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15750
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.011:39
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-23 09:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1268)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(6764)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Nero\SMC\NeroDigitalExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\locator.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\documents and settings\Ray\Start Menu\Programs\Startup\CProcess.exe
c:\windows\StartupMonitor.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2013-03-23 09:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-23 13:59
ComboFix2.txt 2013-03-22 15:19
ComboFix3.txt 2013-03-22 14:54
ComboFix4.txt 2013-03-20 19:57
ComboFix5.txt 2013-03-23 13:34
.
Pre-Run: 49,056,907,264 bytes free
Post-Run: 49,029,246,976 bytes free
.
- - End Of File - - CCF20F4E5031F064D088914B8296D095
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
