stratocast

  1. Hi, MBAM says I'm clean. Are there any other programs I should scan with to make sure I'm clean? You are amazing. My major is Information Technology and I am curious as to how you are able to analyze log files and create these scripts. I would love to be able to do that. Where can I learn how? Thanks again, Ryan
  2. Hi, here's the new log. Thank you!
  3. Hi, sorry, I think that was the mistake. Here's the new log.
  4. Hi, here's the new log. Thanks for your help.
  5. Hopefully I was able to disable everything. When I looked at the task manager after the ComboFix reboot, the only running processes were from the Windows OS. Here's the ComboFix log. Thanks for your help.
  6. Hi miekiemoes,

Thanks for the reply. First, I have been clicking the removal button. Since the files just show up again/don't get deleted, I didn't bother for that particular log file. Anyway, here are the new logs. Thanks for your help.

Malwarebytes' Anti-Malware 1.35
Database version: 1938
Windows 5.1.2600 Service Pack 2

4/3/2009 8:45:23 PM
mbam-log-2009-04-03 (20-45-23).txt

Scan type: Quick Scan
Objects scanned: 98223
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc0b00e7-e264-473c-8f80-a9023b05f550} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emikpyyc (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{fc0b00e7-e264-473c-8f80-a9023b05f550} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdevumutokar (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\mlcsjsi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\itadagakusa.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:39 PM, on 4/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {FC0B00E7-E264-473C-8F80-A9023B05F550} - c:\windows\system32\mlcsjsi.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [sdevumutokar] rundll32.exe "C:\WINDOWS\ovasegadavemom.dll",e
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\af982e01-0576-49c2-8024-96999c8526cf.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: emikpyyc - C:\WINDOWS\SYSTEM32\mlcsjsi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

--
End of file - 6108 bytes
  7. Hi, first, I'll paste my Malwarebytes log, then my HJT log. Every time I scan with MB, the same infections show up even after a "fix selected" and a reboot. "Fix selected" in HJT doesn't do anything either. I'd appreciate anyone's help. Thanks!

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 2

4/1/2009 10:18:32 PM
mbam-log-2009-04-01 (22-18-29).txt

Scan type: Quick Scan
Objects scanned: 98032
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc0b00e7-e264-473c-8f80-a9023b05f550} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emikpyyc (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{fc0b00e7-e264-473c-8f80-a9023b05f550} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdevumutokar (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\mlcsjsi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\itadagakusa.dll (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:00 PM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {FC0B00E7-E264-473C-8F80-A9023B05F550} - c:\windows\system32\mlcsjsi.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [sdevumutokar] rundll32.exe "C:\WINDOWS\itadagakusa.dll",e
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\af982e01-0576-49c2-8024-96999c8526cf.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: emikpyyc - C:\WINDOWS\SYSTEM32\mlcsjsi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
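Added example (editor's own code, not the poster's and not part of HijackThis, Malwarebytes or ComboFix): a small Python triage script that applies the pattern visible in the two HijackThis logs in this thread. The same freshly named DLL in system32 is registered twice, as an unnamed BHO (O2) and as a Winlogon Notify package (O20), and a Run entry calls rundll32 on a DLL in the Windows root with a single-letter export. The sample lines are constructed from the posted entries; the heuristics (consonant-run check for random-looking names, "directly in the Windows tree" check, cross-section correlation) are assumptions of this example, not rules taken from the thread or from any of the tools.

```python
import re
from collections import defaultdict

# Constructed sample input (assumption, not a file from the thread): a few
# HijackThis-format lines modelled on the entries posted above. Text only;
# nothing is loaded or executed.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {FC0B00E7-E264-473C-8F80-A9023B05F550} - c:\windows\system32\mlcsjsi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sdevumutokar] rundll32.exe "C:\WINDOWS\itadagakusa.dll",e
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: emikpyyc - C:\WINDOWS\SYSTEM32\mlcsjsi.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe|ocm|scr)", re.I)   # first drive-letter path to a binary
EXPORT_RE = re.compile(r'\.dll"?\s*,\s*(\w+)', re.I)               # export name after "x.dll,"
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Lexical heuristic (this example's assumption): a lowercase, letters-only
    name of six or more characters containing a run of four or more consonants
    (mlcsjsi, emikpyyc) is unlike a vendor-chosen file name. It deliberately
    misses pronounceable junk such as itadagakusa; context rules catch that."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def in_windows_dir(path: str) -> bool:
    """True when the file sits directly in the Windows folder or its system32
    subfolder. Plenty of legitimate binaries live there too (nvsvc32.exe,
    NvCpl.dll), so this is only ever combined with another signal."""
    parts = path.lower().split("\\")
    if len(parts) == 3 and parts[1] == "windows":
        return True
    return len(parts) == 4 and parts[1:3] == ["windows", "system32"]


def parse_hjt(text: str):
    """Return (section, rest_of_line, file_path) for each HJT line that
    carries a drive-letter path to a binary."""
    out = []
    for raw in text.strip().splitlines():
        m = re.match(r"(O\d+) - (.*)", raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        pm = PATH_RE.search(rest)
        if pm:
            out.append((section, rest, pm.group(0)))
    return out


def triage(text: str) -> dict:
    """Map each suspicious file (lower-cased path) to the reasons it was flagged."""
    entries = parse_hjt(text)
    where = defaultdict(set)            # path -> HJT sections it appears in
    for section, _, path in entries:
        where[path.lower()].add(section)

    reasons = defaultdict(list)
    for section, rest, path in entries:
        key = path.lower()
        stem = key.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if in_windows_dir(key) and looks_random(stem):
            reasons[key].append("random-looking file name directly in the Windows tree")
        if section == "O2" and rest.startswith("BHO: (no name)") and in_windows_dir(key):
            reasons[key].append("unnamed BHO loading from the Windows tree")
        if section == "O20":
            label = rest.split(":", 1)[1].split(" - ", 1)[0].strip()
            if in_windows_dir(key) and (looks_random(label) or looks_random(stem)):
                reasons[key].append(f"Winlogon Notify package '{label}' with random-looking name")
        if section == "O4" and "rundll32" in rest.lower():
            em = EXPORT_RE.search(rest)
            if em and len(em.group(1)) == 1 and in_windows_dir(key):
                reasons[key].append(f"rundll32 entry calling single-letter export '{em.group(1)}'")
        if len(where[key]) > 1:       # the same file hooked into two autostart classes
            reasons[key].append("same file registered in " + ", ".join(sorted(where[key])))
    return {k: list(dict.fromkeys(v)) for k, v in reasons.items()}


def suspicious_files(text: str) -> list:
    """Sorted list of the file paths triage() flagged."""
    return sorted(triage(text))


if __name__ == "__main__":
    for path, why in triage(SAMPLE_HJT).items():
        print(path)
        for r in why:
            print("   -", r)
```

The correlation rule is the one that matters most here: a single file hooked into two autostart classes (a BHO loaded by every Internet Explorer instance and a Winlogon Notify package loaded by winlogon.exe) is exactly why "fix selected" in HijackThis and a delete-on-reboot in MBAM kept failing in the earlier posts, since whichever copy is still loaded can re-create the other. The script is a triage aid, not a verdict: the ComboFix output in this thread also shows an extra DLL mapped into lsass.exe and a stray NetSvcs name, neither of which appears in a HijackThis log at all.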