Trojan.Vundo.H - can't remove


Hi, first, I'll paste my Malwarebytes log, then my HJT log. Every time I scan with MB, the same infections show up even after a "Fix selected" and a reboot. "Fix selected" in HJT doesn't do anything either.

I'd appreciate anyone's help. Thanks!

Malwarebytes' Anti-Malware 1.35

Database version: 1927

Windows 5.1.2600 Service Pack 2

4/1/2009 10:18:32 PM

mbam-log-2009-04-01 (22-18-29).txt

Scan type: Quick Scan

Objects scanned: 98032

Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc0b00e7-e264-473c-8f80-a9023b05f550} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emikpyyc (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{fc0b00e7-e264-473c-8f80-a9023b05f550} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdevumutokar (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\mlcsjsi.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\itadagakusa.dll (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:08:00 PM, on 4/1/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: ::1 localhost

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: (no name) - {FC0B00E7-E264-473C-8F80-A9023B05F550} - c:\windows\system32\mlcsjsi.dll

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sdevumutokar] rundll32.exe "C:\WINDOWS\itadagakusa.dll",e

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\af982e01-0576-49c2-8024-96999c8526cf.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.line6.net

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: emikpyyc - C:\WINDOWS\SYSTEM32\mlcsjsi.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe


  • Staff

Hi,

In your log, it says "No action taken".

You're supposed to click the removal button for them.

Anyway, please update Malwarebytes, because the database version is outdated.

Also, your TeaTimer is interfering here.

I suggest you disable it, because it can interfere with the changes you'll make to your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

  • Start Malwarebytes and click the Update tab. There, click "Check for updates".
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Hi miekiemoes,

Thanks for the reply. First, I have been clicking the removal button. Since the files just show up again/don't get deleted, I didn't bother for that particular log file. Anyway, here are the new logs. Thanks for your help.

Malwarebytes' Anti-Malware 1.35

Database version: 1938

Windows 5.1.2600 Service Pack 2

4/3/2009 8:45:23 PM

mbam-log-2009-04-03 (20-45-23).txt

Scan type: Quick Scan

Objects scanned: 98223

Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc0b00e7-e264-473c-8f80-a9023b05f550} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\emikpyyc (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{fc0b00e7-e264-473c-8f80-a9023b05f550} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdevumutokar (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\mlcsjsi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\itadagakusa.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:55:39 PM, on 4/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: ::1 localhost

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: (no name) - {FC0B00E7-E264-473C-8F80-A9023B05F550} - c:\windows\system32\mlcsjsi.dll

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sdevumutokar] rundll32.exe "C:\WINDOWS\ovasegadavemom.dll",e

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\af982e01-0576-49c2-8024-96999c8526cf.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.line6.net

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: emikpyyc - C:\WINDOWS\SYSTEM32\mlcsjsi.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

--

End of file - 6108 bytes


  • Staff

Hi,

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

You still need a reboot here so mbam can clean up these entries.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hopefully I was able to disable everything. When I looked at the Task Manager after the ComboFix reboot, the only running processes were from the Windows OS. Here's the ComboFix log. Thanks for your help.

ComboFix 09-04-03.01 - Ryan 2009-04-04 0:20:47.3 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.764 [GMT -4:00]

Running from: c:\documents and settings\Ryan.BLUE-ENIGMA\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))

.

2009-04-01 21:49 . 2009-04-01 21:49 <DIR> d-------- c:\program files\Trend Micro

2009-04-01 21:32 . 2009-04-01 21:32 <DIR> d-------- c:\program files\Bazooka Scanner

2009-04-01 21:16 . 2009-04-01 21:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-04-01 21:16 . 2009-04-01 21:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-03-31 23:26 . 2009-03-31 23:26 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\DoctorWeb

2009-03-31 19:30 . 2009-03-31 19:30 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\OTScanIt2

2009-03-31 17:00 . 2009-03-31 18:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-31 17:00 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-31 17:00 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-31 16:54 . 2009-03-31 16:54 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\qturuyui

2009-03-31 16:50 . 2009-03-31 16:50 <DIR> d-------- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\qturuyui

2009-03-31 16:43 . 2009-03-31 16:43 <DIR> d-------- c:\program files\Spyware Doctor

2009-03-31 16:43 . 2009-03-31 16:43 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\PC Tools

2009-03-31 16:43 . 2009-03-31 18:58 <DIR> d-a------ c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-03-31 16:43 . 2008-06-10 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys

2009-03-31 16:43 . 2008-06-02 15:19 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys

2009-03-31 16:43 . 2008-06-02 15:19 42,376 --a------ c:\windows\system32\drivers\ikfilesec.sys

2009-03-31 16:43 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

2009-03-30 20:52 . 2009-03-30 20:52 <DIR> d-------- c:\program files\ESET

2009-03-30 19:21 . 2009-03-30 19:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\qturuyui

2009-03-30 19:15 . 2009-03-30 19:15 <DIR> d--h----- c:\windows\system32\GroupPolicy

2009-03-24 20:07 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-03-23 23:55 . 2009-03-25 23:13 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\HouseCall 6.6

2009-03-10 23:18 . 2009-03-11 19:01 <DIR> d-------- c:\program files\Big Kahuna Reef

2009-03-10 23:18 . 2009-02-19 17:20 57,344 --a------ c:\windows\system32\Big Kahuna Reef.scr

2009-03-10 23:17 . 2009-03-10 23:17 <DIR> d-------- c:\program files\Amazon

2009-03-10 23:17 . 2009-03-10 23:17 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Amazon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-31 22:03 --------- d-----w c:\program files\SUPERAntiSpyware

2009-03-31 20:42 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

2009-03-31 00:28 --------- d-----w c:\program files\MSECache

2009-03-06 15:43 --------- d-----w c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Azureus

2009-02-27 21:36 --------- d-----w c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Move Networks

.

------- Sigcheck -------

2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

2008-11-26 18:08 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll

2004-08-04 08:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC0B00E7-E264-473C-8F80-A9023B05F550}]

2004-08-04 08:00 104448 --a------ c:\windows\system32\mlcsjsi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-04-10 144896]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2007-08-21 55856]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

"Sdevumutokar"="c:\windows\iwoxepodatodejex.dll" [2007-03-08 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-03-31 18:03 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\emikpyyc]

2004-08-04 08:00 104448 c:\windows\system32\mlcsjsi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli rxmcscox.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2003-08-01 11:31 61440 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]

--a------ 2009-02-02 01:32 246272 c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-02 17:33 133104 c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2003-08-04 18:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-07-16 09:16 1166216 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-07 20:52 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2008-12-04 14:50 1809648 c:\program files\SUPERAntiSpyware\af982e01-0576-49c2-8024-96999c8526cf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]

--a------ 2007-08-21 19:56 55856 c:\program files\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]

--a------ 2008-11-10 13:23 157312 c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 02:41 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"VMware NAT Service"=2 (0x2)

"vmount2"=2 (0x2)

"VMnetDHCP"=2 (0x2)

"VMAuthdService"=2 (0x2)

"odserv"=3 (0x3)

"sdAuxService"=2 (0x2)

"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\opposing force\\hl.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\team fortress classic\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\half-life blue shift\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\Steam.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=

"c:\\Program Files\\World of Warcraft\\Repair.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 jutkrzan;jutkrzan;c:\windows\system32\drivers\jutkrzan.sys [2004-08-04 23424]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]

S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-03-10 317440]

S2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2006-10-17 69632]

S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2007-03-03 202096]

S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2006-10-17 126976]

S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2004-10-25 331776]

S3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-07-15 26496]

S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2007-03-03 17264]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-31 356920]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

upltbmxk

.

Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\At1.job

- c:\windows\system32\mlcsjsi.dll [2004-08-04 08:00]

2009-03-31 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 15:41]

2009-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-764733703-839522115-1003.job

- c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 17:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.att.net

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: line6.net

FF - ProfilePath - c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\Firefox\Profiles\xr4h4vb6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\Firefox\Profiles\xr4h4vb6.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npincplg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-04 00:25:33

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]

"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-764733703-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:89,ed,38,91,69,7a,61,9d,93,47,58,1c,f3,1c,ef,1a,ef,32,02,49,38,

b4,42,ad,81,fe,53,2d,56,f9,d2,e7,95,2a,8a,69,45,9a,42,e6,20,72,02,25,ff,4f,\

"rkeysecu"=hex:76,42,77,bc,33,29,a5,c4,a2,87,ca,de,fc,c4,7a,d9

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(712)

c:\windows\rxmcscox.dll

.

Completion time: 2009-04-04 0:29:00 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-04 04:28:58

ComboFix2.txt 2009-04-04 03:53:44

ComboFix3.txt 2009-04-04 03:42:31

Pre-Run: 1,030,983,680 bytes free

Post-Run: 1,015,205,888 bytes free

230 --- E O F --- 2008-12-11 05:47:11


  • Staff

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\rxmcscox.dll

c:\windows\system32\mlcsjsi.dll

c:\windows\Tasks\At1.job

c:\windows\system32\drivers\jutkrzan.sys

NetSvcs::

upltbmxk

Driver::

jutkrzan

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC0B00E7-E264-473C-8F80-A9023B05F550}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\emikpyyc]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Hi, here's the new log. Thanks for your help.

ComboFix 09-04-03.01 - Ryan 2009-04-04 10:24:40.4 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.692 [GMT -4:00]

Running from: c:\documents and settings\Ryan.BLUE-ENIGMA\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ryan.BLUE-ENIGMA\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_JUTKRZAN

-------\Service_jutkrzan

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))

.

2009-04-01 21:49 . 2009-04-01 21:49 <DIR> d-------- c:\program files\Trend Micro

2009-04-01 21:32 . 2009-04-01 21:32 <DIR> d-------- c:\program files\Bazooka Scanner

2009-04-01 21:16 . 2009-04-01 21:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-04-01 21:16 . 2009-04-01 21:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-03-31 23:26 . 2009-03-31 23:26 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\DoctorWeb

2009-03-31 19:30 . 2009-03-31 19:30 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\OTScanIt2

2009-03-31 17:00 . 2009-03-31 18:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-31 17:00 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-31 17:00 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-31 16:54 . 2009-03-31 16:54 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\qturuyui

2009-03-31 16:50 . 2009-03-31 16:50 <DIR> d-------- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\qturuyui

2009-03-31 16:43 . 2009-03-31 16:43 <DIR> d-------- c:\program files\Spyware Doctor

2009-03-31 16:43 . 2009-03-31 16:43 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\PC Tools

2009-03-31 16:43 . 2009-03-31 18:58 <DIR> d-a------ c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-03-31 16:43 . 2008-06-10 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys

2009-03-31 16:43 . 2008-06-02 15:19 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys

2009-03-31 16:43 . 2008-06-02 15:19 42,376 --a------ c:\windows\system32\drivers\ikfilesec.sys

2009-03-31 16:43 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

2009-03-30 20:52 . 2009-03-30 20:52 <DIR> d-------- c:\program files\ESET

2009-03-30 19:21 . 2009-03-30 19:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\qturuyui

2009-03-30 19:15 . 2009-03-30 19:15 <DIR> d--h----- c:\windows\system32\GroupPolicy

2009-03-24 20:07 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-03-23 23:55 . 2009-03-25 23:13 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\HouseCall 6.6

2009-03-10 23:18 . 2009-03-11 19:01 <DIR> d-------- c:\program files\Big Kahuna Reef

2009-03-10 23:18 . 2009-02-19 17:20 57,344 --a------ c:\windows\system32\Big Kahuna Reef.scr

2009-03-10 23:17 . 2009-03-10 23:17 <DIR> d-------- c:\program files\Amazon

2009-03-10 23:17 . 2009-03-10 23:17 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Amazon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-31 22:03 --------- d-----w c:\program files\SUPERAntiSpyware

2009-03-31 20:42 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

2009-03-31 00:28 --------- d-----w c:\program files\MSECache

2009-03-06 15:43 --------- d-----w c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Azureus

2009-02-27 21:36 --------- d-----w c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Move Networks

.

------- Sigcheck -------

2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

2008-11-26 18:08 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll

2004-08-04 08:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC0B00E7-E264-473C-8F80-A9023B05F550}]

2004-08-04 08:00 104448 --a------ c:\windows\system32\mlcsjsi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-04-10 144896]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2007-08-21 55856]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

"Sdevumutokar"="c:\windows\iwoxepodatodejex.dll" [2007-03-08 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-03-31 18:03 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\emikpyyc]

2004-08-04 08:00 104448 c:\windows\system32\mlcsjsi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli rxmcscox.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2003-08-01 11:31 61440 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]

--a------ 2009-02-02 01:32 246272 c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-02 17:33 133104 c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2003-08-04 18:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-07-16 09:16 1166216 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-07 20:52 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2008-12-04 14:50 1809648 c:\program files\SUPERAntiSpyware\af982e01-0576-49c2-8024-96999c8526cf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]

--a------ 2007-08-21 19:56 55856 c:\program files\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]

--a------ 2008-11-10 13:23 157312 c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 02:41 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"VMware NAT Service"=2 (0x2)

"vmount2"=2 (0x2)

"VMnetDHCP"=2 (0x2)

"VMAuthdService"=2 (0x2)

"odserv"=3 (0x3)

"sdAuxService"=2 (0x2)

"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\opposing force\\hl.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\team fortress classic\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\half-life blue shift\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\Steam.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=

"c:\\Program Files\\World of Warcraft\\Repair.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 jutkrzan;jutkrzan;c:\windows\system32\drivers\jutkrzan.sys [2004-08-04 23424]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]

S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-03-10 317440]

S2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2006-10-17 69632]

S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2007-03-03 202096]

S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2006-10-17 126976]

S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2004-10-25 331776]

S3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-07-15 26496]

S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2007-03-03 17264]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-31 356920]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JUTKRZAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

upltbmxk

.

Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\At1.job

- c:\windows\system32\mlcsjsi.dll [2004-08-04 08:00]

2009-03-31 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 15:41]

2009-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-764733703-839522115-1003.job

- c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 17:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.att.net

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: line6.net

FF - ProfilePath - c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\Firefox\Profiles\xr4h4vb6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\Firefox\Profiles\xr4h4vb6.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npincplg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-04 10:29:59

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]

"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-764733703-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:89,ed,38,91,69,7a,61,9d,93,47,58,1c,f3,1c,ef,1a,ef,32,02,49,38,

b4,42,ad,81,fe,53,2d,56,f9,d2,e7,95,2a,8a,69,45,9a,42,e6,20,72,02,25,ff,4f,\

"rkeysecu"=hex:76,42,77,bc,33,29,a5,c4,a2,87,ca,de,fc,c4,7a,d9

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(720)

c:\windows\rxmcscox.dll

.

Completion time: 2009-04-04 10:33:23 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-04 14:33:21

ComboFix2.txt 2009-04-04 04:29:01

ComboFix3.txt 2009-04-04 03:53:44

ComboFix4.txt 2009-04-04 03:42:31

Pre-Run: 1,030,758,400 bytes free

Post-Run: 1,015,705,600 bytes free

241 --- E O F --- 2008-12-11 05:47:11


  • Staff

Hi,

Can you try again please, because it looks like you did something wrong with the cfscript. Most probably you forgot the "File::" on top in the script.

So, please create a new cfscript again with the following contents:

File::

c:\windows\rxmcscox.dll

c:\windows\system32\mlcsjsi.dll

c:\windows\Tasks\At1.job

c:\windows\system32\drivers\jutkrzan.sys

NetSvcs::

upltbmxk

Driver::

jutkrzan

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC0B00E7-E264-473C-8F80-A9023B05F550}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\emikpyyc]

Then drag it into Combofix and post the new log in your next reply.

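The two staff replies above both rely on the same Registry:: line, "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00, which resets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages to the stock value "scecli" and so stops lsass.exe from loading c:\windows\rxmcscox.dll at the next boot (the log's "Reg Loading Points" section showed the value as "scecli rxmcscox.dll", and the "DLLs Loaded Under Running Processes" section showed that DLL inside lsass.exe). The following is an added example, written for this page and not code from the thread, from ComboFix or from Malwarebytes: it decodes and rebuilds that hex(7) byte list so you can verify what a CFScript will write, and it scans ComboFix-style log text for that key and reports any package that is not expected. The function names, the KNOWN_GOOD_PACKAGES set (a plain Windows XP workstation) and the SAMPLE_LOG lines are assumptions constructed for the example.

```python
"""
Added example (not from the forum thread, ComboFix or Malwarebytes):
decode/encode the REG_MULTI_SZ behind
  "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
and triage a ComboFix "Reg Loading Points" dump for unexpected LSA
notification packages.  KNOWN_GOOD_PACKAGES and SAMPLE_LOG are assumptions
constructed for this example.
"""
import re

# DLL names Windows itself registers under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
# Every name listed there is loaded into lsass.exe at boot and is called on
# every password change, so anything outside this set needs an explanation.
KNOWN_GOOD_PACKAGES = {"scecli"}   # assumption: XP workstation; domain controllers also list "rassfm"


def decode_hex7(value: str) -> list[str]:
    """Turn a .reg-style 'hex(7):aa,bb,...' string into the strings it encodes.
    REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra NUL.
    Regedit exports it as UTF-16LE; a ComboFix CFScript (as on this page) uses
    one byte per character, so both layouts are accepted here."""
    body = re.sub(r"[\s\\]", "", value)          # strip whitespace and '\' line continuations
    if body.lower().startswith("hex(7):"):
        body = body[len("hex(7):"):]
    data = bytes(int(tok, 16) for tok in body.split(",") if tok)
    looks_utf16 = len(data) >= 4 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2])
    text = data.decode("utf-16-le") if looks_utf16 else data.decode("latin-1")
    return [s for s in text.split("\0") if s]    # the terminating NULs yield empty strings


def encode_hex7(packages: list[str]) -> str:
    """Inverse of decode_hex7, in the one-byte-per-character form a CFScript
    uses: each string NUL-terminated, then the closing NUL."""
    raw = b"".join(p.encode("latin-1") + b"\0" for p in packages) + b"\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


# ComboFix prints the value as: Notification Packages REG_MULTI_SZ <name> <name> ...
LINE_RE = re.compile(r"^\s*Notification Packages\s+REG_MULTI_SZ\s+(.*)$")


def unexpected_notification_packages(log_text: str) -> list[str]:
    """Find the Lsa 'Notification Packages' line in ComboFix output and return
    the entries that are not in KNOWN_GOOD_PACKAGES (".dll" suffix ignored)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            names = m.group(1).split()
            return [n for n in names
                    if n.lower().removesuffix(".dll") not in KNOWN_GOOD_PACKAGES]
    return []


# Constructed sample: the relevant lines as they appear in the user's log.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]

Notification Packages REG_MULTI_SZ scecli rxmcscox.dll
"""

if __name__ == "__main__":
    print(decode_hex7("hex(7):73,63,65,63,6c,69,00,00"))    # ['scecli']
    print(encode_hex7(["scecli"]))                           # hex(7):73,63,65,63,6c,69,00,00
    print(unexpected_notification_packages(SAMPLE_LOG))      # ['rxmcscox.dll']
```

Running it against the constructed SAMPLE_LOG flags rxmcscox.dll as the only package outside the known-good set, and encode_hex7(["scecli"]) reproduces the exact byte list in the staff script, which is the check worth doing before dragging a CFScript onto ComboFix: a typo in that list would leave lsass.exe loading whatever string the bytes happen to spell.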

Hi, sorry, I think that was the mistake. Here's the new log.

ComboFix 09-04-03.01 - Ryan 2009-04-04 11:49:08.5 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.755 [GMT -4:00]

Running from: c:\documents and settings\Ryan.BLUE-ENIGMA\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ryan.BLUE-ENIGMA\Desktop\CFScript.txt

FILE ::

c:\windows\rxmcscox.dll

c:\windows\system32\drivers\jutkrzan.sys

c:\windows\system32\mlcsjsi.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\rxmcscox.dll

c:\windows\system32\drivers\jutkrzan.sys

c:\windows\system32\mlcsjsi.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_JUTKRZAN

-------\Service_jutkrzan

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))

.

2009-04-01 21:49 . 2009-04-01 21:49 <DIR> d-------- c:\program files\Trend Micro

2009-04-01 21:32 . 2009-04-01 21:32 <DIR> d-------- c:\program files\Bazooka Scanner

2009-04-01 21:16 . 2009-04-01 21:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-04-01 21:16 . 2009-04-01 21:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-03-31 23:26 . 2009-03-31 23:26 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\DoctorWeb

2009-03-31 19:30 . 2009-03-31 19:30 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\OTScanIt2

2009-03-31 17:00 . 2009-03-31 18:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-31 17:00 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-31 17:00 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-31 16:54 . 2009-03-31 16:54 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\qturuyui

2009-03-31 16:50 . 2009-03-31 16:50 <DIR> d-------- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\qturuyui

2009-03-31 16:43 . 2009-03-31 16:43 <DIR> d-------- c:\program files\Spyware Doctor

2009-03-31 16:43 . 2009-03-31 16:43 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\PC Tools

2009-03-31 16:43 . 2009-03-31 18:58 <DIR> d-a------ c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-03-31 16:43 . 2008-06-10 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys

2009-03-31 16:43 . 2008-06-02 15:19 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys

2009-03-31 16:43 . 2008-06-02 15:19 42,376 --a------ c:\windows\system32\drivers\ikfilesec.sys

2009-03-31 16:43 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

2009-03-30 20:52 . 2009-03-30 20:52 <DIR> d-------- c:\program files\ESET

2009-03-30 19:21 . 2009-03-30 19:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\qturuyui

2009-03-30 19:15 . 2009-03-30 19:15 <DIR> d--h----- c:\windows\system32\GroupPolicy

2009-03-24 20:07 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-03-23 23:55 . 2009-03-25 23:13 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\HouseCall 6.6

2009-03-10 23:18 . 2009-03-11 19:01 <DIR> d-------- c:\program files\Big Kahuna Reef

2009-03-10 23:18 . 2009-02-19 17:20 57,344 --a------ c:\windows\system32\Big Kahuna Reef.scr

2009-03-10 23:17 . 2009-03-10 23:17 <DIR> d-------- c:\program files\Amazon

2009-03-10 23:17 . 2009-03-10 23:17 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Amazon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-04 15:49 23,424 ----a-w c:\windows\system32\drivers\knucpvxa.sys

2009-03-31 22:03 --------- d-----w c:\program files\SUPERAntiSpyware

2009-03-31 20:42 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

2009-03-31 00:28 --------- d-----w c:\program files\MSECache

2009-03-06 15:43 --------- d-----w c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Azureus

2009-02-27 21:36 --------- d-----w c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Move Networks

.

------- Sigcheck -------

2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

2008-11-26 18:08 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll

2004-08-04 08:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-04-10 144896]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2007-08-21 55856]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

"Sdevumutokar"="c:\windows\iwoxepodatodejex.dll" [2007-03-08 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-03-31 18:03 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2003-08-01 11:31 61440 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]

--a------ 2009-02-02 01:32 246272 c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-02 17:33 133104 c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2003-08-04 18:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-07-16 09:16 1166216 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-07 20:52 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2008-12-04 14:50 1809648 c:\program files\SUPERAntiSpyware\af982e01-0576-49c2-8024-96999c8526cf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]

--a------ 2007-08-21 19:56 55856 c:\program files\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]

--a------ 2008-11-10 13:23 157312 c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 02:41 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"VMware NAT Service"=2 (0x2)

"vmount2"=2 (0x2)

"VMnetDHCP"=2 (0x2)

"VMAuthdService"=2 (0x2)

"odserv"=3 (0x3)

"sdAuxService"=2 (0x2)

"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\opposing force\\hl.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\team fortress classic\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\half-life blue shift\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\Steam.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=

"c:\\Program Files\\World of Warcraft\\Repair.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]

S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-03-10 317440]

S2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2006-10-17 69632]

S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2007-03-03 202096]

S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2006-10-17 126976]

S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2004-10-25 331776]

S3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-07-15 26496]

S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2007-03-03 17264]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-31 356920]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JUTKRZAN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

upltbmxk

.

Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 15:41]

2009-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-764733703-839522115-1003.job

- c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 17:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.att.net

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: line6.net

FF - ProfilePath - c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\Firefox\Profiles\xr4h4vb6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\Firefox\Profiles\xr4h4vb6.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npincplg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-04 11:53:45

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]

"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-764733703-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:89,ed,38,91,69,7a,61,9d,93,47,58,1c,f3,1c,ef,1a,ef,32,02,49,38,

b4,42,ad,81,fe,53,2d,56,f9,d2,e7,95,2a,8a,69,45,9a,42,e6,20,72,02,25,ff,4f,\

"rkeysecu"=hex:76,42,77,bc,33,29,a5,c4,a2,87,ca,de,fc,c4,7a,d9

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2009-04-04 11:57:04 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-04 15:57:01

ComboFix2.txt 2009-04-04 14:33:24

ComboFix3.txt 2009-04-04 04:29:01

ComboFix4.txt 2009-04-04 03:53:44

ComboFix5.txt 2009-04-04 15:46:55

Pre-Run: 1,027,731,456 bytes free

Post-Run: 1,012,133,888 bytes free

241 --- E O F --- 2008-12-11 05:47:11


Hi, here's the new log. Thank you!

ComboFix 09-04-03.01 - Ryan 2009-04-04 12:22:09.6 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.766 [GMT -4:00]

Running from: c:\documents and settings\Ryan.BLUE-ENIGMA\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ryan.BLUE-ENIGMA\Desktop\CFScript.txt

FILE ::

c:\windows\system32\drivers\knucpvxa.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\knucpvxa.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_JUTKRZAN

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))

.

2009-04-01 21:49 . 2009-04-01 21:49 <DIR> d-------- c:\program files\Trend Micro

2009-04-01 21:32 . 2009-04-01 21:32 <DIR> d-------- c:\program files\Bazooka Scanner

2009-04-01 21:16 . 2009-04-01 21:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-04-01 21:16 . 2009-04-01 21:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-03-31 23:26 . 2009-03-31 23:26 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\DoctorWeb

2009-03-31 19:30 . 2009-03-31 19:30 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\OTScanIt2

2009-03-31 17:00 . 2009-03-31 18:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-31 17:00 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-31 17:00 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-31 16:54 . 2009-03-31 16:54 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\qturuyui

2009-03-31 16:50 . 2009-03-31 16:50 <DIR> d-------- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\qturuyui

2009-03-31 16:43 . 2009-03-31 16:43 <DIR> d-------- c:\program files\Spyware Doctor

2009-03-31 16:43 . 2009-03-31 16:43 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\PC Tools

2009-03-31 16:43 . 2009-03-31 18:58 <DIR> d-a------ c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2009-03-31 16:43 . 2008-06-10 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys

2009-03-31 16:43 . 2008-06-02 15:19 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys

2009-03-31 16:43 . 2008-06-02 15:19 42,376 --a------ c:\windows\system32\drivers\ikfilesec.sys

2009-03-31 16:43 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

2009-03-30 20:52 . 2009-03-30 20:52 <DIR> d-------- c:\program files\ESET

2009-03-30 19:21 . 2009-03-30 19:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\qturuyui

2009-03-30 19:15 . 2009-03-30 19:15 <DIR> d--h----- c:\windows\system32\GroupPolicy

2009-03-24 20:07 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-03-23 23:55 . 2009-03-25 23:13 <DIR> d-------- c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\HouseCall 6.6

2009-03-10 23:18 . 2009-03-11 19:01 <DIR> d-------- c:\program files\Big Kahuna Reef

2009-03-10 23:18 . 2009-02-19 17:20 57,344 --a------ c:\windows\system32\Big Kahuna Reef.scr

2009-03-10 23:17 . 2009-03-10 23:17 <DIR> d-------- c:\program files\Amazon

2009-03-10 23:17 . 2009-03-10 23:17 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Amazon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-31 22:03 --------- d-----w c:\program files\SUPERAntiSpyware

2009-03-31 20:42 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater

2009-03-31 00:28 --------- d-----w c:\program files\MSECache

2009-03-06 15:43 --------- d-----w c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Azureus

2009-02-27 21:36 --------- d-----w c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Move Networks

.

------- Sigcheck -------

2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

2008-11-26 18:08 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll

2004-08-04 08:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"AIM"="c:\program files\AIM\aim.exe" [2003-08-01 61440]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-04-10 144896]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2007-08-21 55856]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

"Sdevumutokar"="c:\windows\iwoxepodatodejex.dll" [2007-03-08 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-03-31 18:03 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2003-08-01 11:31 61440 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]

--a------ 2009-02-02 01:32 246272 c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

--a----t- 2008-09-02 17:33 133104 c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2003-08-04 18:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-07-16 09:16 1166216 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-11-07 20:52 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

--a------ 2008-12-04 14:50 1809648 c:\program files\SUPERAntiSpyware\af982e01-0576-49c2-8024-96999c8526cf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]

--a------ 2007-08-21 19:56 55856 c:\program files\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]

--a------ 2008-11-10 13:23 157312 c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 02:41 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"VMware NAT Service"=2 (0x2)

"vmount2"=2 (0x2)

"VMnetDHCP"=2 (0x2)

"VMAuthdService"=2 (0x2)

"odserv"=3 (0x3)

"sdAuxService"=2 (0x2)

"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\opposing force\\hl.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\team fortress classic\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\half-life blue shift\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\espm250@tampabay.rr.com\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\Steam.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=

"c:\\Program Files\\World of Warcraft\\Repair.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe"=

"c:\\Documents and Settings\\Ryan.BLUE-ENIGMA\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]

S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-03-10 317440]

S2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2006-10-17 69632]

S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2007-03-03 202096]

S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2006-10-17 126976]

S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2004-10-25 331776]

S3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-07-15 26496]

S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2007-03-03 17264]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-31 356920]

.

Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 15:41]

2009-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-764733703-839522115-1003.job

- c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 17:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.att.net

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: line6.net

FF - ProfilePath - c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\Firefox\Profiles\xr4h4vb6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\Firefox\Profiles\xr4h4vb6.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Ryan.BLUE-ENIGMA\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npincplg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-04 12:31:15

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]

"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-764733703-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:89,ed,38,91,69,7a,61,9d,93,47,58,1c,f3,1c,ef,1a,ef,32,02,49,38,

b4,42,ad,81,fe,53,2d,56,f9,d2,e7,95,2a,8a,69,45,9a,42,e6,20,72,02,25,ff,4f,\

"rkeysecu"=hex:76,42,77,bc,33,29,a5,c4,a2,87,ca,de,fc,c4,7a,d9

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2009-04-04 12:34:35 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-04 16:34:33

ComboFix2.txt 2009-04-04 15:57:04

ComboFix3.txt 2009-04-04 14:33:24

ComboFix4.txt 2009-04-04 04:29:01

ComboFix5.txt 2009-04-04 16:21:44

Pre-Run: 1,023,664,128 bytes free

Post-Run: 1,008,640,000 bytes free

229 --- E O F --- 2008-12-11 05:47:11


  • Staff

Hi,

This looks OK again :lol:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


Hi, MBAM says I'm clean. Are there any other programs I should scan with to make sure I'm clean?

You are amazing. My major is Information Technology and I am curious as to how you are able to analyze log files and create these scripts. I would love to be able to do that. Where can I learn how?

Thanks again,

Ryan


  • Staff

Hi Ryan,

Yes, you're clean again. Malwarebytes already deleted most and then we used Combofix so I can see if there are still leftovers and we deleted those with the script.

I've already been doing this for a couple of years, and after a while, you start to recognise the bad and the good files, how they load etc...

So, it's rather a matter of experience. Yes, you can learn that as well. Just watch others and see how they do it and try to understand :) That's still the best way to learn this.

Glad I could help. :lol:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
