ComboFix 08-12-13.03 - Tom Moore 2008-12-13 17:49:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.409 [GMT -5:00]
Running from: c:\documents and settings\Tom Moore\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom Moore\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\system32\bin
c:\windows\system32\bszip.dll
c:\windows\system32\egojavet.ini
c:\windows\system32\Hilopqru.ini
c:\windows\system32\Hilopqru.ini2
c:\windows\system32\ki3
c:\windows\system32\orewotek.ini
c:\windows\system32\sslqktqg.ini
c:\windows\system32\uv9
c:\windows\system32\VC
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-08 17:42 . 2008-12-08 17:42 d-------- C:\VundoFix Backups
2008-12-07 02:28 . 2008-12-07 02:28 77 --a------ c:\windows\st_affiliate.ini
2008-12-06 18:14 . 2008-12-06 18:14 d-------- C:\_OTMoveIt
2008-12-06 18:12 . 2008-12-13 10:29 d-------- C:\rsit
2008-12-06 18:12 . 2008-12-08 19:18 d-------- c:\program files\trend micro
2008-12-06 13:53 . 2008-12-08 18:55 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 13:53 . 2008-12-06 13:53 d-------- c:\documents and settings\Tom Moore\Application Data\Malwarebytes
2008-12-06 13:53 . 2008-12-06 13:53 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 13:53 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 13:53 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 12:59 . 2008-12-06 12:59 d-------- C:\_OTScanIt
2008-12-03 20:12 . 2008-12-03 20:12 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-03 20:11 . 2008-12-13 10:17 d-------- c:\program files\SUPERAntiSpyware
2008-12-03 20:11 . 2008-12-03 20:11 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 20:11 . 2008-12-03 20:11 d-------- c:\documents and settings\Tom Moore\Application Data\SUPERAntiSpyware.com
2008-12-03 17:39 . 2008-12-03 17:39 2,713 ---hs---- c:\windows\system32\luhuwuji.exe
2008-12-03 02:38 . 2008-12-03 02:38 2,713 ---hs---- c:\windows\system32\dewegabu.exe
2008-12-02 22:17 . 2008-12-02 22:17 d-------- c:\program files\Common Files\xing shared
2008-12-02 21:37 . 2008-12-13 10:23 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 21:20 . 2008-12-13 01:24 d-------- c:\program files\Spyware Doctor
2008-12-02 21:20 . 2008-12-02 21:20 d-------- c:\documents and settings\Tom Moore\Application Data\PC Tools
2008-12-02 21:20 . 2008-12-03 20:03 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-02 21:20 . 2008-12-03 20:03 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-02 21:20 . 2008-12-03 20:03 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-02 21:20 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-02 21:12 . 2008-12-02 21:15 d-------- c:\program files\Norton Security Scan
2008-12-02 21:06 . 2008-12-13 18:18 d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-01 21:05 . 2008-12-02 08:39 d--hs---- c:\windows\VG9tIE1vb3Jl
2008-12-01 21:05 . 2008-12-01 21:05 192,604 --a------ c:\windows\system32\g60.exe
2008-12-01 21:04 . 2008-12-09 10:31 d-------- c:\windows\system32\hov
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 23:08 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-12 22:17 --------- d-----w c:\program files\Google
2008-12-09 00:14 --------- d-----w c:\program files\Azureus
2008-12-03 03:17 --------- d-----w c:\program files\Common Files\Real
2008-12-03 02:12 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-02 01:48 --------- d-----w c:\documents and settings\Tom Moore\Application Data\Azureus
2008-11-15 16:24 --------- d-----w c:\documents and settings\Tom Moore\Application Data\Move Networks
2008-11-01 18:04 --------- d-----w c:\program files\EndNote
2008-11-01 18:04 --------- d-----w c:\documents and settings\Tom Moore\Application Data\EndNote
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2006-11-18 18:18 35,888 ----a-w c:\documents and settings\Tom Moore\Application Data\GDIPFONTCACHEV1.DAT
2006-07-07 21:17 56 --sh--r c:\windows\system32\84F673CE77.sys
2006-07-07 21:17 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"SDPhotoBar.exe"="c:\smartd~2\SDPhotoBar.exe" [2003-01-10 192512]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
"DellSupport-"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-13 1809648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-10 169984]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"PMX Daemon"="ICO.EXE" [2006-06-09 c:\windows\system32\ico.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-12-02 136768]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-01-04 49254]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-01-04 1425424]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-27 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-13 10:17 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [2008-12-12 99376]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S2 gupdate1c95ca74e23c752;Google Update Service (gupdate1c95ca74e23c752);"c:\program files\Google\Update\GoogleUpdate.exe" /svc [2008-12-12 119280]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-06-23 124608]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-02 356920]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{924c159c-7d57-11da-b3a0-00038a000015}]
\Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure31.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdbc732c-ea1c-11db-b474-00142291bfd1}]
\Shell\AutoRun\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
2008-12-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 17:16]
2008-12-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (TMOORESCHOOL-Tom Moore).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
2008-12-03 c:\windows\Tasks\Norton Security Scan for Tom Moore.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Notify-vtUnmJDU - vtUnmJDU.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 19:08:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(980)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-13 19:15:03 - machine was rebooted [Tom Moore]
ComboFix-quarantined-files.txt 2008-12-14 00:14:38
Pre-Run: 13,409,017,856 bytes free
Post-Run: 13,329,514,496 bytes free
232 --- E O F --- 2008-11-13 14:07:05