Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:46 PM, on 5/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\SHOREL~1\SHOREW~1\STCHost.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\SHOREL~1\SHOREW~1\CSISCMGR.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://omniportal/_l...eateMySite.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://helpdesk/aspn...ib/mcsimenu.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} (Shoretel SClientInstall) - http://phoneserver/s...ientInstall.ocx
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1187991743073
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1187991733903
O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://helpdesk/aspn...lib/VSFlex8.CAB
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com.../crusher-us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://omniture.web...bex/ieatgpc.cab
O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://helpdesk/aspn...eXClipboard.CAB
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - http://www.plaxo.com...upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = orm.omniture.com
O17 - HKLM\Software\..\Telephony: DomainName = orm.omniture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = orm.omniture.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = orm.omniture.com
O20 - AppInit_DLLs: AMINIT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gxryxboe - C:\WINDOWS\SYSTEM32\gxryxboe.dll
O23 - Service: Microsoft DDE+ server (246e082e) - Unknown owner - C:\WINDOWS\system32\.246e082e\246e082e.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 12080 bytes
And here is a log from ComboFix:
ComboFix 08-05-19.4 - njensen 2008-05-20 13:59:30.1 - NTFSx86
Running from: C:\Documents and Settings\njensen\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://mom
.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.
2008-05-20 12:19 . 2008-05-20 12:19 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-05-20 12:19 . 2008-05-20 12:19 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-05-20 11:51 . 2008-05-20 11:51 <DIR> d-------- C:\Documents and Settings\njensen\Application Data\Sunbelt Software
2008-05-20 10:41 . 2008-05-20 11:46 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-19 15:23 . 2008-05-19 15:23 <DIR> d-------- C:\VundoFix Backups
2008-05-19 14:55 . 2008-05-19 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 13:01 . 2008-05-19 13:02 <DIR> d-------- C:\Program Files\Panda Security
2008-05-19 12:10 . 2008-05-19 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-19 12:08 . 2008-05-20 13:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-19 12:08 . 2008-05-19 12:08 <DIR> d-------- C:\Documents and Settings\njensen\Application Data\SUPERAntiSpyware.com
2008-05-19 08:57 . 2008-03-01 07:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-19 08:57 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-19 08:57 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-19 08:57 . 2008-03-01 07:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-19 08:57 . 2008-03-01 07:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-19 08:57 . 2008-03-01 07:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-19 08:57 . 2008-03-01 07:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-19 08:57 . 2008-03-01 07:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-19 08:57 . 2008-02-22 04:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-15 15:41 . 2008-05-19 09:08 <DIR> d-------- C:\Program Files\Maxthon2
2008-05-15 14:22 . 2008-05-15 15:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 13:11 . 2008-05-15 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-15 13:11 . 2008-05-15 13:11 262,144 --a------ C:\Documents and Settings\MC62A0~1
2008-05-15 13:11 . 2008-05-15 13:11 262,144 --a------ C:\Documents and Settings\MC4723~1
2008-05-15 13:11 . 2008-05-15 13:11 262,144 --a------ C:\Documents and Settings\JMCDON~3
2008-05-15 13:09 . 2008-05-15 13:09 262,144 --a------ C:\Documents and Settings\MCROOK~4
2008-05-15 13:09 . 2008-05-15 13:09 262,144 --a------ C:\Documents and Settings\MCROOK~3
2008-05-15 13:09 . 2008-05-15 13:09 262,144 --a------ C:\Documents and Settings\JMCDON~2
2008-05-15 11:43 . 2008-05-15 11:47 8,192 --a------ C:\Documents and Settings\MCROOK~2
2008-05-15 11:43 . 2008-05-15 11:47 8,192 --a------ C:\Documents and Settings\MCROOK~1
2008-05-15 11:43 . 2008-05-15 11:47 8,192 --a------ C:\Documents and Settings\JMCDON~1
2008-05-15 11:04 . 2008-05-15 11:04 <DIR> d-------- C:\Documents and Settings\njensen\Application Data\Malwarebytes
2008-05-15 11:03 . 2008-05-15 11:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 11:03 . 2008-05-15 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 11:03 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-15 11:03 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-14 16:48 . 2008-05-14 16:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-14 16:48 . 2008-05-14 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-14 16:38 . 2008-05-15 08:53 2,518 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-14 16:36 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-14 16:36 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-14 16:36 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-14 16:36 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-14 16:36 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-14 16:36 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-14 16:36 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-14 16:36 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-14 14:57 . 2008-05-14 14:57 249,856 --a------ C:\WINDOWS\system32\gxryxboe.dll
2008-04-30 11:43 . 2008-04-30 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-29 10:22 . 2008-04-29 10:22 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-04-29 10:20 . 2008-04-29 10:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-29 10:14 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003498_.tmp
2008-04-29 09:57 . 2008-04-29 09:57 <DIR> d-------- C:\Documents and Settings\njensen\Application Data\Windows Desktop Search
2008-04-28 09:05 . 2008-04-28 09:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-28 09:05 . 2008-04-28 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 19:40 --------- d-----w C:\Documents and Settings\njensen\Application Data\ShoreWare Client
2008-05-20 19:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-20 18:17 --------- d-----w C:\Documents and Settings\njensen\Application Data\Apple Computer
2008-05-19 18:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-19 17:51 --------- d-----w C:\Program Files\Maxthon
2008-05-15 21:42 --------- d-----w C:\Documents and Settings\njensen\Application Data\MxBoost
2008-05-14 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 18:33 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-08 18:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-02 17:30 --------- d-----w C:\Program Files\CCleaner
2008-04-29 15:54 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-14 11:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 11:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 11:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 11:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 11:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 11:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 11:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 11:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 11:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 11:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 11:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 11:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 11:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 11:40 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-14 07:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-14 06:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-14 06:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 06:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-14 06:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-14 06:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-14 06:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-14 06:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-14 06:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-14 06:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-14 06:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-14 06:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-14 06:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 06:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-14 06:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-14 06:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-14 06:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-14 06:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-14 06:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 06:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-14 06:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-14 06:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-14 06:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-14 06:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-14 06:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 06:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-14 06:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-14 06:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-14 06:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-14 06:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-14 06:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-14 06:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-14 06:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-14 06:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-14 06:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-14 06:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-14 06:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-14 06:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-14 06:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-14 06:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-14 06:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-14 06:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-14 06:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-14 06:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-14 06:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 06:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-14 06:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-14 06:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-14 06:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-14 06:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-14 06:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-14 06:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-14 06:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-14 06:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-14 06:21 101,120 ----a-w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-14 06:16 59,136 ----a-w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-14 06:16 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-14 06:16 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-14 06:16 273,024 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 06:16 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 06:16 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-14 06:16 18,944 ----a-w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-14 06:16 17,024 ----a-w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-14 06:16 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-14 06:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-14 06:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 06:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-14 06:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 06:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-14 06:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-14 06:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-14 06:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-14 06:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 06:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-14 06:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ShoreTel Personal Call Manager"="C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe" [2007-09-14 15:39 41000]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-08-30 09:13 160568]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-20 13:39 1510640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 05:42 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-01 16:46 7561216]
"nwiz"="nwiz.exe" [2006-05-01 15:46 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-05-01 15:46 73728 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 18:30 282624 C:\WINDOWS\stsystra.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-10-05 23:11 866584]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-02-20 12:29 1191936]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"AeXAgentLogon"="C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-02-18 17:58 143360]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-02-20 22:56:11 1528880]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-20 13:38 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gxryxboe]
gxryxboe.dll 2008-05-14 14:57 249856 C:\WINDOWS\system32\gxryxboe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AMINIT.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.voxacm150"= vct32150.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=AgentUnInstall.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1887399213-3708965502-2405855065-2262\Scripts\Logon\0\0]
"Script"=office-vpn-route.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1887399213-3708965502-2405855065-2558\Scripts\Logon\0\0]
"Script"=office-vpn-route.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1887399213-3708965502-2405855065-3979\Scripts\Logon\0\0]
"Script"=office-vpn-route.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1887399213-3708965502-2405855065-4485\Scripts\Logon\0\0]
"Script"=office-vpn-route.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1887399213-3708965502-2405855065-5526\Scripts\Logon\0\0]
"Script"=office-vpn-route.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\246e082e]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
--a------ 2004-03-24 10:13 177152 C:\Program Files\PDF Complete\pdfsty.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 CCDevice;CCDevice;C:\WINDOWS\system32\drivers\CCDevice.sys [2007-03-07 15:22]
S2 246e082e;Microsoft DDE+ server;C:\WINDOWS\system32\.246e082e\246e082e.exe []
*Newly Created Service* - CATCHME
*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 18:56:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-20 19:40:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 14:02:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
-> C:\WINDOWS\system32\gxryxboe.dll
.
Completion time: 2008-05-20 14:03:40
ComboFix-quarantined-files.txt 2008-05-20 20:03:20
Pre-Run: 63,942,602,752 bytes free
Post-Run: 64,008,585,216 bytes free
275 --- E O F --- 2008-05-19 15:09:05