ComboFix 09-07-13.01 - rogerg 07/14/2009 10:28.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1512 [GMT -7:00]
Running from: c:\documents and settings\Rogerg\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
----- BITS: Possible infected sites -----
hxxp://tsc003
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Philips Intelligent Agent"="c:\program files\Philips\Intelligent Agent\Philips Intelligent Agent.exe" [2008-02-22 613792]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"systray"="c:\program files\Dell\Dell Mobile Broadband\systray.exe" [2008-03-05 331851]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SPC1300"="c:\windows\vspc1300.exe" [2007-05-31 675840]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-25 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2003-07-13 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-06-29 827904]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-11-17 86016]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2009-7-8 532480]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 cerc6;cerc6; [x]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-06-15 115952]
S1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\Drivers\RCFOX.sys [2008-03-19 86552]
S2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\ocsservice.exe [2007-02-27 61440]
S2 SonyIEx;SonyIEx;c:\windows\system32\SonyIEx.exe [2005-05-30 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-06-16 101936]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\DRIVERS\nwdelmdm.sys [2007-11-02 166144]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\DRIVERS\nwdelser.sys [2007-11-02 166144]
S3 phaudlwr;Philips Audio Filter;c:\windows\system32\DRIVERS\phaudlwr.sys [2007-07-16 88320]
S3 SPC1300;USB2.0 PC Camera (SPC1300);c:\windows\system32\DRIVERS\spc1300.sys [2007-10-18 3033728]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = tscpxy.timec.com:8080
uInternet Settings,ProxyOverride = transnet*;transapps*;10.*;ex001.timec*;timec.webex*;email.timec*;<local>;*.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 10:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\drivers\hjgruiomnendew.sys 67072 bytes executable
c:\docume~1\Rogerg\LOCALS~1\Temp\hjgrui000 0 bytes
c:\windows\TEMP\hjgruimccfunvrsx.tmp 91 bytes
c:\windows\TEMP\hjgruiwwxvnstspi.tmp 18944 bytes executable
c:\windows\system32\hjgruioxqqhqnp.dat 73881 bytes
c:\windows\system32\hjgruirrnevdqu.dat 91 bytes
c:\windows\system32\hjgruirsbodtkp.dll 18944 bytes executable
c:\windows\system32\hjgruirvylffvb.dll 42496 bytes executable
scan completed successfully
hidden files: 8
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruivustkxuq]
"imagepath"="\systemroot\system32\drivers\hjgruiomnendew.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1488)
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
- - - - - - - > 'lsass.exe'(1552)
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-07-14 10:39
ComboFix-quarantined-files.txt 2009-07-14 17:39
Pre-Run: 19,299,282,944 bytes free
Post-Run: 19,919,282,176 bytes free
126 --- E O F --- 2009-07-11 01:18