ComboFix 11-10-27.05 - Administrator 10/28/2011 13:00:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.506 [GMT -4:00]
Running from: c:\documents and settings\administrator.GIBRALTARDESIGN\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\dwagner\My Documents\prf2B.tmp
c:\documents and settings\dwagner\My Documents\prf6FD.tmp
c:\documents and settings\hheaddy\Application Data\inst.exe
c:\documents and settings\mmatasovsky\Application Data\desktop.ini
c:\documents and settings\mmatasovsky\Application Data\ntuser.dat
c:\documents and settings\mmatasovsky\Application Data\xssend2
c:\documents and settings\mmatasovsky\GoToAssistDownloadHelper.exe
c:\documents and settings\mmatasovsky\My Documents\DPE.DUS
c:\program files\messenger\msmsgsin.exe
c:\program files\msn\msncorefiles\copymar.exe
c:\program files\msn\msncorefiles\custdial.dll
c:\program files\msn\msncorefiles\logonmgr.dll
C:\Thumbs.db
c:\windows\ehome\medctrro.exe
c:\windows\ehome\snchk.exe
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\d3d9caps.dat
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-28 )))))))))))))))))))))))))))))))
.
.
2011-10-28 13:07 . 2011-10-28 13:07 -------- d-----w- c:\windows\LastGood
2011-10-26 15:21 . 2011-10-26 15:21 -------- d-----w- C:\_OTL
2011-10-26 15:17 . 2011-10-26 15:20 -------- d-----w- c:\documents and settings\administrator.GIBRALTARDESIGN\Local Settings\Application Data\Adobe
2011-10-25 18:59 . 2011-10-25 18:59 -------- d-sh--w- c:\documents and settings\administrator.GIBRALTARDESIGN\PrivacIE
2011-10-25 18:59 . 2011-10-26 18:19 -------- d-----w- c:\documents and settings\administrator.GIBRALTARDESIGN\Local Settings\Application Data\Google
2011-10-18 15:57 . 2011-10-18 16:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-10-18 15:57 . 2011-10-18 16:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-10-18 15:51 . 2011-10-18 15:51 -------- d-----w- c:\program files\CCleaner
2011-10-13 18:18 . 2011-10-13 18:18 -------- d-----w- c:\program files\IIS Express
2011-10-11 20:28 . 2011-10-28 17:44 -------- d-----w- c:\documents and settings\mmatasovsky
2011-10-07 12:28 . 2011-10-07 12:28 -------- d-----w- c:\program files\UltraVNC
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\documents and settings\dwagner\Application Data\Malwarebytes
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-05 13:29 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 21:46 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-04 21:46 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-02-27 15:04 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-09-28 77824]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-08-13 165888]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-06-23 7393280]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2007-11-15 206216]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-11 115560]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-3 1537064]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-2-4 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoNTSecurity"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1017\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1017\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1018\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1018\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1019\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1019\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-1224\Scripts\Logoff\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-1224\Scripts\Logon\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logoff\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logon\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logoff\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logon\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-6620\Scripts\Logoff\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-6620\Scripts\Logon\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetALoader"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [11/14/2007 8:49 PM 660872]
R2 RSMWebServer;RSMWebServer;c:\program files\N-able Technologies\NRM\RSMWinService.exe [10/12/2011 3:25 PM 19968]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [4/30/2008 10:50 AM 213504]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [10/7/2011 8:28 AM 1830856]
R2 Windows Agent Maintenance Service;Windows Agent Maintenance Service;c:\program files\N-able Technologies\Windows Agent\bin\AgentMaint.exe [8/18/2011 7:21 PM 28672]
R2 Windows Agent Service;Windows Agent Service;c:\program files\N-able Technologies\Windows Agent\bin\agent.exe [8/18/2011 7:21 PM 204800]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/28/2011 5:53 PM 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 winrdp_service;winrdp_service;c:\program files\N-able Technologies\NRM\UltraVNCServer\winrdp.exe [10/12/2011 3:25 PM 1642496]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/23/2001 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-02-27 00:12]
.
2007-11-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 19:52]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 10.10.10.11 10.10.10.4
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SigmatelSysTrayApp - sttray.exe
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-10-28 13:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-368597260-1834286960-2103163636-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,ef,96,6a,d7,e6,4e,4f,a8,6c,b6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,ef,96,6a,d7,e6,4e,4f,a8,6c,b6,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2011-10-28 14:10:14
ComboFix-quarantined-files.txt 2011-10-28 18:09
.
Pre-Run: 10,493,296,640 bytes free
Post-Run: 11,338,915,840 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - E0D676E9F1FF1CC89D08CABD702F217B