ComboFix 08-12-05.01 - VGandhi 2008-12-05 13:27:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT -5:00]
Running from: c:\documents and settings\vgandhi\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.
2008-12-05 12:14 . 2008-12-05 12:25 d-------- C:\Lop SD
2008-12-05 12:12 . 2008-12-05 12:16 d-------- c:\program files\Windows Live Safety Center
2008-12-05 10:43 . 2008-12-05 10:43 d-------- c:\program files\Trend Micro
2008-11-29 20:52 . 2008-11-29 20:52 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 12:54 . 2008-11-29 20:48 d-------- c:\documents and settings\vgandhi\Application Data\DivX
2008-11-29 12:52 . 2008-09-19 16:57 129,784 --------- c:\windows\system32\pxafs.dll
2008-11-29 12:52 . 2008-09-19 16:57 9,464 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-29 12:52 . 2008-09-19 16:57 9,336 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-29 12:51 . 2008-11-29 12:52 d-------- c:\program files\DivX
2008-11-28 21:38 . 2008-11-28 21:38 0 --a------ c:\windows\nsreg.dat
2008-11-15 16:11 . 2008-11-15 16:11 d-------- c:\program files\MSXML 6.0
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 14:34 --------- d-----w c:\documents and settings\vgandhi\Application Data\Juniper Networks
2008-12-05 14:34 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2008-11-30 01:53 --------- d-----w c:\program files\Lavasoft
2008-11-29 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-28 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-13 18:51 --------- d-----w c:\program files\CSC Nortel VPN Client
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 11:46 --------- d-----w c:\documents and settings\vgandhi\Application Data\Skype
2008-10-19 11:21 --------- d-----w c:\documents and settings\vgandhi\Application Data\skypePM
2008-10-19 11:18 --------- d-----w c:\program files\Skype
2008-10-19 11:18 --------- d-----w c:\program files\Common Files\Skype
2008-10-19 11:18 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-15 18:47 --------- d-----w c:\documents and settings\vgandhi\Application Data\U3
2004-08-03 16:55 217,405 ----a-w c:\windows\system32\config\systemprofile\WaitTime.EXE
2004-08-03 16:55 217,405 ----a-w c:\documents and settings\CGadmin\WaitTime.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"vidxhp"="c:\documents and settings\vgandhi\Application Data\Google\ggqjh22510678.exe" [2008-12-05 124416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-31 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 c:\windows\system32\Ati2mdxx.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-05-17 10:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 22:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 19:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
"vidc.GEOS"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodecD.dll
"vidc.GEOV"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodec.dll
"vidc.GEOX"= c:\windows\system32\v8200\GEO-MPEG4\2008.1.7.18.9\GeoCodec.dll
"vidc.GM40"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4.dll
"vidc.GMP4"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4.dll
"vidc.GM4H"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4D.dll
"vidc.GM4S"= c:\windows\system32\v8200\GEO-MPEG4-ASP\2008.1.23.13.16\GXAMP4D.dll
"vidc.G264"= c:\windows\system32\v8200\GEO-H264\2008.1.7.18.7\GX264.dll
"vidc.G26S"= c:\windows\system32\v8200\GEO-H264\2008.1.7.18.7\GX264D.dll
"vidc.GM20"= c:\windows\system32\v8200\GEO-MPEG2\2008.1.11.20.2\GXGM20.dll
"vidc.GJPG"= c:\windows\system32\v8200\GEO-JPEG\2008.1.24.19.52\GXJPG.dll
"vidc.GAVC"= c:\windows\system32\v8200\GEO-H264-V2\2008.1.18.16.54\GXAVC.dll
"vidc.GAVS"= c:\windows\system32\v8200\GEO-H264-V2\2008.1.18.16.54\GXAVCD.dll
"msacm.geoadpcm"= c:\windows\system32\v8200\GEO-ADPCM\2007.8.13.17.32\GeoADPCM.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli
ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1530212641-2372712455-1428225574-43393\Scripts\Logon\0\0]
"Script"=\\amer.globalcsc.net\SysVol\amer.globalcsc.net\Policies\{D73A465F-2C76-4553-99E9-B31D712935B6}\User\Scripts\Logon\cguser.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1530212641-2372712455-1428225574-43393\Scripts\Logon\0\1]
"Script"=\\amer.globalcsc.net\SysVol\amer.globalcsc.net\Policies\{D73A465F-2C76-4553-99E9-B31D712935B6}\User\Scripts\Logon\drive-remap.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Shockprf;Shockprf;c:\windows\system32\DRIVERS\Apsx86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\DRIVERS\ApsHM86.sys [2007-03-02 19760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2007-06-27 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2007-06-27 4224]
R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [2007-04-25 36953]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2008-04-09 9817]
R3 IPSECSHM;Nortel IPSECSHM Adapter;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-04-09 117760]
R4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2005-07-25 229367]
S2 BlackICE;BlackICE;"c:\program files\ISS\issSensors\DesktopProtection\blackd.exe" [2005-07-25 847872]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-04-09 117760]
S3 RapFile;RapFile;\??\c:\windows\system32\drivers\RapFile.sys [2005-07-25 36676]
S3 RapNet;RapNet;\??\c:\windows\system32\drivers\RapNet.sys [2005-07-25 24344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0023215b-7144-11dd-9c8b-444553544200}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e8bd362-9ae3-11dd-9c94-444553544200}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91cf65c2-2993-11db-b2f5-0012f0f0644f}]
\Shell\AutoRun\command - E:\autohtml.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wmactedp.inf,PerUserStub
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
c:\windows\Downloaded Program Files\npdolctl.dll - O16 -: {5BDBA960-6534-11D3-97C7-00500422B550}
hxxps://amer-ml31.amer.csc.com/download/dolcontrol.cab
c:\windows\Downloaded Program Files\lotusdownloader.inf
c:\windows\Downloaded Program Files\OCXDownloadChecker_8198.ocx - O16 -: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7}
hxxp://216.138.75.38/cab/OCXChecker_8198.cab
c:\windows\Downloaded Program Files\OCXDownloadChecker.inf
FireFox -: Profile - c:\documents and settings\vgandhi\Application Data\Mozilla\Firefox\Profiles\5bpgz38g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 13:36:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1844)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1900)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Lotus\Notes\ntmulti.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\cscmarimba\tuner\lib\minituner.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-05 13:41:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 18:41:42
ComboFix2.txt 2008-12-05 18:13:51

Pre-Run: 6,318,759,936 bytes free
Post-Run: 6,302,437,376 bytes free

223 --- E O F --- 2008-11-29 17:18:34