[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-25 271872]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-06-18 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-18 688218]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-12-20 125632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WebrootClientUI"="c:\program files\Webroot\Client\SpySweeperUI.exe" [2008-07-16 435616]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"NI Background Service"="c:\program files\Shared\Update Service\BackgroundService.exe" [2008-04-03 77824]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 c:\windows\stsystra.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlpo_01"="md %USERPROFILE%\Local Settings\Temp" [X]
"nlpo_02"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
"nlpo_03"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2006-06-13 35840]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 03:00 47104 c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 08:17 24576 c:\windows\system32\novell\xtnotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 02:41 11776 c:\windows\system32\tabbtnwl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 09:18 32256 c:\windows\system32\tpgwlnot.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\Novell\\ZENworks\\RemoteManagement\\RMAgent\\ZenRem32.exe"=
"c:\\Misc\\Symantec Antivirus CE\\DownloadXDB.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1761:TCP"= 1761:TCP:ZENworks Remote Management port
"1761:UDP"= 1761:UDP:ZENworks Remote Management port
"2967:TCP"= 2967:TCP:Symantec Antivirus v10 Client
"50000:TCP"= 50000:TCP:Webroot SpySweeper Client Service
"50001:TCP"= 50001:TCP:Webroot SpySweeper Sweep Now Function
"50002:TCP"= 50002:TCP:Webroot SpySweeper Poll Now Function
"50003:TCP"= 50003:TCP:Webroot SpySweeper Webroot Client Service
"7460:TCP"= 7460:TCP:ZENworks Asset Manager (Collection Server)
"7460:UDP"= 7460:UDP:ZENworks Asset Manager (Collection Server)
"7461:TCP"= 7461:TCP:ZENworks Asset Manager (Client Application)
"7461:UDP"= 7461:UDP:ZENworks Asset Manager (Client Application)
"7462:TCP"= 7462:TCP:ZENworks Asset Manager (Management Manager)
"7462:UDP"= 7462:UDP:ZENworks Asset Manager (Management Manager)
"7465:TCP"= 7465:TCP:ZENworks Asset Manager (Task Server)
"7465:UDP"= 7465:UDP:ZENworks Asset Manager (Task Server)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R2 BlankScr;HBDevice;c:\windows\system32\drivers\BlankScr.sys [2005-05-23 6899]
R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-10-23 4096]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 167936]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;"c:\program files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe" [2007-08-30 49152]
R2 WNTHW;WNTHW;\??\c:\windows\system32\DRIVERS\WNTHW.SYS [2007-08-30 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\System32\Novell\XTAgent.exe [2006-05-02 61440]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\DRIVERS\FpHidDrv.sys [2006-06-19 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\DRIVERS\MSTabBtn.sys [2006-06-19 9600]
S3 LVRS;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs.sys [2008-08-24 627864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16118eee-730e-11dd-9e49-001b7753c089}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f52ff48a-64cd-11dc-9cb8-001b7753c089}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-25 16:11:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(912)
c:\program files\novell\zenworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNtf.DLL
c:\program files\novell\zenworks\WMNTAPI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\lotus\notes\ntmulti.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Webroot\Client\CommAgent.exe
c:\program files\Novell\ZENworks\Asset Management\Bin\cclient.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\Webroot\Client\SPYSWEEPER.EXE
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\wisptis.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\tabbtnu.exe
c:\program files\Webroot\Client\SSU.EXE
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-25 16:18:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-25 21:18:12
ComboFix2.txt 2008-11-25 20:32:02
Pre-Run: 70,024,368,128 bytes free
Post-Run: 70,022,795,264 bytes free
286 --- E O F --- 2008-11-19 06:16:48