ComboFix 09-11-21.03 - price 11/22/2009 9:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2963 [GMT -8:00]
Running from: e:\debug malware\Software\ComboFix\Combo-Fix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {0DAA9119-FD08-45C7-A0D4-435C2125DC25}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {63AEB1F9-3232-41B0-85E9-57A26F039C34}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E6508629-3691-4CDC-A98C-DBB1C46CE0E8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {EE66AC07-84E2-41D3-A1F6-CAA0156912A4}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07F71C9E-8DE4-4226-B23A-C065A56821F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {0BEAD907-62D3-45B6-91D7-1B7B378434FD}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {495CC023-7AA3-4062-9163-DAFC95BCCB95}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {6789DEB4-4214-4AE8-A310-E2DED4AE8079}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {9DFB6C67-B09B-451B-96C8-8F03241927EE}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D5C7FEBD-12D0-4782-8AD7-6B290082768C}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {DE57F669-2848-4BDC-83C0-C5C7E3AF3D7B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {63AEB1F9-3232-41B0-85E9-57A26F039C34}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {71A20E43-2C24-456C-AF94-9682743CB5C4}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome.manifest
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome\content\_cfg.js
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome\content\overlay.xul
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\install.rdf
c:\documents and settings\price\ntuser.dll
c:\documents and settings\price\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\price\Start Menu\Programs\Startup\scandisk.lnk
c:\recycler\S-1-5-21-1024183140-2997838336-3344170229-500
c:\recycler\S-1-5-21-1154051771-3337579795-2169959840-500
c:\recycler\S-1-5-21-1687308215-1492714699-3125069277-500
c:\recycler\S-1-5-21-1715567821-1637723038-725345543-1004
c:\recycler\S-1-5-21-1715567821-1637723038-725345543-500
c:\recycler\S-1-5-21-1808509001-2669391744-3598713614-1015
c:\recycler\S-1-5-21-1916751870-1504642916-2163861243-500
c:\recycler\S-1-5-21-2210005112-3894602836-3136207814-500
c:\recycler\S-1-5-21-2641836117-3391798788-1020401150-1003
c:\recycler\S-1-5-21-2641836117-3391798788-1020401150-500
c:\recycler\S-1-5-21-2820340151-974736829-3225031353-500
c:\recycler\S-1-5-21-3029029702-2035401049-268590511-1015
c:\recycler\S-1-5-21-381596900-2956720227-2096382093-500
c:\recycler\S-1-5-21-4176429844-1514365582-2073545320-500
c:\recycler\S-1-5-21-546876832-141316095-377355887-500
c:\recycler\S-1-5-21-859959763-3936455684-3026372322-1015
c:\windows\evebamom.dll
c:\windows\irc.txt
c:\windows\system32\BtwSrv.dll
c:\windows\system32\Cache
c:\windows\system32\fuyewabe.dll
c:\windows\system32\Install.txt
c:\windows\system32\kekilule.exe
c:\windows\system32\lsm32.sys
c:\windows\system32\pawebehe.exe
c:\windows\system32\pepilose.exe
c:\windows\system32\ratirupu.dll
c:\windows\system32\wulukimi.exe
----- BITS: Possible infected sites -----
hxxp://uscymcli001.net.plm.eds.com
hxxp://sus134.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.
2009-11-21 15:46 . 2009-11-21 15:46 10752 ----a-w- c:\windows\DCEBoot.exe
2009-11-18 02:52 . 2009-11-21 15:13 120 ----a-w- c:\windows\Xluxeqicox.dat
2009-11-18 02:52 . 2009-11-21 09:28 0 ----a-w- c:\windows\Hlusuqahiv.bin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 18:08 . 2009-10-23 05:05 6174 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-18 03:01 . 2009-09-02 14:43 -------- d-----w- c:\program files\stt
2009-10-26 20:43 . 2009-10-16 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 04:31 . 2009-06-19 00:19 70920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\price\Application Data\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp Toolbar
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2009-10-16 04:21 . 2009-10-16 03:54 -------- d-----w- c:\program files\eqsydv
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\price\Application Data\Malwarebytes
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 03:56 . 2009-10-13 04:05 -------- d-----w- c:\program files\Cheat Engine
2009-10-14 02:41 . 2008-06-29 05:17 26945 ----a-w- c:\windows\system32\nvModes.dat
2009-09-10 21:54 . 2009-10-16 04:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-16 04:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 02:25 . 2009-09-09 02:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2008-06-12 12:53 . 2008-09-22 22:57 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-06-12 12:53 . 2008-09-22 22:57 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-06-12 12:53 . 2008-09-22 22:57 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-06-12 12:53 . 2008-09-22 22:57 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2008-06-12 12:53 . 2008-09-22 22:57 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 12:53 . 2008-09-22 22:57 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2007-07-09 21:30 . 2007-07-09 21:30 57344 ----a-w- c:\program files\internet explorer\plugins\PluginWrapper.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIECACST"="c:\program files\Siemens\CardOS API\bin\siecacst.exe" [2007-08-02 81920]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-06-04 5069648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-03-16 1028160]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2009-07-27 718120]
"Malwarebytes Anti-Malware (reboot)"="e:\debug malware\Software\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2007-10-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2003-11-05 110592]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2009-06-04 5069648]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-06-29 05:49 122949 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\windows\system32\drivers\aacsas.sys [9/15/2008 9:12 AM 81035]
R0 adp94xx;adp94xx;c:\windows\system32\drivers\adp94xx.sys [9/15/2008 9:12 AM 360960]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [9/15/2008 9:12 AM 91707]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/15/2008 9:12 AM 119808]
R0 amdbusdr;amdbusdr;c:\windows\system32\drivers\AmdBusDr.sys [9/15/2008 9:12 AM 29696]
R0 arcm_x86;arcm_x86;c:\windows\system32\drivers\arcm_x86.sys [9/15/2008 9:12 AM 25888]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/15/2008 9:12 AM 6016]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [9/15/2008 9:12 AM 7680]
R0 FastSx;FastSx;c:\windows\system32\drivers\FastSx.sys [9/15/2008 9:12 AM 167424]
R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [9/15/2008 9:12 AM 65536]
R0 fttxr5_O;fttxr5_O;c:\windows\system32\drivers\fttxr5_O.sys [9/15/2008 9:12 AM 177152]
R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [9/15/2008 9:12 AM 160256]
R0 HpCISSm2;HpCISSm2;c:\windows\system32\drivers\HpCISSm2.sys [9/15/2008 9:12 AM 23040]
R0 Hpt366;Hpt366;c:\windows\system32\drivers\Hpt366.sys [9/15/2008 9:12 AM 22880]
R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [9/15/2008 9:12 AM 108150]
R0 hptiop;hptiop;c:\windows\system32\drivers\hptiop.sys [9/15/2008 9:12 AM 14496]
R0 hptmv;hptmv;c:\windows\system32\drivers\hptmv.sys [9/15/2008 9:12 AM 65024]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [9/15/2008 9:12 AM 26112]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [9/15/2008 9:12 AM 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [9/15/2008 9:12 AM 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [9/15/2008 9:12 AM 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [9/15/2008 9:12 AM 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [9/15/2008 9:12 AM 52480]
R0 MegaIDE;MegaIDE;c:\windows\system32\drivers\MegaIDE.sys [9/15/2008 9:12 AM 163277]
R0 MegaINTL;MegaINTL;c:\windows\system32\drivers\MegaINTL.sys [9/15/2008 9:12 AM 177536]
R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [9/15/2008 9:12 AM 34432]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/15/2008 9:12 AM 143360]
R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [9/15/2008 9:12 AM 212480]
R0 mvSata;mvSata;c:\windows\system32\drivers\mvsata.sys [9/15/2008 9:12 AM 43520]
R0 nfrd960;IBM ServeRAID 4M/4L/4Mx/4Lx/5i/6M/6i/7k Device Driver;c:\windows\system32\drivers\nfrd960.sys [9/15/2008 9:12 AM 74747]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/23/2006 1:19 PM 254208]
R0 Pnp649r;CMD IDE Raid Controller;c:\windows\system32\drivers\pnp649r.sys [9/15/2008 9:12 AM 66889]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [9/15/2008 9:12 AM 71720]
R0 raidsrc;raidsrc;c:\windows\system32\drivers\raidsrc.sys [9/15/2008 9:12 AM 45392]
R0 S150sx8;S150sx8;c:\windows\system32\drivers\S150sx8.sys [9/15/2008 9:12 AM 36864]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [9/15/2008 9:12 AM 110128]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [9/15/2008 9:12 AM 61952]
R0 SI3124;SiI-3124 SATALink Controller;c:\windows\system32\drivers\SI3124.sys [9/15/2008 9:12 AM 81960]
R0 SI3124r;SiI-3124 SATARaid Controller;c:\windows\system32\drivers\SI3124r.sys [9/15/2008 9:12 AM 100881]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\3124r5A2.sys [9/15/2008 9:12 AM 207152]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9/15/2008 9:12 AM 210736]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [9/15/2008 9:11 AM 46464]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [9/15/2008 9:11 AM 68864]
R0 sisraidx;sisraidx;c:\windows\system32\drivers\sisraidx.sys [9/15/2008 9:11 AM 47616]
R0 sptrak;sptrak;c:\windows\system32\drivers\sptrak.sys [9/15/2008 9:12 AM 41216]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [9/15/2008 9:12 AM 125952]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [9/15/2008 9:11 AM 29184]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/28/2006 5:57 AM 17968]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/11/2006 9:12 AM 87664]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 5:34 PM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 5:34 PM 36368]
R2 wsnm;VMware VDM Client Service;c:\program files\VMware\VMware VDM\Client\bin\wsnm.exe [5/8/2008 2:51 PM 131072]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/4/2009 7:15 AM 24521]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [11/14/2006 8:49 AM 398720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/25/2009 5:34 AM 338960]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [5/25/2009 5:34 AM 488768]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [5/8/2008 2:45 PM 21504]
S0 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys [9/15/2008 9:12 AM 100224]
S0 hptmv6;hptmv6;c:\windows\system32\drivers\hptmv6.sys [9/15/2008 9:12 AM 93696]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [9/15/2008 9:12 AM 9809]
S0 lsi_sas2;lsi_sas2;c:\windows\system32\drivers\lsi_sas2.sys [9/15/2008 9:12 AM 93184]
S0 rr172x;rr172x;c:\windows\system32\drivers\rr172x.sys [9/15/2008 9:12 AM 83200]
S0 rr174x;rr174x;c:\windows\system32\drivers\rr174x.sys [9/15/2008 9:12 AM 107296]
S0 rr232x;rr232x;c:\windows\system32\drivers\rr232x.sys [9/15/2008 9:12 AM 101888]
S0 rr2340;rr2340;c:\windows\system32\drivers\rr2340.sys [9/15/2008 9:12 AM 102400]
S2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" --> c:\program files\mobile automation\rstate.exe [?]
S2 SttService;Stt Services;c:\windows\SttService.exe [9/2/2009 6:43 AM 36923]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [3/16/2007 4:33 PM 81992]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/4/2009 7:15 AM 835584]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:00 AM 14336]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/4/2009 7:15 AM 155216]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [5/25/2009 5:30 AM 652552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-11-18 c:\windows\Tasks\stt_inv_report_24.job
- c:\program files\stt\stt_report_controller.bat [2009-09-02 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Eqiwek - c:\windows\evebamom.dll
AddRemove-eMusic Promotion - c:\program files\Winamp\eMusic\Uninst-eMusic-promotion.exe
AddRemove-HijackThis - E:\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 10:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x80800000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF72A1000]<< >>UNKNOWN [0x80A0D000]<< >>UNKNOWN [0xF7A4F000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf765bf28
\Driver\ACPI -> 0xf735ecb8
\Driver\atapi -> 0xf72a7852
\Driver\iaStor -> 0xf7214002
IoDeviceObjectType -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xf695ebb0
PacketIndicateHandler -> 0xf696ba21
SendHandler -> 0xf694987b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(3540)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\TEMP\XQA53D.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2009-11-22 10:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-22 18:49
Pre-Run: 147,931,267,072 bytes free
Post-Run: 147,994,546,176 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional 3gb Switch" /noexecute=optin /fastdetect /3gb
- - End Of File - - CCB95517B94ADA89529E086E9F1DBB70