big_n_blue
2008-04-25, 19:03
I have been infected. Spybot found Virtumonde and cannot remove it. I have even tried in Safe Mode. So, here are the log files from ComboFix and HJT. Please advise on how to remove this stinkin' thing.
TIA!
----------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:03, on 2008-04-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\_integra\bin\ccmagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\_integra\bin\shstart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alconnet.com/us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CCM User Profile Manager] "c:\_integra\upm\bin\CCM_User.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [DVDSentry] c:\WINDOWS\system32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-746137067-823518204-1801674531-1299506\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'USS00434')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alconnet.com/us
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alconnet.com
O17 - HKLM\Software\..\Telephony: DomainName = alconnet.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6750ACDD-16E8-4577-955B-2F86055B2E2E}: NameServer = 161.61.35.61,161.61.45.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alconnet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = alconnet.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alconnet.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = alconnet.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = alconnet.com
O20 - Winlogon Notify: jkkIBRjH - jkkIBRjH.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\ptc\flexnet\i486_nt\obj\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Neoteris Setup Service - Juniper Networks - c:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ApplicationVantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\ApplicationVantage Agent\OPTSA.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c:\_integra\bin\ccmagent.exe
--
End of file - 8767 bytes
---------------------------------------------
ComboFix 08-04-22.5 - US028339 2008-04-24 8:44:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.809 [GMT -5:00]
Running from: C:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\efcBttus.dll
C:\WINDOWS\system32\EMWxayxx.ini
C:\WINDOWS\system32\EMWxayxx.ini2
C:\WINDOWS\system32\fqhhatuq.ini
C:\WINDOWS\system32\jkkIBRjH.dll
C:\WINDOWS\system32\jorcfxow.dll
C:\WINDOWS\system32\lfmxwlmb.dll
C:\WINDOWS\system32\lqfvwcdc.dll
C:\WINDOWS\system32\ncvkenhy.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qutahhqf.dll
C:\WINDOWS\system32\vtUlMgET.dll
C:\WINDOWS\system32\xxyaxWME.dll
C:\WINDOWS\system32\xyxhduuf.dll
C:\WINDOWS\system32\yhnekvcn.ini
E:\robocopy.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-24 08:40 . 2008-04-24 08:26 1,774,233 --a------ C:\ComboFix.exe
2008-04-24 08:39 . 2008-04-24 08:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 15:24 . 2008-04-23 15:24 <DIR> d-------- C:\Documents and Settings\us028339\Application Data\AdwareAlert
2008-04-23 11:08 . 2008-04-23 11:08 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-23 09:41 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-23 09:41 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-23 09:41 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-23 09:41 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-04-23 09:34 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-23 09:34 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-23 08:33 . 2008-04-23 08:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 08:33 . 2008-04-23 08:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-22 22:54 . 2008-04-22 22:54 0 --a------ C:\WINDOWS\vpc32.INI
2008-04-22 22:27 . 2008-04-22 22:27 109,738 --a------ C:\WINDOWS\BM57e3040f.xml
2008-04-21 22:42 . 2008-04-21 22:42 37,376 --a------ C:\WINDOWS\17PHolmes572.exe
2008-04-21 22:40 . 2008-04-21 22:41 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
2008-04-21 22:40 . 2008-04-21 22:40 <DIR> d-------- C:\Temp\berDrv11
2008-04-21 22:40 . 2008-04-21 22:40 <DIR> d-------- C:\Temp
2008-04-21 22:40 . 2008-04-21 22:40 37,376 --a------ C:\WINDOWS\mrofinu572.exe
2008-04-01 15:18 . 2007-12-04 17:10 16,640 -ra------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-04-01 15:17 . 2008-04-01 15:17 <DIR> d-------- C:\Program Files\Palm
2008-04-01 15:16 . 2008-04-01 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-04-01 15:08 . 2008-04-01 15:08 <DIR> d-------- C:\Documents and Settings\us028339\Application Data\HotSync
2008-04-01 15:08 . 2008-04-01 15:08 94 --a------ C:\WINDOWS\family.ini
2008-04-01 14:56 . 2008-04-01 14:56 <DIR> d-------- C:\Documents and Settings\us028339\Application Data\Arcsoft
2008-03-31 07:25 . 2008-03-31 07:25 <DIR> d-------- C:\Documents and Settings\us025524\Application Data\Juniper Networks
2008-03-31 06:58 . 2008-03-31 06:58 3,840 --a------ C:\WINDOWS\DellBIOS.Sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 14:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-23 03:18 --------- d-----w C:\Documents and Settings\us028339\Application Data\LimeWire
2008-04-23 03:12 --------- d-----w C:\Program Files\Java
2008-03-25 13:22 --------- d-----w C:\Program Files\pdf995
2008-03-18 18:18 --------- d-----w C:\Program Files\Creative
2008-03-18 18:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 18:11 --------- d-----w C:\Documents and Settings\us028339\Application Data\Any Video Converter
2008-03-18 17:43 --------- d-----w C:\Documents and Settings\us028339\Application Data\Leadertech
2008-03-18 17:35 --------- d-----w C:\Program Files\Common Files\JFTech
2008-01-30 04:28 19,952 ----a-w C:\Documents and Settings\us028339\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Discovery User Input"="C:\Discovery\User Input\userin32.exe" [2005-12-05 06:56 212992]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 00:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CCM User Profile Manager"="c:\_integra\upm\bin\CCM_User.exe" [2006-02-08 15:08 479232]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 11:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-08-03 00:48 124656]
"DVDSentry"="c:\WINDOWS\system32\DSentry.exe" [2003-02-06 15:41 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-11-19 15:48 684032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2006-08-29 22:19 388608 C:\WINDOWS\system32\cmd.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2008-01-03 18:28:08 1392640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoManageMyComputerVerb"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIBRjH]
jkkIBRjH.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2006-09-05 12:02 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=TimeService.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 CWEnprobe;Vantage Packet Capture Driver;C:\WINDOWS\system32\DRIVERS\cwenprobe.sys [2006-04-05 23:59]
R2 Neoteris Setup Service;Neoteris Setup Service;"c:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe" [2007-04-10 19:58]
R2 smefs;SMEFileSystem;C:\WINDOWS\system32\drivers\smefs.sys [2006-06-06 11:47]
R2 VantageAgent;ApplicationVantage Agent;"C:\Program Files\Compuware\ApplicationVantage Agent\OPTSA.exe" [2006-04-06 00:43]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-07-16 14:56]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 15:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 00:16]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 22:58]
R3 smedrv;SMEDriver;C:\WINDOWS\system32\drivers\smedrv.sys [2006-06-06 11:47]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 00:16]
S3 CdProbe;CdProbe;C:\WINDOWS\system32\DRIVERS\cdprobe.sys [2007-11-19 13:09]
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2002-05-01 00:09]
S3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-01-01 21:20]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 20:24:34 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-11-19 18:39:51 C:\WINDOWS\Tasks\RuleSetLock.job"
- c:\_integra\tmp\Ruleset_Lock.bat
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 08:55:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\CENTENN.IAL\AUDIT\cagent32.exe
C:\CENTENN.IAL\AUDIT\xferwan.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\_INTEGRA\BIN\CCMAGENT.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\_INTEGRA\BIN\SHSTART.EXE
.
**************************************************************************
.
Completion time: 2008-04-24 8:59:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 13:59:08
Pre-Run: 27,876,049,408 bytes free
Post-Run: 28,065,035,776 bytes free
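The two logs above show the pattern a helper would look for first: ComboFix deleted a set of eight-letter DLLs from system32 (including jkkIBRjH.dll), yet the Winlogon Notify key for jkkIBRjH survives in the "Reg Loading Points" section and HijackThis still lists it as O20 "(file missing)", alongside four O15 Trusted Zone additions. The script below is an added triage example, not code from the poster, from HijackThis or from ComboFix. It parses HJT-style lines and the ComboFix "Other Deletions" list (the sample lines are constructed here, copied in format from the logs above), and flags Trusted Zone entries, autostart DLLs marked missing, and registry entries that still reference a file ComboFix removed. The severity labels and the rules themselves are the example's own assumptions, not anything the tools report.

```python
"""Triage helper for HijackThis + ComboFix logs.

Added example, not from the post above. Rules and severities are assumptions
chosen for illustration; the sample text is constructed in the logs' format.
"""
import re

# Constructed sample: a handful of HJT lines in the same format as the post.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.storageguardsoft.com
O20 - Winlogon Notify: jkkIBRjH - jkkIBRjH.dll (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\system32\PCANotify.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""

# Constructed sample: a few paths as ComboFix lists them under "Other Deletions".
COMBOFIX_DELETIONS_SAMPLE = r"""
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\efcBttus.dll
C:\WINDOWS\system32\jkkIBRjH.dll
C:\WINDOWS\system32\vtUlMgET.dll
"""

# HJT lines start with a section tag (O2, O4, O15, O20, O23, R0, R1, ...) and " - ".
HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every recognised HJT line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def deleted_basenames(text):
    """Lower-cased file names from a ComboFix 'Other Deletions' block."""
    return {
        line.strip().rsplit("\\", 1)[-1].lower()
        for line in text.splitlines()
        if line.strip()
    }


def triage(hjt_text, deletions_text):
    """Cross-check HJT autostart entries against ComboFix deletions.

    Returns a list of (severity, section, reason, body) findings.
    """
    findings = []
    deleted = deleted_basenames(deletions_text)
    for section, body in parse_hjt(hjt_text):
        if section == "O15":
            # Sites in IE's Trusted Zone run under relaxed security settings;
            # anything the user did not add deliberately needs a look.
            findings.append(("review", section, "trusted-zone addition", body))
        elif section in ("O2", "O20"):
            # BHOs load into every IE process, Winlogon Notify DLLs into winlogon.
            dll = body.split(" - ")[-1]
            name = dll.split("\\")[-1].replace("(file missing)", "").strip().lower()
            if "(file missing)" in body:
                findings.append(("high", section,
                                 "autostart points at a missing file (orphaned key)", body))
            if name in deleted:
                # The file is gone but the key remains: it must be removed too,
                # or the loader will keep trying it on every logon/IE start.
                findings.append(("high", section,
                                 "registry key still references a file ComboFix deleted", body))
            elif "\\" not in dll:
                # A bare name is resolved via the DLL search path rather than a fixed location.
                findings.append(("review", section,
                                 "bare filename resolved via DLL search path", body))
    return findings


if __name__ == "__main__":
    for severity, section, reason, body in triage(HJT_SAMPLE, COMBOFIX_DELETIONS_SAMPLE):
        print(f"[{severity:6}] {section:4} {reason}: {body}")
```

On the sample above this reports the two O15 entries for review and two high findings for the jkkIBRjH Winlogon Notify entry (file missing, and still referenced after ComboFix deleted the DLL); the Java BHO and the PCANotify entry, which point at files that exist, produce nothing. The value of the cross-check is the orphaned registry key: deleting the DLL alone, as the logs show happened here, leaves the autostart in place.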
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-08-03 00:48 124656]
"DVDSentry"="c:\WINDOWS\system32\DSentry.exe" [2003-02-06 15:41 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-11-19 15:48 684032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2006-08-29 22:19 388608 C:\WINDOWS\system32\cmd.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2008-01-03 18:28:08 1392640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoManageMyComputerVerb"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIBRjH]
jkkIBRjH.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2006-09-05 12:02 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=TimeService.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 CWEnprobe;Vantage Packet Capture Driver;C:\WINDOWS\system32\DRIVERS\cwenprobe.sys [2006-04-05 23:59]
R2 Neoteris Setup Service;Neoteris Setup Service;"c:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe" [2007-04-10 19:58]
R2 smefs;SMEFileSystem;C:\WINDOWS\system32\drivers\smefs.sys [2006-06-06 11:47]
R2 VantageAgent;ApplicationVantage Agent;"C:\Program Files\Compuware\ApplicationVantage Agent\OPTSA.exe" [2006-04-06 00:43]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-07-16 14:56]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 15:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 00:16]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 22:58]
R3 smedrv;SMEDriver;C:\WINDOWS\system32\drivers\smedrv.sys [2006-06-06 11:47]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-05-01 00:16]
S3 CdProbe;CdProbe;C:\WINDOWS\system32\DRIVERS\cdprobe.sys [2007-11-19 13:09]
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2002-05-01 00:09]
S3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-01-01 21:20]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 20:24:34 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-11-19 18:39:51 C:\WINDOWS\Tasks\RuleSetLock.job"
- c:\_integra\tmp\Ruleset_Lock.bat
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 08:55:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\CENTENN.IAL\AUDIT\cagent32.exe
C:\CENTENN.IAL\AUDIT\xferwan.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\_INTEGRA\BIN\CCMAGENT.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\_INTEGRA\BIN\SHSTART.EXE
.
**************************************************************************
.
Completion time: 2008-04-24 8:59:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 13:59:08
Pre-Run: 27,876,049,408 bytes free
Post-Run: 28,065,035,776 bytes free
189
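The lines in the "Reg Loading Points" section above are the part of this log a responder actually triages: a Winlogon\Notify entry (jkkIBRjH.dll) that ComboFix prints without a path, size or timestamp, next to a normal one (PCANotify.dll) that it resolved on disk, plus policy values that switch off Automatic Updates, the Windows Firewall and Security Center monitoring. The script below is an added example, not part of the original post and not ComboFix code, that parses exactly those lines and flags them. Its sample input is copied from the log above; the two Notify heuristics (unresolved DLL, random-looking mixed-case name) and the watch-list of weakening policy values are the editor's own assumptions, not ComboFix's logic.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the log above, one clean Notify entry kept for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIBRjH]
jkkIBRjH.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2006-09-05 12:02 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')
# ComboFix prints a resolved Notify DLL as "<name>.dll <date> <time> <size> <path>";
# an entry it could not find on disk appears as the bare DLL name (assumption).
RESOLVED_DLL_RE = re.compile(r"^\S+\.dll\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+\S", re.I)

# Analyst watch-list (assumption): (registry path suffix, value name, weakening value) -> description.
WEAKENING_POLICIES = {
    (r"windowsupdate\au", "noautoupdate", 1): "Automatic Updates disabled by policy",
    (r"firewallpolicy\standardprofile", "enablefirewall", 0): "Windows Firewall disabled (standard profile)",
}


def parse_value(raw: str) -> Optional[int]:
    """Turn ComboFix's value rendering ('1 (0x1)' or 'dword:00000001') into an int."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(-?\d+)", raw)
    return int(m.group(1)) if m else None


def looks_random(dll_name: str) -> bool:
    """Heuristic (assumption): three or more upper/lower flips inside a letters-only stem."""
    stem = dll_name.rsplit(".", 1)[0]
    if not stem.isalpha():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the section key by key and return findings as {key, severity, reason} dicts."""
    findings: List[Dict[str, str]] = []
    current_key: Optional[str] = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        if current_key is None:
            continue
        lowkey = current_key.lower()

        if "\\winlogon\\notify\\" in lowkey:
            # The line after a Notify key names the DLL winlogon loads at logon.
            reasons = []
            if not RESOLVED_DLL_RE.match(line):
                reasons.append("DLL has no path/size/timestamp recorded (not resolved on disk)")
            if looks_random(line.split()[0]):
                reasons.append("random-looking DLL name")
            if reasons:
                findings.append({"key": current_key, "severity": "high", "reason": "; ".join(reasons)})
            continue

        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group("name").lower(), parse_value(vm.group("raw"))
        for (suffix, vname, bad), desc in WEAKENING_POLICIES.items():
            if lowkey.endswith(suffix) and name == vname and value == bad:
                findings.append({"key": current_key, "severity": "medium", "reason": desc})
        if "\\security center\\monitoring\\" in lowkey and name == "disablemonitoring" and value == 1:
            product = current_key.rsplit("\\", 1)[-1]
            # Third-party AV suites set this themselves, so it is context rather than proof.
            findings.append({"key": current_key, "severity": "info",
                             "reason": f"Security Center monitoring disabled for {product}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['key']}\n    {f['reason']}")
```

Run against the sample, the script reports the jkkIBRjH Notify entry as high (unresolved file and random-looking name), leaves PCANotify alone, and lists the NoAutoUpdate, EnableFirewall and DisableMonitoring values, which is the short list a helper would want to look at before deciding what to remove.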