CHILL_CO
2008-12-04, 20:59
I tried using Spybot to destroy Virtumonde, but it keeps returning. Below are my HJT log and ComboFix log.
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58, on 2008-12-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ccs.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\Program Files\IP VPN Remote Services\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\slClient.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uap.cag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\ADU.exe" -nogui
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Verizon IP VPN Remote Services.lnk = C:\Program Files\IP VPN Remote Services\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://*.teamwork
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://dcptrend01:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://dcptrend01:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://dcptrend01:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {2739E75C-A4A1-438D-8914-190654B4E4EA} (epcInstallerConnector Class) - http://dcdcogweb1/cognos8/contributor/controls/epcwebinstaller83.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://dcptrend01:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {8B20D871-F641-4891-8A5D-C813FFB017CB} (Contributor Web Client Connector) - http://dcdcogweb1/cognos8/contributor/controls/clientfull83.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/T25L/webex/ieatgpc.cab
O20 - AppInit_DLLs: cqowgb.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Access Manager Event Service (AM.EventService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.utEventServer.exe
O23 - Service: Access Manager Install Service (AM.InstallService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.InstallService.exe
O23 - Service: Access Manager Script Service (AM.ScriptService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.blScriptEngine.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINDOWS\system32\ccs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\IP VPN Remote Services\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: MCI Wireless Engine - Unknown owner - C:\Program Files\Remote Services\WENGINE2\BWEngine.exe
O23 - Service: MCI WMonitor - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE2\WMonitor.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
--
End of file - 11530 bytes
Combofix log:
ComboFix 08-12-03.04 - gccarole 2008-12-04 11:37:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -7:00]
Running from: c:\documents and settings\gccarole\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gccarole\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.
2008-12-03 19:22 . 2008-12-03 19:22 173,456 --a------ C:\FixVundo.exe
2008-12-03 11:52 . 2008-12-04 10:02 151 --a------ c:\windows\wininit.ini
2008-12-02 20:38 . 2008-12-02 20:38 32,256 --a------ c:\documents and settings\gccarole\~.exe
2008-12-02 20:15 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll
2008-12-02 20:15 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll
2008-12-02 20:15 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll
2008-12-02 19:51 . 2008-12-02 19:51 5,424 --a------ C:\ftp_error_check
2008-12-02 19:51 . 2008-12-02 19:51 3,459 --a------ C:\ftp_simple
2008-12-02 19:51 . 2008-12-02 19:51 1,498 --a------ C:\uap_ftptab
2008-12-02 19:39 . 2008-12-02 19:39 867 --a------ C:\checkfilebudg.sh
2008-12-02 19:39 . 2008-12-02 19:39 839 --a------ C:\checkfile.sh
2008-12-02 08:43 . 2008-12-02 09:54 231,424 --a------ C:\OU_Parent.xls
2008-11-25 15:00 . 2008-11-25 15:01 13,824 --a------ C:\Asset_Depr.xls
2008-11-24 09:42 . 2008-11-24 09:42 186,880 --a------ C:\AGU_ACCOUNTS_TREE.xls
2008-11-20 12:29 . 2008-11-20 12:29 30,208 --a------ C:\2815.xls
2008-11-19 07:41 . 2008-11-19 07:41 3,705,812 --a------ C:\FileZilla_3.1.5.1_win32-setup.exe
2008-11-17 12:59 . 2008-11-17 16:05 23,552 --a------ C:\Samples_Carole.xls
2008-11-14 15:33 . 2008-11-25 12:17 24,576 --a------ C:\Tree_Updates.xls
2008-11-13 10:10 . 2008-11-13 10:10 179,200 --a------ C:\OU_State.xls
2008-11-13 09:10 . 2008-11-13 09:11 182,784 --a------ C:\OU_Tree_Missing.xls
2008-11-12 15:57 . 2008-11-12 15:57 26,624 --a------ C:\OU_Help_Darren.xls
2008-11-12 12:37 . 2008-11-12 12:37 26,112 --a------ C:\OU_Help.xls
2008-11-11 16:32 . 2008-11-11 16:32 391,680 --a------ C:\Tree_Checks.xls
2008-11-11 16:04 . 2008-11-12 16:35 65,024 --a------ C:\Missing_Ous.xls
2008-11-11 15:39 . 2008-11-11 15:40 39,936 --a------ C:\Scopes for review.xls
2008-11-11 14:02 . 2008-11-11 14:02 <DIR> d-------- c:\program files\MSECache
2008-11-07 10:42 . 2008-11-10 13:19 18,944 --a------ C:\Period_Counts.xls
2008-11-07 10:03 . 2008-11-17 10:13 228,864 --a------ C:\Scopes.xls
2008-11-06 14:39 . 2008-11-06 16:33 750,592 --a------ C:\Revenue adjustments.xls
2008-11-06 13:07 . 2008-11-06 13:07 235,008 --a------ C:\DIG_MACD.doc
2008-11-06 09:00 . 2008-11-06 10:17 65,536 --a------ C:\Detailed_Ledger.doc
2008-11-05 11:40 . 2008-11-06 10:18 25,600 --a------ C:\Ledger_Info.xls
2008-11-04 08:27 . 2008-11-04 08:28 3,696,811 --a------ C:\FileZilla_3.1.5_win32-setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 16:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 23:52 --------- d-----w c:\program files\IP VPN Remote Services
2008-12-03 19:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 02:56 --------- d-----w c:\documents and settings\gccarole\Application Data\FileZilla
2008-11-19 14:43 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-20 14:37 3,688,730 ----a-w C:\FileZilla_3.1.4.1_win32-setup.exe
2008-10-03 17:12 3,659,444 ----a-w C:\FileZilla_3.1.3.1_win32-setup.exe
2008-09-09 16:51 3,648,871 ----a-w C:\FileZilla_3.1.2_win32-setup.exe
2008-08-27 20:34 3,681,588 ----a-w c:\program files\WS_FTP Pro.zip
2008-05-15 01:43 990,592 ----a-w c:\windows\inf\UIU\A2\HSF_DPV.sys
2008-05-15 01:42 98,752 ----a-w c:\windows\inf\UIU\A29\aeaudio.sys
2008-05-15 01:41 88,363 ----a-w c:\windows\inf\UIU\A18\AGRSMMSG.exe
2008-05-15 01:41 64,512 -c--a-w c:\windows\inf\UIU\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A18\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A12\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A11\agrsmdel.exe
2008-05-15 01:41 6,912 -c--a-w c:\windows\inf\UIU\atibtxbr.sys
2008-05-15 01:41 58,240 -c--a-w c:\windows\inf\UIU\atibtcap.sys
2008-05-15 01:41 1,268,204 ----a-w c:\windows\inf\UIU\A18\AGRSM.sys
2007-06-04 22:28 995,328 -c--a-w c:\windows\inf\UIU\W20MLRES.dll
2007-06-04 22:27 68,710 -c--a-w c:\windows\inf\UIU\A0100\RKSAMPLE.SYS
2007-06-04 22:26 917,504 -c--a-w c:\windows\inf\UIU\A2000\CMIDS3D.DLL
2007-06-04 22:25 98,304 -c--a-w c:\windows\inf\UIU\A0900\34dialog.dll
2007-06-04 22:24 98,752 -c--a-w c:\windows\inf\UIU\A0401\AEAUDIO.sys
2007-06-04 22:23 94,208 -c--a-w c:\windows\inf\UIU\A0102\igfxtray.exe
2006-07-19 17:20 1,895,732 ----a-w c:\documents and settings\gccarole\TextPad 4.zip
2006-05-27 14:41 57,344 ----a-w c:\documents and settings\gccarole\_EZPivotDeleteMe.exe
2007-06-04 20:30 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2007-06-04 20:24 16,384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-06-04 20:24 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-14 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-14 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-14 131072]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 356429]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-04-23 165888]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"ADU"="c:\program files\Cisco Aironet\ADU.exe" [2005-05-11 299008]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-06-18 413696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HDAShCut.exe]
"TpShocks"="TpShocks.exe" [2005-08-22 c:\windows\system32\TpShocks.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 561213]
Verizon IP VPN Remote Services.lnk - c:\program files\IP VPN Remote Services\vpngui.exe [2008-05-23 1528880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cqowgb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\TIREMOTE\\wuser32.exe"=
"c:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\Drivers\atiide.sys [2008-05-14 3456]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2008-05-23 59904]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2008-05-23 4736]
R2 AM.EventService;Access Manager Event Service;"c:\program files\Remote Services\AM.utEventServer.exe" [2007-07-10 28672]
R2 AM.ScriptService;Access Manager Script Service;"c:\program files\Remote Services\AM.blScriptEngine.exe" [2007-07-10 28672]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2008-05-20 757792]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [2006-10-19 532480]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [2008-05-23 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [2008-05-23 212480]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2007-06-12 205328]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2007-06-12 36368]
R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2008-05-20 23584]
R3 smsmdd;smsmdd;c:\windows\system32\DRIVERS\smsmdm.sys [2008-04-08 12448]
S3 AM.InstallService;Access Manager Install Service;"c:\program files\Remote Services\AM.InstallService.exe" [2007-07-10 81920]
S3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;c:\windows\system32\DRIVERS\csco21.sys [2007-06-04 461728]
S3 MCI Wireless Engine;MCI Wireless Engine;"c:\program files\Remote Services\WENGINE2\BWEngine.exe" [2007-02-01 823296]
S3 MCI WMonitor;MCI WMonitor;"c:\program files\Remote Services\WENGINE2\WMonitor.exe" [2007-02-01 73728]
S3 smstsmgr;SMS Task Sequence Agent;c:\windows\system32\CCM\TSManager.exe /service [2008-05-20 249888]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e3e7261-200b-11dc-a50d-fb48184993d1}]
\Shell\AutoRun\command - D:\UIU.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d6feb01-b53e-11db-883c-8695eaf970df}]
\Shell\AutoRun\command - D:\UIU.EXE
.
- - - - ORPHANS REMOVED - - - -
BHO-{698e7de9-478c-46e3-82be-29654250e227} - c:\windows\system32\cqowgb.dll
BHO-{770E858C-7662-4988-9E49-F3B89587B786} - c:\windows\system32\opnlICRK.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-mlJYpmJD - mlJYpmJD.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uap.cag
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
c:\windows\Downloaded Program Files\epcwebinstaller.dll - O16 -: {2739E75C-A4A1-438D-8914-190654B4E4EA}
hxxp://dcdcogweb1/cognos8/contributor/controls/epcwebinstaller83.cab
c:\windows\Downloaded Program Files\epcWebInstaller.inf
O16 -: {8B20D871-F641-4891-8A5D-C813FFB017CB} - hxxp://dcdcogweb1/cognos8/contributor/controls/clientfull83.cab
c:\windows\Downloaded Program Files\clientfull83.inf
FireFox -: Profile - c:\documents and settings\gccarole\Application Data\Mozilla\Firefox\Profiles\smrwz563.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 11:38:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\cscogina.dll
c:\windows\system32\csccfg10.dll
c:\windows\system32\csccfg10Res.dll
c:\windows\system32\amgina.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2008-12-04 11:39:26
ComboFix-quarantined-files.txt 2008-12-04 18:39:16
Pre-Run: 75,223,871,488 bytes free
Post-Run: 75,211,108,352 bytes free
189 --- E O F --- 2008-08-14 20:01:44
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINDOWS\system32\ccs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\IP VPN Remote Services\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: MCI Wireless Engine - Unknown owner - C:\Program Files\Remote Services\WENGINE2\BWEngine.exe
O23 - Service: MCI WMonitor - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE2\WMonitor.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
--
End of file - 11530 bytes
ComboFix log:
ComboFix 08-12-03.04 - gccarole 2008-12-04 11:37:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -7:00]
Running from: c:\documents and settings\gccarole\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gccarole\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.
2008-12-03 19:22 . 2008-12-03 19:22 173,456 --a------ C:\FixVundo.exe
2008-12-03 11:52 . 2008-12-04 10:02 151 --a------ c:\windows\wininit.ini
2008-12-02 20:38 . 2008-12-02 20:38 32,256 --a------ c:\documents and settings\gccarole\~.exe
2008-12-02 20:15 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll
2008-12-02 20:15 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll
2008-12-02 20:15 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll
2008-12-02 19:51 . 2008-12-02 19:51 5,424 --a------ C:\ftp_error_check
2008-12-02 19:51 . 2008-12-02 19:51 3,459 --a------ C:\ftp_simple
2008-12-02 19:51 . 2008-12-02 19:51 1,498 --a------ C:\uap_ftptab
2008-12-02 19:39 . 2008-12-02 19:39 867 --a------ C:\checkfilebudg.sh
2008-12-02 19:39 . 2008-12-02 19:39 839 --a------ C:\checkfile.sh
2008-12-02 08:43 . 2008-12-02 09:54 231,424 --a------ C:\OU_Parent.xls
2008-11-25 15:00 . 2008-11-25 15:01 13,824 --a------ C:\Asset_Depr.xls
2008-11-24 09:42 . 2008-11-24 09:42 186,880 --a------ C:\AGU_ACCOUNTS_TREE.xls
2008-11-20 12:29 . 2008-11-20 12:29 30,208 --a------ C:\2815.xls
2008-11-19 07:41 . 2008-11-19 07:41 3,705,812 --a------ C:\FileZilla_3.1.5.1_win32-setup.exe
2008-11-17 12:59 . 2008-11-17 16:05 23,552 --a------ C:\Samples_Carole.xls
2008-11-14 15:33 . 2008-11-25 12:17 24,576 --a------ C:\Tree_Updates.xls
2008-11-13 10:10 . 2008-11-13 10:10 179,200 --a------ C:\OU_State.xls
2008-11-13 09:10 . 2008-11-13 09:11 182,784 --a------ C:\OU_Tree_Missing.xls
2008-11-12 15:57 . 2008-11-12 15:57 26,624 --a------ C:\OU_Help_Darren.xls
2008-11-12 12:37 . 2008-11-12 12:37 26,112 --a------ C:\OU_Help.xls
2008-11-11 16:32 . 2008-11-11 16:32 391,680 --a------ C:\Tree_Checks.xls
2008-11-11 16:04 . 2008-11-12 16:35 65,024 --a------ C:\Missing_Ous.xls
2008-11-11 15:39 . 2008-11-11 15:40 39,936 --a------ C:\Scopes for review.xls
2008-11-11 14:02 . 2008-11-11 14:02 <DIR> d-------- c:\program files\MSECache
2008-11-07 10:42 . 2008-11-10 13:19 18,944 --a------ C:\Period_Counts.xls
2008-11-07 10:03 . 2008-11-17 10:13 228,864 --a------ C:\Scopes.xls
2008-11-06 14:39 . 2008-11-06 16:33 750,592 --a------ C:\Revenue adjustments.xls
2008-11-06 13:07 . 2008-11-06 13:07 235,008 --a------ C:\DIG_MACD.doc
2008-11-06 09:00 . 2008-11-06 10:17 65,536 --a------ C:\Detailed_Ledger.doc
2008-11-05 11:40 . 2008-11-06 10:18 25,600 --a------ C:\Ledger_Info.xls
2008-11-04 08:27 . 2008-11-04 08:28 3,696,811 --a------ C:\FileZilla_3.1.5_win32-setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 16:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 23:52 --------- d-----w c:\program files\IP VPN Remote Services
2008-12-03 19:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 02:56 --------- d-----w c:\documents and settings\gccarole\Application Data\FileZilla
2008-11-19 14:43 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-20 14:37 3,688,730 ----a-w C:\FileZilla_3.1.4.1_win32-setup.exe
2008-10-03 17:12 3,659,444 ----a-w C:\FileZilla_3.1.3.1_win32-setup.exe
2008-09-09 16:51 3,648,871 ----a-w C:\FileZilla_3.1.2_win32-setup.exe
2008-08-27 20:34 3,681,588 ----a-w c:\program files\WS_FTP Pro.zip
2008-05-15 01:43 990,592 ----a-w c:\windows\inf\UIU\A2\HSF_DPV.sys
2008-05-15 01:42 98,752 ----a-w c:\windows\inf\UIU\A29\aeaudio.sys
2008-05-15 01:41 88,363 ----a-w c:\windows\inf\UIU\A18\AGRSMMSG.exe
2008-05-15 01:41 64,512 -c--a-w c:\windows\inf\UIU\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A18\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A12\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A11\agrsmdel.exe
2008-05-15 01:41 6,912 -c--a-w c:\windows\inf\UIU\atibtxbr.sys
2008-05-15 01:41 58,240 -c--a-w c:\windows\inf\UIU\atibtcap.sys
2008-05-15 01:41 1,268,204 ----a-w c:\windows\inf\UIU\A18\AGRSM.sys
2007-06-04 22:28 995,328 -c--a-w c:\windows\inf\UIU\W20MLRES.dll
2007-06-04 22:27 68,710 -c--a-w c:\windows\inf\UIU\A0100\RKSAMPLE.SYS
2007-06-04 22:26 917,504 -c--a-w c:\windows\inf\UIU\A2000\CMIDS3D.DLL
2007-06-04 22:25 98,304 -c--a-w c:\windows\inf\UIU\A0900\34dialog.dll
2007-06-04 22:24 98,752 -c--a-w c:\windows\inf\UIU\A0401\AEAUDIO.sys
2007-06-04 22:23 94,208 -c--a-w c:\windows\inf\UIU\A0102\igfxtray.exe
2006-07-19 17:20 1,895,732 ----a-w c:\documents and settings\gccarole\TextPad 4.zip
2006-05-27 14:41 57,344 ----a-w c:\documents and settings\gccarole\_EZPivotDeleteMe.exe
2007-06-04 20:30 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2007-06-04 20:24 16,384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-06-04 20:24 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-14 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-14 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-14 131072]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 356429]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-04-23 165888]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"ADU"="c:\program files\Cisco Aironet\ADU.exe" [2005-05-11 299008]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-06-18 413696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HDAShCut.exe]
"TpShocks"="TpShocks.exe" [2005-08-22 c:\windows\system32\TpShocks.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 561213]
Verizon IP VPN Remote Services.lnk - c:\program files\IP VPN Remote Services\vpngui.exe [2008-05-23 1528880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cqowgb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\TIREMOTE\\wuser32.exe"=
"c:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\Drivers\atiide.sys [2008-05-14 3456]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2008-05-23 59904]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2008-05-23 4736]
R2 AM.EventService;Access Manager Event Service;"c:\program files\Remote Services\AM.utEventServer.exe" [2007-07-10 28672]
R2 AM.ScriptService;Access Manager Script Service;"c:\program files\Remote Services\AM.blScriptEngine.exe" [2007-07-10 28672]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2008-05-20 757792]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [2006-10-19 532480]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [2008-05-23 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [2008-05-23 212480]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2007-06-12 205328]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2007-06-12 36368]
R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2008-05-20 23584]
R3 smsmdd;smsmdd;c:\windows\system32\DRIVERS\smsmdm.sys [2008-04-08 12448]
S3 AM.InstallService;Access Manager Install Service;"c:\program files\Remote Services\AM.InstallService.exe" [2007-07-10 81920]
S3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;c:\windows\system32\DRIVERS\csco21.sys [2007-06-04 461728]
S3 MCI Wireless Engine;MCI Wireless Engine;"c:\program files\Remote Services\WENGINE2\BWEngine.exe" [2007-02-01 823296]
S3 MCI WMonitor;MCI WMonitor;"c:\program files\Remote Services\WENGINE2\WMonitor.exe" [2007-02-01 73728]
S3 smstsmgr;SMS Task Sequence Agent;c:\windows\system32\CCM\TSManager.exe /service [2008-05-20 249888]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e3e7261-200b-11dc-a50d-fb48184993d1}]
\Shell\AutoRun\command - D:\UIU.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d6feb01-b53e-11db-883c-8695eaf970df}]
\Shell\AutoRun\command - D:\UIU.EXE
.
- - - - ORPHANS REMOVED - - - -
BHO-{698e7de9-478c-46e3-82be-29654250e227} - c:\windows\system32\cqowgb.dll
BHO-{770E858C-7662-4988-9E49-F3B89587B786} - c:\windows\system32\opnlICRK.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-mlJYpmJD - mlJYpmJD.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uap.cag
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
c:\windows\Downloaded Program Files\epcwebinstaller.dll - O16 -: {2739E75C-A4A1-438D-8914-190654B4E4EA}
hxxp://dcdcogweb1/cognos8/contributor/controls/epcwebinstaller83.cab
c:\windows\Downloaded Program Files\epcWebInstaller.inf
O16 -: {8B20D871-F641-4891-8A5D-C813FFB017CB} - hxxp://dcdcogweb1/cognos8/contributor/controls/clientfull83.cab
c:\windows\Downloaded Program Files\clientfull83.inf
FireFox -: Profile - c:\documents and settings\gccarole\Application Data\Mozilla\Firefox\Profiles\smrwz563.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 11:38:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\cscogina.dll
c:\windows\system32\csccfg10.dll
c:\windows\system32\csccfg10Res.dll
c:\windows\system32\amgina.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2008-12-04 11:39:26
ComboFix-quarantined-files.txt 2008-12-04 18:39:16
Pre-Run: 75,223,871,488 bytes free
Post-Run: 75,211,108,352 bytes free
189 --- E O F --- 2008-08-14 20:01:44