ComboFix 10-11-17.01 - Administrator 11/17/2010 12:43:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.354 [GMT -6:00]
Running from: c:\documents and settings\administrator\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\saundech\g2mdlhlpx.exe
c:\documents and settings\saundech\Start Menu\Programs\System Tool
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_SSHNAS
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
.
2010-11-12 20:10 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 20:10 . 2010-11-12 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-12 20:10 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 19:53 . 2010-11-15 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2010-11-12 19:36 . 2010-11-12 19:36 -------- d-----w- c:\documents and settings\z
2010-11-12 15:37 . 2010-11-12 15:37 -------- d-----w- c:\documents and settings\administrator\Application Data\Malwarebytes
2010-11-12 15:36 . 2010-11-12 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-11 14:58 . 2010-11-11 14:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-11 08:12 . 2010-11-17 18:59 761344 ----a-w- c:\windows\system32\drivers\uwzqnunri.sys
2010-11-11 08:12 . 2010-11-15 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\eDkHf02039
2010-11-11 08:12 . 2010-11-11 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\eOeFn02039
2010-11-10 13:56 . 2010-11-10 13:56 67336 ----a-w- C:\whtsmk.exe
2010-11-01 14:14 . 2010-11-01 14:14 -------- d-----w- c:\documents and settings\saundech\Application Data\webex
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 20:39 . 2009-12-17 18:02 231936 ----a-w- c:\windows\system32\KaceCredentialProvider.dll
2010-09-02 20:39 . 2009-12-17 18:02 387584 ----a-w- c:\windows\system32\KUsrInit.exe
2010-09-02 20:39 . 2009-12-17 18:02 397312 ----a-w- c:\windows\system32\KWinImpl.dll
.
------- Sigcheck -------
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 115560]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"KBOXUserExtension"="c:\program files\KACE\KBOX\KBOXUserExtension.exe" [2010-09-02 493056]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-08-06 85528]
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= "c:\program files\Novell\ZENworks\NalExpEx.dll" [2003-03-24 131072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\KUsrInit.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kwinhook]
2009-07-25 00:32 55808 ----a-w- c:\windows\system32\KWinHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2112260698-3555690785-471562439-2476\Scripts\Logon\0\0]
"Script"=\\campus.minneapolis.edu\netlogon\deployment\ISRSShortcut.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2112260698-3555690785-471562439-2600\Scripts\Logon\0\0]
"Script"=\\campus.minneapolis.edu\NETLOGON\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2112260698-3555690785-471562439-2600\Scripts\Logon\0\1]
"Script"=\\campus.minneapolis.edu\NETLOGON\deployment\Outlook.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"WatchDog"=c:\program files\InterVideo\DVD Check\DVDCheck.exe
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"PTHOSTTR"=c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
"QlbCtrl"=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\NOVELL\\GroupWise\\GrpWise.exe"=
"c:\\NOVELL\\GroupWise\\Notify.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:Remote Assistance TCP
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8014:TCP"= 8014:TCP:SEP11
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2/7/2007 10:22 AM 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 12:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 3:54 PM 13696]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 5:00 AM 26624]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [1/23/2007 7:07 PM 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2/7/2007 10:23 AM 5808]
R2 BlankScreen;HBDevice;c:\windows\system32\drivers\blankscreen.sys [5/9/2007 8:41 AM 4480]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [3/29/2007 4:50 PM 221184]
R2 Kblock;Kblock;c:\windows\system32\drivers\kblock.sys [5/9/2007 8:41 AM 3742]
R2 KBOXSMMP;KBOX SMMP Management Service;c:\program files\KACE\KBOX\KBOXSMMPService.exe [11/8/2010 9:03 AM 2237440]
R2 Mouslock;Mouslock;c:\windows\system32\drivers\mouslock.sys [5/9/2007 8:41 AM 3779]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 5:00 AM 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/22/2010 7:49 PM 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/26/2005 9:56 AM 36608]
R3 nscmnt;Novell Local Security Context Manager;c:\windows\system32\drivers\Novell\nscmnt.sys [7/12/2002 10:36 AM 17984]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [3/25/2010 9:38 PM 23888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/12/2010 2:10 PM 38224]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 xauthnt;Novell XTier Authentication Service;c:\windows\system32\drivers\Novell\xauthnt.sys [6/17/2002 3:32 PM 7728]
--- Other Services/Drivers In Memory ---
*Deregistered* - uwzqnunri
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.minneapolis.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.minneapolis.edu/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\qxfm9nb9.default\
FF - prefs.js: browser.startup.homepage - www.minneapolis.edu
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{EBB8AFFA-E37E-4315-A2CE-354EC79FEB67}");
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ZENRC Tray Icon - zentray.exe
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-17 12:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uwzqnunri]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\kwinhook.dll
- - - - - - - > 'explorer.exe'(3620)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\DWRCS.EXE
c:\windows\system32\ifxtcs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
.
**************************************************************************
.
Completion time: 2010-11-17 13:02:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-17 19:01
Pre-Run: 61,292,093,440 bytes free
Post-Run: 61,903,986,688 bytes free
- - End Of File - - 208D0D534FB88CEDD80085E21F64C475