ComboFix 08-03-10.1 - rickie 2008-03-12 10:08:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.104 [GMT -4:00]
Running from: C:\Documents and Settings\rickie\Desktop\ComboFix.exe
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BM933d738a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bykxnnxk.ini
C:\WINDOWS\system32\fhhkj.ini
C:\WINDOWS\system32\fhhkj.ini2
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini2
C:\WINDOWS\system32\kqyulvqq.dll
C:\WINDOWS\system32\kxnnxkyb.dll
C:\WINDOWS\system32\nnnkkhg.dll
C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\wbiiwpku.dll

----- BITS: Possible infected sites -----

hxxp://sbs2003
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_IPRIP
-------\Iprip

(((((((((((((((((((((((((  Files Created from 2008-02-12 to 2008-03-12  )))))))))))))))))))))))))))))))
.
2008-03-12 10:19 . 0 C:\snk.7c.tag
2008-03-12 10:19 . 0 C:\snk.7c
2008-03-11 17:27 . 2008-03-12 08:58 d-------- C:\VundoFix Backups
2008-03-10 17:11 . 2008-03-10 17:11 65,848 --a------ C:\Documents and Settings\rickie\g2ax_customer_downloadhelper_win32_x86.exe
2008-03-04 17:35 . 2008-03-04 17:35 d-------- C:\Program Files\GClient
2008-03-04 17:35 . 2003-12-01 18:34 327,680 --a------ C:\WINDOWS\msndll.exe
2008-03-04 17:35 . 2003-11-27 23:46 147,456 --a------ C:\WINDOWS\system32\MSDNKEY.dll
2008-03-04 17:35 . 2001-04-10 15:09 140,918 --a------ C:\WINDOWS\Clienta.dib
2008-03-04 17:35 . 2000-03-06 20:55 140,918 --a------ C:\WINDOWS\Client.dib
2008-02-29 16:33 . 2008-02-29 16:33 d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-29 16:33 . 2008-03-07 10:41 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-29 15:31 . 2008-02-29 15:31 d-------- C:\Program Files\DivX
2008-02-29 15:31 . 2008-02-29 15:31 0 --a------ C:\WINDOWS\mozver.dat
2008-02-27 16:36 . 2008-02-27 16:36 32,768 --a------ C:\VNC_bypauth.exe
2008-02-22 16:28 . 2008-02-22 16:28 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Roxio
2008-02-22 16:26 . 2008-03-06 11:15 d---s---- C:\Documents and Settings\alex.SBS2003NB\UserData
2008-02-22 16:26 . 2005-12-11 01:30 d-------- C:\Documents and Settings\alex.SBS2003NB\SecurityScans
2008-02-22 16:26 . 2007-12-03 17:22 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\WatchGuard
2008-02-22 16:26 . 2008-01-14 17:03 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Template
2008-02-22 16:26 . 2008-03-06 11:15 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Sonic
2008-02-22 16:26 . 2007-11-01 14:42 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\ScanSoft
2008-02-22 16:26 . 2008-02-18 13:12 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\OpenOffice.org2
2008-02-22 16:26 . 2008-01-15 12:57 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Leadertech
2008-02-22 16:26 . 2008-01-15 10:10 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Kayako
2008-02-22 16:26 . 2008-03-06 11:15 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\ICAClient
2008-02-22 16:26 . 2007-11-01 14:53 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Corel
2008-02-22 16:26 . 2008-01-24 11:19 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Apple Computer
2008-02-22 16:26 . 2007-11-01 14:53 d-------- C:\Documents and Settings\alex.SBS2003NB\_rpcs
2008-02-22 16:26 . 2008-02-14 17:54 484 --a------ C:\Documents and Settings\alex.SBS2003NB\Application Data\wklnhst.dat
2008-02-20 22:05 . 2008-02-20 22:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-20 22:05 . 2008-02-20 22:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 12:49 --------- d-----w C:\Program Files\PowerISO
2008-03-11 20:10 --------- d-----w C:\Program Files\Trend Micro
2008-03-10 21:11 --------- d-----w C:\Program Files\Citrix
2008-03-07 22:35 --------- d-----w C:\Documents and Settings\rickie\Application Data\ICAClient
2008-03-07 22:35 --------- d-----w C:\DOCUME~1\rickie\APPLIC~1\ICAClient
2008-03-07 14:15 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Roxio
2008-03-06 15:15 --------- d-----w C:\Documents and Settings\derrell\Application Data\Roxio
2008-03-06 15:15 --------- d-----w C:\Documents and Settings\derrell\Application Data\ICAClient
2008-03-06 15:15 --------- d-----w C:\Documents and Settings\chuck.SBS2003NB\Application Data\ICAClient
2008-03-06 15:15 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Borland
2008-02-19 16:24 --------- d-----w C:\Program Files\Kayako
2008-02-08 19:03 --------- d-----w C:\Documents and Settings\rickie\Application Data\vlc
2008-02-08 19:03 --------- d-----w C:\DOCUME~1\rickie\APPLIC~1\vlc
2008-02-08 18:58 --------- d-----w C:\Program Files\VideoLAN
2008-02-05 21:39 --------- d-----w C:\Documents and Settings\rickie\Application Data\U3
2008-02-05 21:39 --------- d-----w C:\DOCUME~1\rickie\APPLIC~1\U3
2008-01-29 21:39 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 22:30 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2008-01-23 21:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-23 21:41 --------- d-----w C:\Program Files\Bonjour
2008-01-23 21:34 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-21 22:44 --------- d-----w C:\Program Files\TESTOUT
2008-01-16 20:38 --------- d-----w C:\Program Files\TechRepublic Resource CD
2008-01-14 18:48 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2338f27d-c1f2-4582-876b-c62f2dcdb127}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40AFA95A-E52D-49E2-ABFA-D8F011CC5642}]
C:\WINDOWS\system32\gebcy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4986C8B2-43FB-45C0-BF9E-40BD9A90AA10}]
C:\WINDOWS\system32\jkhhf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70CB6D7B-352A-4209-B0CA-EEC411FCDF4D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7735F01C-3689-4659-B7E9-55EB9A876149}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:18 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 17:46 1460560]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46 77824]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-10-29 12:17 398784]
"Track-It! Workstation Manager Service Monitor"="C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe" [2007-06-27 10:34 165888]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-12 09:22 143360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 11:22 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 09:00 1116920]
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2005-12-01 00:45 77892]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50 114688]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-01 13:04 286720]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 03:09 200704]
"!AVG Anti-Spyware"="H:\AVG Anti-Spyware 7.5\avgas.exe" [ ]
"Grms Client"="" []
"BM933d738a"="C:\WINDOWS\system32\wbiiwpku.dll" [ ]
"900e4016"="C:\WINDOWS\system32\kxnnxkyb.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Grms Client"="c:\Program Files\GClient\GClient.exe" [2003-12-01 18:32 331776]

C:\Documents and Settings\rickie\Start Menu\Programs\Startup\
Server Management.lnk - \\SBS2003\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe [2005-04-29 17:53:14 30016]

C:\DOCUME~1\rickie\STARTM~1\Programs\Startup\
Server Management.lnk - \\SBS2003\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe [2005-04-29 17:53:14 30016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\SASSEH.DLL [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_winlogon.dll 2008-03-10 17:11 45368 C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkkhg]
nnnkkhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"C:\\Program Files\\TESTOUT\\Cmi\\Navigator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 14:27]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 TIRmtCtl;Track-It! Remote Control;C:\WINDOWS\TIREMOTE\wuser32.exe [2007-01-31 10:43]
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe [2007-06-27 10:34]
S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_service.exe" Start=service []
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-12 09:30]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-12 09:30]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-12 09:30]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-12 09:30]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ceff32c-ae4e-11dc-9db7-0013209a8d3c}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 10:19:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_winlogon.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\DLAAPI_W.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-12 10:23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 14:23:29
.
2008-02-14 14:07:36 --- E O F ---