ComboFix 08-03-10.1 - rickie 2008-03-12 15:28:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.125 [GMT -4:00]
Running from: C:\Documents and Settings\rickie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rickie\Desktop\CFScript.txt
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\kxnnxkyb.dll
C:\WINDOWS\system32\nnnkkhg.dll
C:\WINDOWS\system32\wbiiwpku.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-12 15:17 . 2008-03-12 15:17 0 --a------ C:\s4g.oi.tag
2008-03-12 15:17 . 2008-03-12 15:17 0 --a------ C:\s4g.oi
2008-03-12 11:26 . 2008-03-12 11:26 d-------- C:\WINDOWS\ERUNT
2008-03-10 17:11 . 2008-03-10 17:11 65,848 --a------ C:\Documents and Settings\rickie\g2ax_customer_downloadhelper_win32_x86.exe
2008-03-04 17:35 . 2008-03-04 17:35 d-------- C:\Program Files\GClient
2008-03-04 17:35 . 2003-12-01 18:34 327,680 --a------ C:\WINDOWS\msndll.exe
2008-03-04 17:35 . 2003-11-27 23:46 147,456 --a------ C:\WINDOWS\system32\MSDNKEY.dll
2008-03-04 17:35 . 2001-04-10 15:09 140,918 --a------ C:\WINDOWS\Clienta.dib
2008-03-04 17:35 . 2000-03-06 20:55 140,918 --a------ C:\WINDOWS\Client.dib
2008-02-29 16:33 . 2008-03-12 15:12 d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-29 16:33 . 2008-03-12 14:45 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-29 15:31 . 2008-02-29 15:31 d-------- C:\Program Files\DivX
2008-02-29 15:31 . 2008-02-29 15:31 0 --a------ C:\WINDOWS\mozver.dat
2008-02-27 16:36 . 2008-02-27 16:36 32,768 --a------ C:\VNC_bypauth.exe
2008-02-22 16:28 . 2008-02-22 16:28 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Roxio
2008-02-22 16:26 . 2008-03-06 11:15 d---s---- C:\Documents and Settings\alex.SBS2003NB\UserData
2008-02-22 16:26 . 2005-12-11 01:30 d-------- C:\Documents and Settings\alex.SBS2003NB\SecurityScans
2008-02-22 16:26 . 2007-12-03 17:22 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\WatchGuard
2008-02-22 16:26 . 2008-01-14 17:03 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Template
2008-02-22 16:26 . 2008-03-06 11:15 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Sonic
2008-02-22 16:26 . 2007-11-01 14:42 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\ScanSoft
2008-02-22 16:26 . 2008-02-18 13:12 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\OpenOffice.org2
2008-02-22 16:26 . 2008-01-15 12:57 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Leadertech
2008-02-22 16:26 . 2008-01-15 10:10 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Kayako
2008-02-22 16:26 . 2008-03-06 11:15 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\ICAClient
2008-02-22 16:26 . 2007-11-01 14:53 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Corel
2008-02-22 16:26 . 2008-01-24 11:19 d-------- C:\Documents and Settings\alex.SBS2003NB\Application Data\Apple Computer
2008-02-22 16:26 . 2007-11-01 14:53 d-------- C:\Documents and Settings\alex.SBS2003NB\_rpcs
2008-02-22 16:26 . 2008-02-14 17:54 484 --a------ C:\Documents and Settings\alex.SBS2003NB\Application Data\wklnhst.dat
2008-02-20 22:05 . 2008-02-20 22:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-20 22:05 . 2008-02-20 22:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 12:49 --------- d-----w C:\Program Files\PowerISO
2008-03-11 20:10 --------- d-----w C:\Program Files\Trend Micro
2008-03-10 21:11 --------- d-----w C:\Program Files\Citrix
2008-03-07 22:35 --------- d-----w C:\Documents and Settings\rickie\Application Data\ICAClient
2008-03-07 22:35 --------- d-----w C:\DOCUME~1\rickie\APPLIC~1\ICAClient
2008-03-07 14:15 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Roxio
2008-03-06 15:15 --------- d-----w C:\Documents and Settings\derrell\Application Data\Roxio
2008-03-06 15:15 --------- d-----w C:\Documents and Settings\derrell\Application Data\ICAClient
2008-03-06 15:15 --------- d-----w C:\Documents and Settings\chuck.SBS2003NB\Application Data\ICAClient
2008-03-06 15:15 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Borland
2008-02-19 16:24 --------- d-----w C:\Program Files\Kayako
2008-02-08 19:03 --------- d-----w C:\Documents and Settings\rickie\Application Data\vlc
2008-02-08 19:03 --------- d-----w C:\DOCUME~1\rickie\APPLIC~1\vlc
2008-02-08 18:58 --------- d-----w C:\Program Files\VideoLAN
2008-02-05 21:39 --------- d-----w C:\Documents and Settings\rickie\Application Data\U3
2008-02-05 21:39 --------- d-----w C:\DOCUME~1\rickie\APPLIC~1\U3
2008-01-29 21:39 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 22:30 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2008-01-23 21:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-23 21:41 --------- d-----w C:\Program Files\Bonjour
2008-01-23 21:34 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-21 22:44 --------- d-----w C:\Program Files\TESTOUT
2008-01-16 20:38 --------- d-----w C:\Program Files\TechRepublic Resource CD
2008-01-14 18:48 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:18 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-10-29 12:17 398784]
"Track-It! Workstation Manager Service Monitor"="C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe" [2007-06-27 10:34 165888]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-12 09:22 143360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 11:22 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 09:00 1116920]
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2005-12-01 00:45 77892]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-01 13:04 286720]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 03:09 200704]
"!AVG Anti-Spyware"="H:\AVG Anti-Spyware 7.5\avgas.exe" [ ]
"Grms Client"="" []
"SDFix"="C:\SDFix\RunThis.bat /second" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Grms Client"="c:\Program Files\GClient\GClient.exe" [2003-12-01 18:32 331776]

C:\Documents and Settings\rickie\Start Menu\Programs\Startup\
Server Management.lnk - \\SBS2003\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe [2005-04-29 17:53:14 30016]

C:\DOCUME~1\rickie\STARTM~1\Programs\Startup\
Server Management.lnk - \\SBS2003\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe [2005-04-29 17:53:14 30016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\SASSEH.DLL [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_winlogon.dll 2008-03-10 17:11 45368 C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"C:\\Program Files\\TESTOUT\\Cmi\\Navigator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 14:27]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R2 TIRmtCtl;Track-It! Remote Control;C:\WINDOWS\TIREMOTE\wuser32.exe [2007-01-31 10:43]
R2 TIRmtSvc;Track-It! Workstation Manager;C:\WINDOWS\TIREMOTE\TIRemoteService.exe [2007-06-27 10:34]
S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_service.exe" Start=service []
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-12 09:30]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-12 09:30]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-12 09:30]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-12 09:30]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ceff32c-ae4e-11dc-9db7-0013209a8d3c}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 15:32:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_winlogon.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\DLAAPI_W.DLL
.
Completion time: 2008-03-12 15:32:44
.
2008-03-12 18:12:45 --- E O F ---
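Added example, not part of the post above and not ComboFix's own code: a small Python triage helper that parses the "Files Created" entries, the registry loading points and the firewall port list of a ComboFix log and returns the findings a reviewer checks first. It runs over a handful of lines excerpted from the log above. The finding labels, the set of "root" directories, and the 30-day modified-before-created threshold are this example's own choices, and the reading of the file columns as "creation time . last-modified time" is an assumption about the log format.

```python
"""Triage helper for ComboFix logs (added example; not ComboFix code).

Assumption: each "Files Created" line is  <created> . <modified> [size] <attrs> <path>.
"""
import re
from datetime import datetime

# Sample excerpted from the log above (trimmed to a few lines per section).
SAMPLE_LOG = r"""
2008-03-12 11:26 . 2008-03-12 11:26 d-------- C:\WINDOWS\ERUNT
2008-03-04 17:35 . 2003-12-01 18:34 327,680 --a------ C:\WINDOWS\msndll.exe
2008-02-27 16:36 . 2008-02-27 16:36 32,768 --a------ C:\VNC_bypauth.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-10-29 12:17 398784]
"!AVG Anti-Spyware"="H:\AVG Anti-Spyware 7.5\avgas.exe" [ ]
"Grms Client"="" []
"SDFix"="C:\SDFix\RunThis.bat /second" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Grms Client"="c:\Program Files\GClient\GClient.exe" [2003-12-01 18:32 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:([\d,]+)\s+)?([d-][-a-z]{8})\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=\s*(.*?)\s*$')
# Autostart values: "target" followed by ComboFix's [date time size] stamp,
# which the log shows as [ ] when the target could not be examined.
TARGET_RE = re.compile(r'^"([^"]*)"\s*\[([^\]]*)\]$')

EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".com")
ROOT_DIRS = {"c:", "c:\\windows"}  # example's choice: binaries dropped here get a look


def parse_combofix(text):
    """Return (file_entries, registry_values) parsed from ComboFix log text."""
    files, values, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            files.append({
                "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
                "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                "size": int(size.replace(",", "")) if size else None,
                "is_dir": attrs.startswith("d"),
                "path": path,
            })
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # subsequent "name"=value lines belong to this key
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values.append((key, m.group(1), m.group(2)))
    return files, values


def triage(text):
    """Return a list of (kind, detail) findings; the kind labels are this example's own."""
    files, values = parse_combofix(text)
    findings = []
    for key, name, rest in values:
        k = key.lower()
        target = TARGET_RE.match(rest)
        if "\\currentversion\\run" in k and target:      # Run, RunOnce, RunServices
            path, stamp = target.groups()
            if not stamp.strip():     # no date/size recorded: target missing or unreadable
                findings.append(("autostart-no-file-metadata", f"{key} {name} -> {path!r}"))
            if k.endswith("\\runservices"):   # Win9x-era key; unusual to be populated on XP
                findings.append(("legacy-runservices-key", f"{name} -> {path}"))
        elif ("security center\\monitoring" in k and name.lower() == "disablemonitoring"
              and rest.lower() == "dword:00000001"):
            findings.append(("security-center-monitoring-disabled", key.rsplit("\\", 1)[-1]))
        elif "globallyopenports" in k:
            findings.append(("firewall-open-port", rest))
    for f in files:
        if f["is_dir"]:
            continue
        parent = f["path"].lower().rpartition("\\")[0]
        if f["path"].lower().endswith(EXEC_EXT) and parent in ROOT_DIRS:
            findings.append(("executable-in-drive-or-windows-root", f["path"]))
        if (f["created"] - f["modified"]).days > 30:   # old binary copied in recently
            findings.append(("mtime-predates-creation",
                             f"{f['path']} modified {f['modified']:%Y-%m-%d}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:40} {detail}")
```

Each finding is a prompt for a manual check, not a verdict: an autostart entry with an empty stamp may simply point at an uninstalled program, and an old modification time on a freshly created file is also what a legitimate installer produces. The value of running this over a log is that the handful of lines worth a second look are separated from the hundreds that are routine.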