Thread: Moved

05-09-2008, 09:25 AM   #4
techfem
Registered User
Join Date: May 2008
Posts: 8
OS: XP SP2

Re: Simultaneous Viruses

Disregard the last post; I was able to get someone at the user's home to restore the internet connection.

I will post the logs below.

While I was waiting for a response the last few days I successfully deleted many of the virus problems. But there is only one issue that remains. When this user logs on through VPN, it connects, and it connects to the Exchange server through Outlook. However, when trying to connect to the network drive, Windows Explorer only shows a blank right panel. You can successfully ping the server, but cannot map the drive under any name or IP address. When trying to browse the local host you also get a blank Explorer pane. Windows Explorer is completely functional in all other aspects except computer and network browsing. Any thoughts on that?

Thanks!!!



SDFix: Version 1.181
Run by Administrator on Fri 05/09/2008 at 08:47 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\lass.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 08:57:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 11 Aug 2004 10,912 A.SH. --- "C:\WINDOWS\system32\Proxy.Dll"
Sun 13 Mar 2005 8,432 A.SH. --- "C:\WINDOWS\system32\drivers\lass.sys"
Sat 3 May 2008 397,824 ..SH. --- "C:\Program Files\Common Files\Microsoft Shared\MSInfo\Upseyup.exe"

Finished!

ComboFix 08-05-08.1 - Administrator 2008-05-09 10:19:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.587 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\x64

----- BITS: Possible infected sites -----

hxxp://server2
.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 08:44 . 2008-05-09 08:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-09 08:40 . 2008-05-09 08:59 <DIR> d-------- C:\SDFix
2008-05-08 21:36 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-08 21:36 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-08 14:34 . 2008-04-13 19:12 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-08 14:34 . 2008-04-13 19:12 18,944 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-08 14:33 . 2008-04-13 13:45 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2008-05-08 14:33 . 2008-04-13 13:46 19,200 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2008-05-08 14:33 . 2008-04-13 13:36 8,832 --a------ C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-05-08 14:33 . 2008-04-13 19:12 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2008-05-08 14:32 . 2008-04-13 19:12 53,760 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-05-08 14:31 . 2008-04-13 13:45 60,032 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-05-08 14:31 . 2008-04-13 13:45 26,112 --a------ C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-08 14:31 . 2008-04-13 13:45 17,152 --a------ C:\WINDOWS\system32\dllcache\usbohci.sys
2008-05-08 14:31 . 2008-04-13 13:45 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-08 14:30 . 2008-04-13 19:12 82,944 --a------ C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-05-08 14:29 . 2008-04-13 13:40 149,376 --a------ C:\WINDOWS\system32\dllcache\tffsport.sys
2008-05-08 14:29 . 2008-04-13 13:46 15,232 --a------ C:\WINDOWS\system32\dllcache\streamip.sys
2008-05-08 14:28 . 2008-04-13 13:40 7,552 --a------ C:\WINDOWS\system32\dllcache\sonyait.sys
2008-05-08 14:27 . 2008-04-13 13:36 16,000 --a------ C:\WINDOWS\system32\dllcache\smbbatt.sys
2008-05-08 14:27 . 2008-04-13 13:46 11,136 --a------ C:\WINDOWS\system32\dllcache\slip.sys
2008-05-08 14:27 . 2008-04-13 13:36 6,912 --a------ C:\WINDOWS\system32\dllcache\smbclass.sys
2008-05-08 14:26 . 2008-04-13 13:45 11,520 --a------ C:\WINDOWS\system32\dllcache\scsiscan.sys
2008-05-08 14:25 . 2008-04-13 13:40 43,904 --a------ C:\WINDOWS\system32\dllcache\sbp2port.sys
2008-05-08 14:25 . 2008-04-13 19:12 29,696 --a------ C:\WINDOWS\system32\dllcache\rw450ext.dll
2008-05-08 14:25 . 2008-04-13 19:12 27,648 --a------ C:\WINDOWS\system32\dllcache\rw430ext.dll
2008-05-08 14:24 . 2008-04-13 19:12 159,232 --a------ C:\WINDOWS\system32\dllcache\ptpusd.dll
2008-05-08 14:24 . 2008-04-13 13:40 79,104 --a------ C:\WINDOWS\system32\dllcache\rocket.sys
2008-05-08 14:24 . 2008-04-13 13:40 6,016 --a------ C:\WINDOWS\system32\dllcache\qic157.sys
2008-05-08 14:23 . 2008-04-13 19:12 363,520 --a------ C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-05-08 14:23 . 2008-04-13 19:10 259,328 --a------ C:\WINDOWS\system32\dllcache\perm3dd.dll
2008-05-08 14:23 . 2008-04-13 19:10 211,584 --a------ C:\WINDOWS\system32\dllcache\perm2dll.dll
2008-05-08 14:23 . 2008-04-13 19:12 33,280 --a------ C:\WINDOWS\system32\dllcache\psisrndr.ax
2008-05-08 14:23 . 2008-04-13 13:44 28,032 --a------ C:\WINDOWS\system32\dllcache\perm3.sys
2008-05-08 14:23 . 2008-04-13 13:44 27,904 --a------ C:\WINDOWS\system32\dllcache\perm2.sys
2008-05-08 14:23 . 2008-04-13 13:41 17,664 --a------ C:\WINDOWS\system32\dllcache\ppa3.sys
2008-05-08 14:23 . 2008-04-13 13:40 8,832 --a------ C:\WINDOWS\system32\dllcache\powerfil.sys
2008-05-08 14:21 . 2008-04-13 13:31 2,065,792 --a------ C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-05-08 14:21 . 2008-04-13 13:46 61,696 --a------ C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-05-08 14:21 . 2008-04-13 13:54 28,672 --a------ C:\WINDOWS\system32\dllcache\nscirda.sys
2008-05-08 14:21 . 2008-04-13 13:46 10,880 --a------ C:\WINDOWS\system32\dllcache\ndisip.sys
2008-05-08 14:20 . 2008-04-13 13:46 85,248 --a------ C:\WINDOWS\system32\dllcache\nabtsfec.sys
2008-05-08 14:20 . 2008-04-13 13:46 49,024 --a------ C:\WINDOWS\system32\dllcache\mstape.sys
2008-05-08 14:20 . 2008-04-13 13:54 22,016 --a------ C:\WINDOWS\system32\dllcache\msircomm.sys
2008-05-08 14:20 . 2008-04-13 13:39 5,504 --a------ C:\WINDOWS\system32\dllcache\mstee.sys
2008-05-08 14:19 . 2008-04-13 19:12 56,832 --a------ C:\WINDOWS\system32\dllcache\msdvbnp.ax
2008-05-08 14:19 . 2008-04-13 13:46 51,200 --a------ C:\WINDOWS\system32\dllcache\msdv.sys
2008-05-08 14:19 . 2008-04-13 13:41 26,112 --a------ C:\WINDOWS\system32\dllcache\memstpci.sys
2008-05-08 14:19 . 2008-04-13 13:46 15,232 --a------ C:\WINDOWS\system32\dllcache\mpe.sys
2008-05-08 14:18 . 2008-04-13 19:11 253,952 --a------ C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-05-08 14:18 . 2008-04-13 19:12 91,136 --a------ C:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-05-08 14:18 . 2008-04-13 19:12 61,952 --a------ C:\WINDOWS\system32\dllcache\kstvtune.ax
2008-05-08 14:18 . 2008-04-13 19:11 48,640 --a------ C:\WINDOWS\system32\dllcache\kdsui.dll
2008-05-08 14:18 . 2008-04-13 19:12 43,008 --a------ C:\WINDOWS\system32\dllcache\ksxbar.ax
2008-05-08 14:18 . 2008-04-13 13:40 34,688 --a------ C:\WINDOWS\system32\dllcache\lbrtfdc.sys
2008-05-08 14:18 . 2008-04-13 13:40 7,040 --a------ C:\WINDOWS\system32\dllcache\ltotape.sys
2008-05-08 14:17 . 2008-04-13 19:12 151,552 --a------ C:\WINDOWS\system32\dllcache\irftp.exe
2008-05-08 14:17 . 2008-04-13 13:54 88,192 --a------ C:\WINDOWS\system32\dllcache\irda.sys
2008-05-08 14:17 . 2008-04-13 19:11 28,160 --a------ C:\WINDOWS\system32\dllcache\irmon.dll
2008-05-08 14:17 . 2008-04-13 19:12 16,384 --a------ C:\WINDOWS\system32\dllcache\ipsink.ax
2008-05-08 14:17 . 2008-04-13 19:09 6,144 --a------ C:\WINDOWS\system32\dllcache\kbd106.dll
2008-05-08 14:16 . 2008-04-13 19:11 702,845 --a------ C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-08 14:14 . 2008-04-13 13:45 59,136 --a------ C:\WINDOWS\system32\dllcache\gckernel.sys
2008-05-08 14:14 . 2008-04-13 13:40 28,288 --a------ C:\WINDOWS\system32\dllcache\grserial.sys
2008-05-08 14:14 . 2008-04-13 13:36 20,352 --a------ C:\WINDOWS\system32\dllcache\hidbatt.sys
2008-05-08 14:14 . 2008-04-13 13:45 10,624 --a------ C:\WINDOWS\system32\dllcache\gameenum.sys
2008-05-08 14:12 . 2008-04-13 13:39 206,976 --a------ C:\WINDOWS\system32\dllcache\dot4.sys
2008-05-08 14:12 . 2008-04-13 19:12 20,992 --a------ C:\WINDOWS\system32\dllcache\dshowext.ax
2008-05-08 14:12 . 2008-04-13 13:40 8,320 --a------ C:\WINDOWS\system32\dllcache\dlttape.sys
2008-05-08 14:10 . 2008-04-13 19:11 249,856 --a------ C:\WINDOWS\system32\dllcache\ctmasetp.dll
2008-05-08 14:10 . 2008-04-13 19:11 121,856 --a------ C:\WINDOWS\system32\dllcache\camext30.dll
2008-05-08 14:10 . 2008-04-13 13:46 17,024 --a------ C:\WINDOWS\system32\dllcache\ccdecode.sys
2008-05-08 14:10 . 2008-04-13 13:36 13,952 --a------ C:\WINDOWS\system32\dllcache\cmbatt.sys
2008-05-08 14:10 . 2008-04-13 13:36 10,240 --a------ C:\WINDOWS\system32\dllcache\compbatt.sys
2008-05-08 14:10 . 2008-04-13 13:40 8,192 --a------ C:\WINDOWS\system32\dllcache\changer.sys
2008-05-08 14:09 . 2008-04-13 13:46 38,912 --a------ C:\WINDOWS\system32\dllcache\avc.sys
2008-05-08 14:09 . 2008-04-13 19:12 18,432 --a------ C:\WINDOWS\system32\dllcache\bdaplgin.ax
2008-05-08 14:09 . 2008-04-13 13:36 14,208 --a------ C:\WINDOWS\system32\dllcache\battc.sys
2008-05-08 14:09 . 2008-04-13 13:46 13,696 --a------ C:\WINDOWS\system32\dllcache\avcstrm.sys
2008-05-08 14:09 . 2008-04-13 13:46 11,776 --a------ C:\WINDOWS\system32\dllcache\bdasup.sys
2008-05-08 14:08 . 2008-04-13 14:27 2,188,928 --a------ C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-05-08 14:08 . 2008-04-13 13:46 53,376 --a------ C:\WINDOWS\system32\dllcache\1394bus.sys
2008-05-08 14:08 . 2008-04-13 13:46 48,128 --a------ C:\WINDOWS\system32\dllcache\61883.sys
2008-05-08 14:08 . 2008-04-13 13:40 12,288 --a------ C:\WINDOWS\system32\dllcache\4mmdat.sys
2008-05-08 13:59 . 2007-09-27 15:49 101,528 --a------ C:\WINDOWS\system32\drivers\RCFOX.SYS
2008-05-08 13:58 . 2008-05-08 13:58 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-05-08 13:58 . 2008-05-08 13:58 <DIR> d-------- C:\Documents and Settings\cvassil\Application Data\InstallShield
2008-05-08 13:58 . 2007-09-27 12:10 95,504 --a------ C:\WINDOWS\system32\RCIPHlp.dll
2008-05-08 13:58 . 2005-11-08 09:58 24,876 --a------ C:\WINDOWS\system32\drivers\rcvpn.sys
2008-05-08 12:16 . 2008-05-08 12:16 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-08 12:16 . 2008-05-08 12:16 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-08 12:16 . 2008-05-08 12:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-08 12:16 . 2008-05-08 12:16 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-08 11:57 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-08 10:43 . 2008-05-08 12:14 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 10:13 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-08 10:13 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-08 10:11 . 2001-08-17 13:28 765,884 --a------ C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-08 10:10 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-05-08 10:09 . 2008-04-13 19:11 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-05-08 10:08 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-08 10:07 . 2001-08-17 14:56 147,200 --a------ C:\WINDOWS\system32\dllcache\smidispb.dll
2008-05-08 10:06 . 2001-08-17 14:56 252,032 --a------ C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-05-08 10:05 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-05-08 10:04 . 2001-08-17 14:56 210,496 --a------ C:\WINDOWS\system32\dllcache\s3mvirge.dll
2008-05-08 10:03 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-05-08 05:40 . 2008-05-09 05:43 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-07 18:20 . 2008-05-08 23:46 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-07 18:20 . 2008-05-07 18:20 <DIR> d-------- C:\Program Files\AVG
2008-05-07 18:20 . 2008-05-07 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-07 18:20 . 2008-05-07 18:20 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-07 18:20 . 2008-05-07 18:20 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-07 18:19 . 2008-05-07 18:20 8,192 --a------ C:\Documents and Settings\Mark
2008-05-07 18:19 . 2008-05-07 18:20 8,192 --a------ C:\Documents and Settings\LSCHUL~1
2008-05-07 18:15 . 2004-08-04 05:00 131,584 --a------ C:\WINDOWS\system32\dllcache\pmxviceo.dll
2008-05-07 18:15 . 2004-08-04 05:00 83,748 --a------ C:\WINDOWS\system32\dllcache\prcp.nls
2008-05-07 18:15 . 2004-08-04 05:00 83,748 --a------ C:\WINDOWS\system32\dllcache\prc.nls
2008-05-07 18:15 . 2008-04-13 19:10 67,584 --a------ C:\WINDOWS\system32\dllcache\pmigrate.dll
2008-05-07 18:15 . 2001-08-17 13:53 17,792 --a------ C:\WINDOWS\system32\dllcache\ppa.sys
2008-05-07 18:15 . 2001-08-17 13:51 16,128 --a------ C:\WINDOWS\system32\dllcache\pscr.sys
2008-05-07 18:15 . 2004-08-04 05:00 11,264 --a------ C:\WINDOWS\system32\dllcache\pmxmcro.dll
2008-05-07 18:15 . 2001-08-17 13:53 7,168 --a------ C:\WINDOWS\system32\dllcache\pnrmc.sys
2008-05-07 18:15 . 2004-08-04 05:00 6,144 --a------ C:\WINDOWS\system32\dllcache\pmxgl.dll
2008-05-07 18:14 . 2008-04-13 19:11 482,304 --a------ C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-05-07 18:14 . 2008-04-13 19:10 175,104 --a------ C:\WINDOWS\system32\dllcache\pintlcsa.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 10:40 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-07 22:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-07 18:55 --------- d-----w C:\Program Files\Google
2008-05-07 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-07 02:43 --------- d-----w C:\Program Files\Java
2008-05-06 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-06 14:39 --------- d-----w C:\Program Files\Dell
2008-05-06 14:37 --------- d--h--w C:\Documents and Settings\cvassil\Application Data\Gtek
2008-05-06 14:37 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\GTek
2008-05-06 14:37 --------- d--h--w C:\Documents and Settings\administrator.SUSANDAVIS\Application Data\Gtek
2008-05-06 14:35 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\system32\dllcache\setupapi.dll
2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\system32\dllcache\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\system32\dllcache\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\dllcache\netsetup.exe
2008-04-14 00:12 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\dllcache\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\dllcache\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\dllcache\msafd.dll
2008-04-14 00:10 15,872 ----a-w C:\WINDOWS\system32\dllcache\padrs404.dll
2008-04-14 00:10 15,360 ----a-w C:\WINDOWS\system32\dllcache\padrs804.dll
2008-04-14 00:10 10,240 ----a-w C:\WINDOWS\system32\dllcache\tmigrate.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\dllcache\rdbss.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\dllcache\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\dllcache\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\dllcache\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\dllcache\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\dllcache\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\dllcache\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\dllcache\portcls.sys
2008-04-13 19:19 146,048 ------w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\dllcache\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\dllcache\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\dllcache\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\dllcache\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\dllcache\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\dllcache\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\dllcache\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\dllcache\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\dllcache\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\dllcache\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\dllcache\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\dllcache\tdi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\dllcache\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\dllcache\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\dllcache\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\dllcache\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\dllcache\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2005-03-13 11:45 8,432 --sha-w C:\WINDOWS\system32\drivers\lass.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 19:12 1695232]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 16:48 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 16:50 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 10:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 07:15 151552]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 15:31 63048]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-07 18:20 1177368]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2008-04-30 18:08 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-30043500-4002488749-863938596-1268\Scripts\Logon\0\0]
"Script"=mapdrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-30043500-4002488749-863938596-1268\Scripts\Logon\0\1]
"Script"=map2printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-30043500-4002488749-863938596-1268\Scripts\Logon\0\2]
"Script"=Rdrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-30043500-4002488749-863938596-1344\Scripts\Logon\0\0]
"Script"=mapdrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-30043500-4002488749-863938596-1344\Scripts\Logon\0\1]
"Script"=map2printers.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wbdh.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wbdh.lnk
backup=C:\WINDOWS\pss\wbdh.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apisvc]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsWnd]
C:\Program Files\Brownie\BrstsWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-07-21 16:47 81920 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-18 08:37 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-07 18:20]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2007-09-27 15:49]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-07 18:20]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 TSScheduleBackup;TimeslipsBackup;C:\WINDOWS\system32\TSSchBkpService.exe [2006-06-15 18:17]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 09:58]
S2 WinRAR Archiver;WinRAR Archiver;C:\Program Files\WinRAR\WinRARSyS.exe [2008-05-05 15:32]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 03:39]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-08-16 12:02]
S4 ccwiz;ccwiz;C:\WINDOWS\system32\ccproxy.exe []
S4 Jack Jones;Jack Jones installed;C:\WINDOWS\system\1sass.exe []
S4 Microsoft Windows help;ms help;C:\Program Files\Common Files\Microsoft Shared\MSINFO\Upseyup.exe [2008-05-03 11:59]
S4 Portable Media Serial;pms;C:\WINDOWS\UPsutup.exe []
S4 RCPP;RCPP;C:\Program Files\Messenger\MessengerSys [2008-05-05 09:26]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 19:21:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 10:20:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\RCPP]
"ImagePath"="C:\Program Files\Messenger\MessengerSys"
.
Completion time: 2008-05-09 10:20:49
ComboFix-quarantined-files.txt 2008-05-09 15:20:46

Pre-Run: 223,293,870,080 bytes free
Post-Run: 223,290,163,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

357 --- E O F --- 2008-05-09 08:04:15
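The "Remaining Services" block of the ComboFix log above is where the leftover persistence shows: several S4 (disabled) services point at C:\WINDOWS\system\1sass.exe (a near-copy of the lsass.exe name, next to the lass.exe that SDFix deleted), at C:\WINDOWS\UPsutup.exe and C:\WINDOWS\system32\ccproxy.exe with empty `[]` brackets where the other entries carry a file date, and at C:\Program Files\Messenger\MessengerSys, an image with no file extension; a few lines earlier the firewall policy shows `"EnableFirewall"= 0`. The script below is an added example, not part of techfem's post and not code from SDFix or ComboFix: it parses service lines in ComboFix's format and flags them with simple heuristics. The sample input is copied from the log above; the heuristics, the list of imitated Windows binaries, and the reading of an empty `[]` as "image file could not be dated, probably missing" are the editor's assumptions.

```python
from __future__ import annotations

import re

# Constructed sample: the firewall policy line and a subset of the
# "Remaining Services" lines copied verbatim from the ComboFix log above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-07 18:20]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 09:58]
S2 WinRAR Archiver;WinRAR Archiver;C:\Program Files\WinRAR\WinRARSyS.exe [2008-05-05 15:32]
S4 ccwiz;ccwiz;C:\WINDOWS\system32\ccproxy.exe []
S4 Jack Jones;Jack Jones installed;C:\WINDOWS\system\1sass.exe []
S4 Microsoft Windows help;ms help;C:\Program Files\Common Files\Microsoft Shared\MSINFO\Upseyup.exe [2008-05-03 11:59]
S4 Portable Media Serial;pms;C:\WINDOWS\UPsutup.exe []
S4 RCPP;RCPP;C:\Program Files\Messenger\MessengerSys [2008-05-05 09:26]
"""

# Windows process names that malware commonly imitates (editor's list, an assumption).
SYSTEM_BINARIES = sorted({
    "lsass.exe", "svchost.exe", "csrss.exe", "smss.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "spoolsv.exe",
})

# ComboFix service line: "<R|S><start type> <name>;<display name>;<image path> [<file date or empty>]"
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]*);([^;]*);(.+?) \[([^\]]*)\]\s*$")
# Windows Firewall policy switched off in the standard profile.
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.MULTILINE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def service_reasons(path: str, stamp: str) -> list[str]:
    """Apply the heuristics to one image path; each hit becomes a readable reason."""
    directory, _, base = path.rpartition("\\")   # split on backslash regardless of host OS
    dir_l, base_l = directory.lower(), base.lower()
    reasons = []
    if stamp.strip() == "":
        reasons.append("no file date in brackets (image file not found when scanned)")
    if "." not in base_l:
        reasons.append("image has no file extension")
    if dir_l in ("c:\\windows", "c:\\windows\\system"):
        reasons.append("image in Windows root or legacy \\system directory")
    for legit in SYSTEM_BINARIES:
        if base_l == legit:
            if not dir_l.endswith("\\system32"):
                reasons.append(f"{legit} outside system32")
        elif edit_distance(base_l, legit) <= 1:
            # one substitution or deletion away, e.g. 1sass.exe or lass.exe vs lsass.exe
            reasons.append(f"lookalike of {legit}")
    return reasons


def triage(log_text: str) -> dict[str, dict]:
    """Parse every service line and return {service name: details} for the flagged ones."""
    flagged = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, start_type, name, display, path, stamp = m.groups()
        reasons = service_reasons(path, stamp)
        if reasons:
            flagged[name] = {
                "display": display,
                "path": path,
                "running": state == "R",        # R = running, S = stopped
                "start_type": int(start_type),  # 4 = disabled
                "reasons": reasons,
            }
    return flagged


def firewall_disabled(log_text: str) -> bool:
    """True when the log carries an EnableFirewall=0 policy line."""
    return FIREWALL_OFF_RE.search(log_text) is not None


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(f"{name!r} -> {info['path']} (start type {info['start_type']})")
        for reason in info["reasons"]:
            print("   -", reason)
    print("Windows Firewall disabled:", firewall_disabled(SAMPLE_LOG))
```

On the sample input this flags ccwiz, Jack Jones, Portable Media Serial and RCPP and leaves the AVG, SonicWALL and WinRAR entries alone. Note what it does not catch: "Microsoft Windows help" (Upseyup.exe) has a valid extension, a file date and a plausible directory, so it passes these heuristics even though SDFix listed the same file with hidden and system attributes; the script narrows the list for a human, it does not replace reading the whole log. Disabled (S4) services whose image no longer exists are the orphaned registry entries a cleanup typically leaves behind, and the firewall being off is worth a separate check on a machine that connects over VPN.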