
New Member Checking Host for Problems

Discussion in 'Malware and Virus Removal Archive' started by TampaTeacher, 2007/03/01.

  1. 2007/03/01
    TampaTeacher

    I just joined, so I am unfamiliar with the preferred method of posting Hijack and SDFix logs. So here they are. Please advise if there is a different thread for this sort of thing. I will have more in the future since I support many computers and servers. I am not reporting a particular problem, but I would like to know how I should proceed. Maybe there is a problem with this host of which I am unaware. This host is WinXP SP2, P4 2.6 GHz, 1 GB RAM, HP D530 CMT. Host exists in an Altiris Deployment Solution managed environment.

    I just found this thread. Sorry about the post in the WinXP forum. I should browse more in the future.

    Report.txt SDFix >>>

    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\system32\TFTP1356 - Deleted



    ADS Check:




    Final Check:

    Remaining Services:
    ------------------


    Rootkit huy32 maybe active, Use a Rootkit scanner!
    Rootkit PE386 maybe active, Use a Rootkit scanner!
    Rootkit lzx32 maybe active, Use a Rootkit scanner!
    Rootkit msguard maybe active, Use a Rootkit scanner!

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service"
    "C:\\Program Files\\Hewlett-Packard\\PNM\\server\\bin\\TMServer.exe"="C:\\Program Files\\Hewlett-Packard\\PNM\\server\\bin\\TMServer.exe:*:Enabled:Traffic Monitor Server"
    "C:\\Program Files\\Hewlett-Packard\\PNM\\server\\bin\\Trafficd.exe"="C:\\Program Files\\Hewlett-Packard\\PNM\\server\\bin\\Trafficd.exe:*:Enabled:Traffic Data Collector"
    "C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:javaw"
    "\\\\9529-win2k-a04\\eXpress\\eXpress.exe"="\\\\9529-win2k-a04\\eXpress\\eXpress.exe:*:Enabled:Altiris eXpress Management Console"
    "C:\\Program Files\\Faronics\\Faronics Anti-Executable Enterprise\\AE Install Programs\\AEConsole.exe"="C:\\Program Files\\Faronics\\Faronics Anti-Executable Enterprise\\AE Install Programs\\AEConsole.exe:*:Enabled:Faronics Anti-Executable Server Console"
    "C:\\apache\\mysql\\bin\\mysqld.exe"="C:\\apache\\mysql\\bin\\mysqld.exe:*:Enabled:mysqld"
    "C:\\apache\\apache\\bin\\Apache.exe"="C:\\apache\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
    "C:\\Program Files\\Hewlett-Packard\\PNM\\jre\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\PNM\\jre\\bin\\javaw.exe:*:Enabled:javaw"
    "C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
    "C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
    "\\\\0362-win2k-a01\\eXpress\\express.exe"="\\\\0362-win2k-a01\\eXpress\\express.exe:*:Enabled:Altiris eXpress Management Console"
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
    "\\\\0362-win2k-a01\\express\\Deployment Server\\eXpress.exe"="\\\\0362-win2k-a01\\express\\Deployment Server\\eXpress.exe:*:Enabled:Altiris eXpress Management Console"
    "C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"


    Remaining Files:
    ---------------



    Checking For Files with Hidden Attributes :

    C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
    C:\RECYCLER\S-1-5-21-2959193006-2821849970-3303503316-500\Dc53.tmp

    Add/Remove Programs List:

    Academy Server
    Adobe Acrobat 7.0 Professional
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe InDesign 2.0.2
    Adobe Photoshop 7.0.1
    Adobe SVG Viewer 3.0
    Altiris eXpress Deployment Console
    Certification Preparation
    MetaFrame Presentation Server Web Client for Win32
    Intel A/V Codecs V2.0
    DebugMode Wink
    Microsoft Windows XP Video Decoder Checkup Utility
    Enhanced A+ Computer-Based Training
    hp cp1160
    Microsoft Internationalized Domain Names Mitigation APIs
    Imation Disk Manager II Service
    QuickTime
    Broadcom Driver Installer
    Bonjour
    Microsoft Data Access Components KB870669
    LiveUpdate 2.6 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Mozilla Firefox (2.0.0.1)
    Mozilla Firefox (2.0.0.2)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft National Language Support Downlevel APIs
    NoAd HOSTS file (remove only)
    NVIDIA Windows 2000/XP Display Drivers
    NVIDIA Display Driver
    PrimoPDF
    Microsoft Office Professional Plus 2007 (Beta)
    RealPlayer
    Shockwave
    Macromedia Flash Player 8
    SkillsBank4
    USB Storage Adapter FX (SM1)
    SmartUndelete
    All-Purpose Letters
    All-Purpose Resumes
    All-Purpose Resumes (C:\\Program Files\\All-Purpose Resumes\\)
    TRS Student Management System
    Tweak UI
    Windows XP Service Pack 2
    WinPcap 3.0
    WinVNC 3.3.3
    WinZip
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Yahoo! Toolbar
    Notifier
    hex(2):53,00,63,00,61,00,6e,00,53,00,6f,00,66,00,74,00,20,00,52,\
    Macromedia Dreamweaver MX 2004
    ShowBiz
    ESSSONIC
    OmniPage Pro 12.0
    Windows Installer Clean Up
    Nature Theme 2 Nature
    PIXELA ImageMixer
    ESSPCD
    HLPPDOCK
    Microsoft Producer for Microsoft Office PowerPoint 2003
    Image Resizer Powertoy for Windows XP
    essvatgt
    Cypress USB Mass Storage Driver Installation
    Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
    Magnifier Powertoy for Windows XP
    Microsoft Office Professional Plus 2007 (Beta)
    Microsoft Office Access MUI (English) 2007 (Beta)
    Microsoft Office Excel MUI (English) 2007 (Beta)
    Microsoft Office PowerPoint MUI (English) 2007 (Beta)
    Microsoft Office Publisher MUI (English) 2007 (Beta)
    Microsoft Office Outlook MUI (English) 2007 (Beta)
    Microsoft Office Word MUI (English) 2007 (Beta)
    Microsoft Office Proof (English) 2007 (Beta)
    Microsoft Office Proof (French) 2007 (Beta)
    Microsoft Office Proof (Spanish) 2007 (Beta)
    Microsoft Office InfoPath MUI (English) 2007 (Beta)
    Microsoft Office Shared MUI (English) 2007 (Beta)
    J2SE Runtime Environment 5.0 Update 6
    Microsoft XML Parser and SDK
    QuickTime
    TechNet Library - English (October 2005)
    Macromedia Flash MX
    OTtBPSDK
    Microsoft Windows Journal Viewer
    HTML Slideshow Powertoy for Windows XP
    CorelDRAW Graphics Suite 12
    ShareIns
    FirstClassr Client
    Windows Server 2003 Administration Tools Pack
    MyDVD
    SHASTA
    Advanced System Optimizer 2
    ESSBrwr
    CmdHere Powertoy For Windows XP
    Microsoft .NET Framework 2.0
    MSXML 4.0 SP2 Parser and SDK
    Scan Manager 5.1
    ESShelp
    PrimoPDF Redistribution Package
    staticcr
    CDBurnerXP Pro 3
    ESSTOOLS
    Intel(R) Extreme Graphics Driver
    Macromedia FreeHand MX
    ECHO is off.
    ESSini
    Microsoft Office FrontPage 2003
    Microsoft Office XP Media Content
    Microsoft Visio Professional 2002 [English]
    ESSgui
    Macromedia Fireworks MX
    Roxio Burn Engine
    InterVideo WinDVD
    VPRINTOL
    ESScore
    Technical Information: February 2004
    Symantec AntiVirus
    Macromedia Extension Manager
    Macromedia Captivate
    DRAWingsr Embroidery Effect
    Roxio Easy Media Creator 7
    TechNet Library - English (November 2005)
    Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
    Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
    Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
    Adobe Acrobat 7.0 Professional
    Adobe Reader 7.0.8
    ESSCDBK
    WordPerfect Office 12
    Historical Monuments
    OfotoXMI
    CCScore
    Network Probe 0.5
    KSU
    Napster
    B57Inst
    ClearType Tuning Control Panel Applet
    Microsoft .NET Framework 1.1
    Hummingbird HostExplorer V8.0
    Microsoft Color Control Panel Applet for Windows XP
    essvcpt
    Kodak EasyShare software
    SFR
    Bonjour
    Microsoft Plus! for Windows XP
    kgcbase
    SKINXSDK
    OTtBP
    WIRELESS
    ESSPDock
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    SKIN0001

    Finished


    HijackThis.log >>>

    Logfile of HijackThis v1.99.1
    Scan saved at 10:17:13 AM, on 3/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\UStorSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\boylet\Desktop\Desktop\Utilities\NortonUpdater\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://168.254.184.52/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: mapP.cmd
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\boylet\Application Data\Mozilla\Firefox\Profiles\z3er3182.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\boylet\Application Data\Mozilla\Firefox\Profiles\z3er3182.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O15 - Trusted Zone: *.sdhc.k12.fl.us
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/abarth/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137604565858
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147196073420
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca06.custhelp.com/6011-b355h/rnl/java/RntX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mysdhc.net
    O17 - HKLM\Software\..\Telephony: DomainName = mysdhc.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mysdhc.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mysdhc.net
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: wincnw32 - wincnw32.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: CodeBase DataBase Server (AcadDBServ) - Unknown owner - m:\\server\S4service_654.exe (file missing)
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Academy Timer Server (TimerSvr) - Unknown owner - m:\\server\TimerSvr.exe (file missing)
    O23 - Service: Tinyweb - Unknown owner - C:\Program Files\Discourse\Tinyweb\srvany.exe
    O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
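Added example, not part of TampaTeacher's post and not code from SDFix, HijackThis or ComboScan: a small triage script that reads a pasted HijackThis log plus the SDFix firewall-exception export and pulls out the entries a responder would check first. Run over the lines above it flags the wincnw32 Winlogon Notify entry whose DLL is missing, the mapP.cmd script in the All Users Startup folder, the AcadDBServ and rpcapd services whose binaries are missing (AcadDBServ also lives on a mapped drive), the srvany.exe wrapper behind the Tinyweb service, the bare-IP start page, and the firewall exceptions for rundll32.exe and for executables on UNC shares. The sample lines are excerpts copied from the logs in this thread (the "@" in the sessmgr entry is the real registry value, which the forum had rendered as a smiley); the reason strings are my reading of each entry, not the forum's. The SDFix line about the removed C:\WINDOWS\system32\TFTP1356 file is outside what this parser looks at.

```python
"""Triage of a pasted HijackThis log and SDFix firewall-exception export.

Added example for this thread, not code from SDFix, HijackThis or ComboScan.
The sample lines are excerpts copied from the logs posted above (the '@' in
the sessmgr entry is the real value, which the forum had rendered as a smiley).
"""
import re
from dataclasses import dataclass

SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://168.254.184.52/index.php
O4 - Global Startup: Kodak EasyShare software.lnk = Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: mapP.cmd
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: wincnw32 - wincnw32.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: CodeBase DataBase Server (AcadDBServ) - Unknown owner - m:\\server\S4service_654.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Tinyweb - Unknown owner - C:\Program Files\Discourse\Tinyweb\srvany.exe
"""

SAMPLE_FIREWALL = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"\\\\0362-win2k-a01\\eXpress\\express.exe"="\\\\0362-win2k-a01\\eXpress\\express.exe:*:Enabled:Altiris eXpress Management Console"
"C:\\apache\\apache\\bin\\Apache.exe"="C:\\apache\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"""


@dataclass
class Finding:
    source: str   # "HJT" or "FW"
    item: str     # the entry the finding is about
    reason: str


# Programs that run whatever they are handed; an exception for them is an exception for anything.
GENERIC_HOSTS = {"rundll32.exe", "regsvr32.exe", "javaw.exe", "java.exe",
                 "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".pif")

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
O4G_RE = re.compile(r"^O4 - Global Startup: (?P<item>.+)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>.+)$")
REG_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')
NON_C_OR_UNC_RE = re.compile(r"^([d-zD-Z]:\\|\\\\)")
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def triage_hjt(text):
    """Flag the HijackThis entries worth a second look."""
    out = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := O23_RE.match(line):
            svc, owner, path = m["display"], m["owner"], m["path"]
            if path.endswith("(file missing)"):
                out.append(Finding("HJT", svc, "service registered but its binary is gone: leftover, bad ImagePath quoting, or self-removed"))
            if owner == "Unknown owner" and NON_C_OR_UNC_RE.match(path):
                out.append(Finding("HJT", svc, "unattributed service binary on a mapped or network drive"))
            if path.lower().endswith("srvany.exe"):
                out.append(Finding("HJT", svc, "srvany wrapper: the real program is in the service's Parameters\\Application value"))
        elif m := O20_RE.match(line):
            if m["dll"].endswith("(file missing)"):
                out.append(Finding("HJT", m["name"], "Winlogon Notify package whose DLL is gone; winlogon still tries to load it at every logon"))
            elif "\\" not in m["dll"]:
                out.append(Finding("HJT", m["name"], "Winlogon Notify DLL given by bare name, resolved through the DLL search path"))
        elif m := O4G_RE.match(line):
            if " = " not in m["item"] and m["item"].lower().endswith(SCRIPT_EXT):
                out.append(Finding("HJT", m["item"], "script in the All Users Startup folder with no target shown; read it"))
        elif m := R0_RE.match(line):
            if BARE_IP_URL_RE.match(m["url"]):
                out.append(Finding("HJT", m["url"], "IE start page is a bare IP address; confirm it is the intended intranet server"))
        elif m := O10_RE.match(line):
            out.append(Finding("HJT", m["dll"], "Winsock LSP HijackThis does not know; identify the vendor before touching it, a broken LSP chain kills networking"))
    return out


def triage_firewall(text):
    """Flag enabled Windows Firewall application exceptions that are broader than they look."""
    out = []
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        parts = m["value"].replace("\\\\", "\\").rsplit(":", 3)  # <path>:<scope>:<state>:<description>
        if len(parts) != 4 or parts[2].lower() != "enabled":
            continue
        path = parts[0]
        if path.rsplit("\\", 1)[-1].lower() in GENERIC_HOSTS:
            out.append(Finding("FW", path, "exception for a generic host program; whatever it loads inherits the exception"))
        if path.startswith("\\\\"):
            out.append(Finding("FW", path, "exception for an executable on a network share"))
    return out


def triage(hjt_text, firewall_text):
    return triage_hjt(hjt_text) + triage_firewall(firewall_text)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_FIREWALL):
        print(f"{f.source}: {f.item}\n    {f.reason}")
```

Paste a full HijackThis log and the SDFix "Authorized Application Key Export" block in place of the two samples and the findings come out in log order. The checks are deliberately narrow (missing binaries, unusual locations, generic hosts, network shares) so that clean entries such as AClient, NavLogon or Apache are not flagged.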
     
  2. 2007/03/08
    Blender

    Hi and welcome!

    You are in the correct forum. :)

    Your SDFix log shows possible rootkit activity. I never did see all 4 rootkits it flags in a log before!

    If all 4 of these are indeed present, this is one seriously compromised system.
    Do you notice a horrific amount of internet/network activity? Email virus scanners going crazy? (Norton constantly scanning outgoing email?)

    Before I jump the gun though... let's look further please.

    Download ComboScan to your Desktop:

    http://www.techsupportforum.com/sectools/Deckard/comboscan.exe

    Close all applications and windows.
    Double-click on comboscan.exe to run it, and follow the prompts.
    When the scan is complete, a text file will open - ComboScan.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt here.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Please copy/paste Supplementary.txt here.

    Next:

    Download Gmer from here:

    http://www.gmer.net/gmer.zip

    Unzip it.
    Disconnect from the internet & shut down your antivirus to prevent conflicts.
    Also shut down any other unneeded apps, including any open browser windows.
    The less we have running, the less chance of false positives in the log.
    Double click gmer.exe to run it.
    Allow the driver to install if asked (gmer.sys).
    You may get a warning at program start that there is possible rootkit activity, asking whether you want to run a scan.

    Say OK to run the scan.
    If there is no warning, just press "Scan".
    Let the scan finish.
    Once done, press "Copy".
    Open Notepad and press Ctrl+V to paste the log.
    Save the log.

    Re-enable your antivirus, reconnect to the internet & post that log here.

    Thanks

    Tammy
     


  4. 2007/03/08
    ldaschle

    Might be something else

    Ok, I know that the D530 model has a huge problem with blowing capacitors on the motherboard. I have seen the computer do many weird things when this happens. It might be a good idea just to pop that cover off and check all the capacitors on the board to make sure none of them are popped up.
    -Lance
     
  5. 2007/03/08
    Blender

    TampaTeacher:

    I'm thinking those detections may be false positives. I do find it hard to believe all 4 of these malwares would be present on one PC without you having serious crashing issues or similar instability. These particular rootkits that are flagged are notoriously unstable and you would *know* there was something very wrong.

    When you ran SDFix do you remember blocking one or more services from being installed? (lzx32, pe386, huy32, msguard)

    While ComboScan is running, please don't block any services it tries to install. This will only be temporary. They will be removed once the tool has run.

    Thanks
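Added example, not part of Blender's post and not SDFix's code. Blender's question about "blocking one or more services from being installed (lzx32, pe386, huy32, msguard)" reads as SDFix testing each rootkit name by trying to install a service under it, and that is what the probe below does through the Win32 service API; that reading of SDFix's method, and the verdict mapping, are my assumptions. The cross-view logic: if OpenService says no such service exists but CreateService refuses the name as already taken, the Service Control Manager knows a service it will not show you, which is what a rootkit hiding its own service looks like. If CreateService succeeds the name was free (the probe service is never started and is deleted immediately). If it fails with access denied, either you are not Administrator or something vetoed the install; this host has Faronics Anti-Executable components on it, and a product like that blocking SDFix's test services is exactly the false-positive case Blender describes. The live probe needs Windows and an elevated prompt; on anything else only verdict() is usable.

```python
"""Probe for a service hidden under a known rootkit service name.

Added example for this thread, not SDFix's code.  Blender's question about
"blocking one or more services from being installed (lzx32, pe386, huy32,
msguard)" reads as SDFix testing each name by trying to install a service
under it; this re-implements that idea through the Win32 service API.  That
reading of how SDFix works is an assumption, as is the verdict mapping.
Run it as Administrator on Windows; it creates a never-started probe service
and deletes it again.  On other platforms only verdict() is usable.
"""
import ctypes
import sys

ROOTKIT_SERVICE_NAMES = ("huy32", "PE386", "lzx32", "msguard")  # names from the SDFix log above

# winsvc.h / winerror.h constants
SC_MANAGER_CONNECT = 0x0001
SC_MANAGER_CREATE_SERVICE = 0x0002
SERVICE_QUERY_STATUS = 0x0004
DELETE = 0x00010000
SERVICE_WIN32_OWN_PROCESS = 0x0010
SERVICE_DEMAND_START = 0x0003
SERVICE_ERROR_IGNORE = 0x0000
ERROR_ACCESS_DENIED = 5
ERROR_SERVICE_DOES_NOT_EXIST = 1060
ERROR_SERVICE_MARKED_FOR_DELETE = 1072
ERROR_SERVICE_EXISTS = 1073
ERROR_DUPLICATE_SERVICE_NAME = 1078


def verdict(open_error, create_error):
    """Interpret the Win32 error codes (0 = success) from OpenServiceW and CreateServiceW."""
    if open_error == 0:
        return "present"         # a listed service uses the rootkit's name: inspect it
    if open_error != ERROR_SERVICE_DOES_NOT_EXIST:
        return "error-open-%d" % open_error
    if create_error == 0:
        return "absent"          # the probe could take the name, so nothing was hiding under it
    if create_error in (ERROR_SERVICE_EXISTS, ERROR_DUPLICATE_SERVICE_NAME):
        return "hidden"          # the SCM refuses the name but will not show a service by it
    if create_error == ERROR_SERVICE_MARKED_FOR_DELETE:
        return "pending-delete"  # an earlier probe or removal is waiting on a reboot
    if create_error == ERROR_ACCESS_DENIED:
        return "blocked"         # not Administrator, or a HIPS vetoed the install: inconclusive
    return "error-create-%d" % create_error


def _advapi32():
    """Load advapi32 and declare the handle/string signatures of the calls used below."""
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    H, W, U = ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_uint32
    adv.OpenSCManagerW.restype, adv.OpenSCManagerW.argtypes = H, (W, W, U)
    adv.OpenServiceW.restype, adv.OpenServiceW.argtypes = H, (H, W, U)
    adv.CreateServiceW.restype = H
    adv.CreateServiceW.argtypes = (H, W, W, U, U, U, U, W, W, ctypes.POINTER(U), W, W, W)
    adv.DeleteService.argtypes = (H,)
    adv.CloseServiceHandle.argtypes = (H,)
    return adv


def probe(name):
    """Try OpenService, then CreateService, under `name`; return the verdict."""
    adv = _advapi32()
    scm = adv.OpenSCManagerW(None, None, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE)
    if not scm:
        raise OSError(ctypes.get_last_error(), "OpenSCManagerW failed; run as Administrator")
    try:
        h = adv.OpenServiceW(scm, name, SERVICE_QUERY_STATUS)
        if h:
            adv.CloseServiceHandle(h)
            return verdict(0, 0)
        open_err = ctypes.get_last_error()
        if open_err != ERROR_SERVICE_DOES_NOT_EXIST:
            return verdict(open_err, 0)
        # Demand-start and never started, so the binary path is irrelevant; the interpreter will do.
        h = adv.CreateServiceW(scm, name, name + " (probe)", DELETE, SERVICE_WIN32_OWN_PROCESS,
                               SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, sys.executable,
                               None, None, None, None, None)
        create_err = 0 if h else ctypes.get_last_error()
        if h:
            adv.DeleteService(h)   # remove the probe right away
            adv.CloseServiceHandle(h)
        return verdict(open_err, create_err)
    finally:
        adv.CloseServiceHandle(scm)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the live probe needs Windows; only verdict() works elsewhere")
    for n in ROOTKIT_SERVICE_NAMES:
        print("%-8s %s" % (n, probe(n)))
```

A "hidden" verdict on any of the four names is worth a GMER run; a "blocked" verdict on all four at once, on a host with an application-whitelisting agent, is the signature of the false positive rather than of four rootkits.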
     
  6. 2007/03/09
    TampaTeacher

    Thanks for that feedback. I am downloading and keeping all of the utilities you mentioned. I also got a copy of Process Explorer. That is very informative. I will say this... while I was waiting for some interpretation of the Hijack logs and other information I posted, I decided that the machine probably was too goobered up to pursue fixing. I took the more drastic step of removing and replacing the partition and reinstalling everything from the ground up. Now with the additional utilities and advice, I am better prepared to prevent a repeat. Sometimes we try too hard to avoid the one guaranteed solution: "When in doubt, reinstall."

    Thank you, again. This site is very good for users because of feedback like yours.
     
  7. 2007/03/09
    TampaTeacher

    Re-Post of Scans

    "Before I jump the gun though... let's look further please."

    Did those scans. TXT results are shown below:

    ComboScan v20070306.20 run by boylet on 2007-03-09 at 15:30:20
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as boylet.exe) ----------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 3:30:22 PM, on 3/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UStorSrv.exe
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Documents and Settings\boylet\Desktop\comboscan.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\DOCUME~1\boylet\Desktop\Desktop\UTILIT~1\NORTON~1\boylet.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://168.254.184.52/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: mapP.cmd
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\boylet\Application Data\Mozilla\Firefox\Profiles\z3er3182.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\boylet\Application Data\Mozilla\Firefox\Profiles\z3er3182.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: *.sdhc.k12.fl.us
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/abarth/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137604565858
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147196073420
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca06.custhelp.com/6011-b355h/rnl/java/RntX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mysdhc.net
    O17 - HKLM\Software\..\Telephony: DomainName = mysdhc.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mysdhc.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mysdhc.net
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: wincnw32 - wincnw32.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: CodeBase DataBase Server (AcadDBServ) - Unknown owner - m:\\server\S4service_654.exe (file missing)
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Academy Timer Server (TimerSvr) - Unknown owner - m:\\server\TimerSvr.exe (file missing)
    O23 - Service: Tinyweb - Unknown owner - C:\Program Files\Discourse\Tinyweb\srvany.exe
    O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe


    -- Files created between 2007-02-09 and 2007-03-09 -----------------------------

    2007-03-09 14:24:21 80 --a------ C:\WINDOWS\gmer_uninstall.cmd<GMER_U~1.CMD>
    2007-03-09 14:20:42 0 d------c- Z:\ComboScan<COMBOS~1>
    2007-03-01 09:33:01 331 -------c- Z:\clean.reg
    2007-02-22 13:53:50 0 d------c- Z:\Roxio


    -- Find3M Report ---------------------------------------------------------------

    2007-03-09 14:58:00 0 d-------- C:\Program Files\Symantec AntiVirus<SYMANT~2>
    2007-03-02 13:40:16 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
    2007-03-01 14:55:37 0 d-------- C:\Program Files\Certification Preparation<CERTIF~1>
    2007-03-01 14:51:15 0 d-------- C:\Program Files\CDBurnerXP Pro 3<CDBURN~1>
    2007-03-01 14:39:30 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
    2007-02-15 13:09:58 0 d-------- C:\Program Files\FirstClass<FIRSTC~1>
    2007-01-30 08:46:20 0 d-------- C:\Documents and Settings\boylet\Application Data\AdobeUM
    2007-01-29 03:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
    2007-01-26 15:12:53 0 d-------- C:\Program Files\Kodak
    2007-01-26 15:11:35 0 d-------- C:\Program Files\Common Files\Kodak
    2007-01-09 10:43:57 2044 -------c- Z:\WSUS2update.reg<WSUS2U~1.REG>
    2006-12-19 16:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
    2006-12-19 13:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
    2006-12-14 08:45:53 981760 --a------ C:\WINDOWS\system32\mfc42u.dll


    -- Registry Dump ---------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray "= "C:\\WINDOWS\\System32\\igfxtray.exe "
    "HotKeysCmds "= "C:\\WINDOWS\\System32\\hkcmd.exe "
    "HPDJ Taskbar Utility "= "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe "
    "NvCplDaemon "= "RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup "
    "Synchronization Manager "=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
    73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
    00
    "nwiz "= "nwiz.exe /install "
    "AClntUsr "= "C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE "
    "ISUSPM Startup "= "C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup "
    "ISUSScheduler "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start "
    "LexStart "= "lexstart.exe "
    "SM1BG "= "C:\\WINDOWS\\SM1BG.EXE "
    "ccApp "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "vptray "= "C:\\PROGRA~1\\SYMANT~2\\VPTray.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "TSClientMSIUninstaller "= "cmd.exe /C \ "cscript %systemroot%\\Installer\\TSClientMsiTrans\\tscuinst.vbs\" "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
    "TSClientMSIUninstaller "= "cmd.exe /C \ "cscript %systemroot%\\Installer\\TSClientMsiTrans\\tscuinst.vbs\" "


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj "= "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceActiveDesktopOn "=dword:00000001

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincnw32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ERASERUTILDRVI1
    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SPBBCSVC


    -- End of ComboScan: finished at 2007-03-09 at 15:30:50 ------------------------

    GMER 1.0.12.12086 - http://www.gmer.net
    Rootkit scan 2007-03-09 15:26:02
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT 84A82EF0 ZwAlertResumeThread
    SSDT 853D9740 ZwAlertThread
    SSDT 84DC0AC0 ZwAllocateVirtualMemory
    SSDT 85E88F98 ZwConnectPort
    SSDT 85544FC0 ZwCreateThread
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
    SSDT 85440198 ZwFreeVirtualMemory
    SSDT 86015F00 ZwImpersonateAnonymousToken
    SSDT 85647F88 ZwImpersonateThread
    SSDT 856F17A0 ZwMapViewOfSection
    SSDT 860298A0 ZwOpenProcessToken
    SSDT 85D50B40 ZwOpenThreadToken
    SSDT 85779160 ZwQueryValueKey
    SSDT 85AA7848 ZwResumeThread
    SSDT 85597BC0 ZwSetContextThread
    SSDT 85A41720 ZwSetInformationProcess
    SSDT 84B3F378 ZwSetInformationThread
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
    SSDT 85547AE0 ZwSuspendProcess
    SSDT 84D53058 ZwSuspendThread
    SSDT 85F2E780 ZwTerminateProcess
    SSDT 8573F2A0 ZwTerminateThread
    SSDT 857CD850 ZwUnmapViewOfSection
    SSDT 85A46C30 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!ZwYieldExecution + 33C 804EBB76 2 Bytes [ 77, 85 ]
    ---- Processes - GMER 1.0.12 ----

    Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1140] 0x16080000

    ---- Registry - GMER 1.0.12 ----

    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
    Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0

    ---- EOF - GMER 1.0.12 ----

    Thanks: Tom
     
  8. 2007/03/10
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Sorry to hear you had to rebuild. Sometimes that is the best way though.
    Especially if there is sensitive info stored on the machine.
    Unfortunately though many people don't have the resources to do it.

    These latest logs were produced before you rebuilt?
     
