
Active by Admin Request: BSOD with STOP code 0x000000F7 (buffer overrun)

Discussion in 'Malware and Virus Removal Archive' started by CUISTech, 2009/08/11.

  1. 2009/08/11
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by [CUISTech] at 14:54:30.11 on Tue 08/11/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.443 [GMT -5:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    c:\program files\vsoft\automatic file transfer service\automaticfiletransferwindowsservice.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\[CUISTech]\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    mDefault_Page_URL = hxxp://intranet
    uInternet Settings,ProxyServer = 10.1.3.50:3128
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Scan Panel] "c:\program files\canon electronics\scan panel\drpanel.exe" /Stay
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    uExplorerRun: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
    uExplorerRun: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
    uExplorerRun: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remote~1.lnk - c:\program files\symitar\sfw\RemoteAdminServer.exe
    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239718365265
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    TCP: {E7FDC948-4B01-4CB6-9EC4-2C5FB49280A8} = 10.1.3.6,10.1.3.8
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R2 AutomaticFileTransferService;AutomaticFileTransferService;c:\program files\vsoft\automatic file transfer service\AutomaticFileTransferWindowsService.exe [2006-8-30 20480]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-6-25 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-6-25 108392]
    R2 Ranger Log;Ranger Log;c:\program files\silver bullet technology\ranger\tools\log service\Rangerlogservice.exe [2006-4-5 32768]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-6-25 2440632]
    R2 VSoftECLServicePG;VSoftECLServicePG;c:\vsofteclservice\VSoftECLServicePG.exe [2009-5-7 110592]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090517.021\NAVENG.SYS [2009-5-17 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090517.021\NAVEX15.SYS [2009-5-17 876144]

    =============== Created Last 30 ================

    2009-07-29 07:56 17,408 -c------ c:\windows\system32\dllcache\corpol.dll
    2009-07-15 04:52 119,808 -c------ c:\windows\system32\dllcache\t2embed.dll
    2009-07-15 04:52 81,920 -c------ c:\windows\system32\dllcache\fontsub.dll
    2009-07-14 17:23 0 a------- C:\t14o.1

    ==================== Find3M ====================

    2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
    2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
    2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
    2009-06-25 17:54 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-06-25 17:54 60,800 a------- c:\windows\system32\S32EVNT1.DLL
    2009-06-25 17:54 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-06-25 17:54 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
    2009-06-25 12:52 319,920 a------- c:\windows\system32\drivers\srtspl.sys
    2009-06-25 12:52 280,112 a------- c:\windows\system32\drivers\srtsp.sys
    2009-06-25 12:52 107,848 a------- c:\windows\system32\SymVPN.dll
    2009-06-25 12:52 49,480 a------- c:\windows\system32\FwsVpn.dll
    2009-06-25 12:52 43,824 a------- c:\windows\system32\drivers\srtspx.sys
    2009-06-25 12:52 7,372 a------- c:\windows\system32\drivers\srtspl.cat
    2009-06-25 12:52 7,368 a------- c:\windows\system32\drivers\srtsp.cat
    2009-06-25 12:52 7,359 a------- c:\windows\system32\drivers\srtspx.cat
    2009-06-25 12:52 1,431 a------- c:\windows\system32\drivers\srtspl.inf
    2009-06-25 12:52 1,422 a------- c:\windows\system32\drivers\srtspx.inf
    2009-06-25 12:52 1,416 a------- c:\windows\system32\drivers\srtsp.inf
    2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
    2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
    2009-05-06 13:19 103,720 a------- c:\documents and settings\[CUISTech]\GoToAssistDownloadHelper.exe

    ============= FINISH: 14:54:59.89 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/13/2009 11:37:37 AM
    System Uptime: 8/7/2009 10:30:32 AM (100 hours ago)

    Motherboard: Dell Inc. | | 0M3918
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 37 GiB total, 24.538 GiB free.
    D: is CDROM ()
    G: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    H: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    I: is NetworkDisk (NTFS) - 410 GiB total, 393.902 GiB free.
    J: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    K: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    L: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    P: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    Q: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    T: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    U: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    V: is NetworkDisk (NTFS) - 34 GiB total, 5.241 GiB free.
    W: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.
    Y: is NetworkDisk (NTFS) - 410 GiB total, 258.737 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP85: 6/6/2009 12:07:03 AM - System Checkpoint
    RP86: 6/7/2009 12:08:00 AM - System Checkpoint
    RP87: 6/8/2009 12:08:31 AM - System Checkpoint
    RP88: 6/9/2009 1:07:59 AM - System Checkpoint
    RP89: 6/10/2009 2:07:58 AM - System Checkpoint
    RP90: 6/10/2009 8:42:34 AM - Software Distribution Service 3.0
    RP91: 6/11/2009 8:48:23 AM - System Checkpoint
    RP92: 6/12/2009 9:21:52 AM - System Checkpoint
    RP93: 6/13/2009 10:21:51 AM - System Checkpoint
    RP94: 6/14/2009 11:21:49 AM - System Checkpoint
    RP95: 6/15/2009 11:44:57 AM - System Checkpoint
    RP96: 6/16/2009 12:21:49 PM - System Checkpoint
    RP97: 6/17/2009 2:28:21 PM - System Checkpoint
    RP98: 6/18/2009 3:30:26 PM - System Checkpoint
    RP99: 6/19/2009 4:21:47 PM - System Checkpoint
    RP100: 6/20/2009 5:21:46 PM - System Checkpoint
    RP101: 6/21/2009 6:21:45 PM - System Checkpoint
    RP102: 6/22/2009 6:22:50 PM - System Checkpoint
    RP103: 6/23/2009 7:21:45 PM - System Checkpoint
    RP104: 6/24/2009 4:00:19 PM - Software Distribution Service 3.0
    RP105: 6/25/2009 4:53:10 PM - System Checkpoint
    RP106: 6/26/2009 5:23:23 PM - System Checkpoint
    RP107: 6/27/2009 6:21:45 PM - System Checkpoint
    RP108: 6/28/2009 7:20:28 PM - System Checkpoint
    RP109: 6/29/2009 7:21:45 PM - System Checkpoint
    RP110: 6/30/2009 8:21:48 PM - System Checkpoint
    RP111: 7/1/2009 9:21:43 PM - System Checkpoint
    RP112: 7/2/2009 10:21:43 PM - System Checkpoint
    RP113: 7/6/2009 8:58:57 AM - System Checkpoint
    RP114: 7/7/2009 11:45:47 AM - System Checkpoint
    RP115: 7/8/2009 11:57:36 AM - System Checkpoint
    RP116: 7/9/2009 12:55:19 PM - System Checkpoint
    RP117: 7/10/2009 1:43:15 PM - System Checkpoint
    RP118: 7/11/2009 1:58:48 PM - System Checkpoint
    RP119: 7/12/2009 2:58:48 PM - System Checkpoint
    RP120: 7/13/2009 4:21:43 PM - System Checkpoint
    RP121: 7/14/2009 4:23:01 PM - System Checkpoint
    RP122: 7/15/2009 1:41:15 PM - Software Distribution Service 3.0
    RP123: 7/16/2009 3:23:28 PM - System Checkpoint
    RP124: 7/17/2009 4:21:07 PM - System Checkpoint
    RP125: 7/18/2009 4:27:09 PM - System Checkpoint
    RP126: 7/19/2009 5:27:09 PM - System Checkpoint
    RP127: 7/20/2009 5:58:14 PM - System Checkpoint
    RP128: 7/21/2009 6:27:13 PM - System Checkpoint
    RP129: 7/23/2009 9:24:59 AM - System Checkpoint
    RP130: 7/24/2009 9:29:15 AM - System Checkpoint
    RP131: 7/25/2009 10:10:24 AM - System Checkpoint
    RP132: 7/26/2009 11:10:23 AM - System Checkpoint
    RP133: 7/27/2009 11:32:15 AM - System Checkpoint
    RP134: 7/28/2009 12:10:22 PM - System Checkpoint
    RP135: 7/29/2009 12:19:30 PM - System Checkpoint
    RP136: 7/29/2009 4:00:17 PM - Software Distribution Service 3.0
    RP137: 7/30/2009 4:02:38 PM - System Checkpoint
    RP138: 7/31/2009 4:10:12 PM - System Checkpoint
    RP139: 8/1/2009 5:10:13 PM - System Checkpoint
    RP140: 8/2/2009 6:10:13 PM - System Checkpoint
    RP141: 8/3/2009 7:10:13 PM - System Checkpoint
    RP142: 8/4/2009 8:10:14 PM - System Checkpoint
    RP143: 8/5/2009 9:10:11 PM - System Checkpoint
    RP144: 8/7/2009 11:37:42 AM - Installed Debugging Tools for Windows (x86)
    RP145: 8/7/2009 12:09:40 PM - Removed Debugging Tools for Windows (x86)
    RP146: 8/7/2009 12:10:15 PM - Installed Debugging Tools for Windows (x86)
    RP147: 8/7/2009 3:04:40 PM - Removed Debugging Tools for Windows (x86)
    RP148: 8/7/2009 3:15:17 PM - Installed Debugging Tools for Windows (x86)
    RP149: 8/8/2009 3:35:07 PM - System Checkpoint
    RP150: 8/9/2009 4:35:05 PM - System Checkpoint
    RP151: 8/10/2009 5:45:50 PM - System Checkpoint
    RP152: 8/11/2009 2:53:10 PM - Removed Debugging Tools for Windows (x86)

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1
    ApplicationXtender Desktop 5.30 SP3
    Automatic File Transfer Service
    BlueZone
    BVS Quick-Connect Gateway
    Canon DR-3060/3080C driver
    Canon DR-3080CII driver
    CheckPlus 5.1
    Critical Update for Windows Media Player 11 (KB959772)
    eDesk - Branch Capture
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Initial Episys Installation
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Adapters and Drivers
    IrfanView (remove only)
    Java(TM) 6 Update 13
    LiveUpdate 3.3 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Excel Viewer 2003
    Microsoft Office Standard Edition 2003
    Microsoft Office Word Viewer 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    OpenSSL 0.9.7e
    PostgreSQL 8.0
    Ranger for CR-180 v2.2.42
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    SoundMAX
    Symantec Endpoint Protection
    SymForm
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VNC Free Edition 4.1.2
    WebFldrs XP
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    8/7/2009 9:57:46 AM, error: System Error [1003] - Error code 000000f7, parameter1 00000000, parameter2 00009c69, parameter3 ffff6396, parameter4 00000000.
    8/7/2009 9:56:59 AM, error: System Error [1003] - Error code 000000f7, parameter1 00000000, parameter2 00009f77, parameter3 ffff6088, parameter4 00000000.
    8/7/2009 9:55:50 AM, error: System Error [1003] - Error code 000000f7, parameter1 00000000, parameter2 00009f53, parameter3 ffff60ac, parameter4 00000000.
    8/7/2009 9:54:15 AM, error: System Error [1003] - Error code 000000f7, parameter1 00000000, parameter2 00009d6e, parameter3 ffff6291, parameter4 00000000.
    8/7/2009 9:51:19 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    8/7/2009 9:50:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip
    8/7/2009 9:50:13 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    8/7/2009 9:50:13 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/7/2009 9:50:13 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/7/2009 9:50:13 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    8/10/2009 3:27:55 AM, error: NETLOGON [5789] - Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was '[computer].[domain].local'. The following error occurred: There are no more endpoints available from the endpoint mapper.
    8/10/2009 3:27:55 AM, error: NETLOGON [5788] - Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were 'HOST/[computer name].[domain].local' and 'HOST/[computer name]'. The following error occurred: There are no more endpoints available from the endpoint mapper.

    ==== End Of File ===========================
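The four Event ID 1003 entries in the log above carry the bugcheck parameters of each STOP 0xF7 crash. As an added example (not part of the original post, and not code from DDS, ComboFix or any other tool mentioned in the thread), the Python below parses those lines and decodes them with the documented DRIVER_OVERRAN_STACK_BUFFER parameter layout: parameter 1 is the actual security-check cookie found on the stack, parameter 2 the expected cookie, parameter 3 the one's complement of the expected cookie, and parameter 4 is reserved and zero. It then checks every record for internal consistency. The sample log is copied from the post; the class and function names are my own.

```python
"""Decode STOP 0xF7 (DRIVER_OVERRAN_STACK_BUFFER) records from Windows XP
Event ID 1003 "System Error" entries, like the four in the DDS log above.

Added example, not part of the original post or of DDS/ComboFix. Parameter
meanings follow the documented bugcheck 0xF7 layout:
  parameter1  actual security-check cookie found on the stack
  parameter2  expected security-check cookie
  parameter3  one's complement of the expected cookie
  parameter4  zero (reserved)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

BUGCHECK_DRIVER_OVERRAN_STACK_BUFFER = 0xF7
MASK32 = 0xFFFFFFFF

# Constructed sample: the four Event Viewer lines from the post plus one
# unrelated System Restore error, to show that non-1003 records are skipped.
SAMPLE_LOG = """\
8/7/2009 9:57:46 AM, error: System Error [1003] - Error code 000000f7, parameter1 00000000, parameter2 00009c69, parameter3 ffff6396, parameter4 00000000.
8/7/2009 9:56:59 AM, error: System Error [1003] - Error code 000000f7, parameter1 00000000, parameter2 00009f77, parameter3 ffff6088, parameter4 00000000.
8/7/2009 9:55:50 AM, error: System Error [1003] - Error code 000000f7, parameter1 00000000, parameter2 00009f53, parameter3 ffff60ac, parameter4 00000000.
8/7/2009 9:54:15 AM, error: System Error [1003] - Error code 000000f7, parameter1 00000000, parameter2 00009d6e, parameter3 ffff6291, parameter4 00000000.
8/7/2009 9:51:19 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
"""

# One Event ID 1003 line as the XP Event Viewer / DDS renders it.
_EVENT_1003 = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"error: System Error \[1003\] - Error code (?P<code>[0-9a-fA-F]{8}), "
    r"parameter1 (?P<p1>[0-9a-fA-F]{8}), parameter2 (?P<p2>[0-9a-fA-F]{8}), "
    r"parameter3 (?P<p3>[0-9a-fA-F]{8}), parameter4 (?P<p4>[0-9a-fA-F]{8})\.$"
)


@dataclass(frozen=True)
class Bugcheck:
    when: str
    code: int
    params: Tuple[int, int, int, int]

    @property
    def is_stack_overrun(self) -> bool:
        return self.code == BUGCHECK_DRIVER_OVERRAN_STACK_BUFFER

    @property
    def params_well_formed(self) -> bool:
        """A genuine 0xF7 record has p3 == ~p2 (32-bit) and p4 == 0.
        Anything else is a corrupt record or a different kind of failure."""
        _, expected, complement, reserved = self.params
        return (self.is_stack_overrun
                and (expected ^ MASK32) == complement
                and reserved == 0)

    @property
    def cookie_zeroed(self) -> bool:
        """p1 == 0: the overrun wrote zero bytes across the guard slot,
        typical of a zero-filled or string overflow rather than random corruption."""
        return self.params[0] == 0

    def describe(self) -> str:
        actual, expected, _, _ = self.params
        verdict = "well-formed" if self.params_well_formed else "MALFORMED"
        zeroed = ", cookie overwritten with zeros" if self.cookie_zeroed else ""
        return (f"{self.when}: STOP 0x{self.code:08X} actual=0x{actual:08x} "
                f"expected=0x{expected:08x} ({verdict}{zeroed})")


def parse_events(text: str) -> List[Bugcheck]:
    """Return every Event ID 1003 record found in `text`; other lines are ignored."""
    out: List[Bugcheck] = []
    for raw in text.splitlines():
        m = _EVENT_1003.match(raw.strip())
        if not m:
            continue
        p1, p2, p3, p4 = (int(m.group(k), 16) for k in ("p1", "p2", "p3", "p4"))
        out.append(Bugcheck(m.group("when"), int(m.group("code"), 16), (p1, p2, p3, p4)))
    return out


def summarize(text: str) -> Dict[str, int]:
    """The counts a responder wants before opening a minidump."""
    events = parse_events(text)
    overruns = [e for e in events if e.is_stack_overrun]
    return {
        "records": len(events),
        "stack_overruns": len(overruns),
        "well_formed": sum(e.params_well_formed for e in overruns),
        "cookie_zeroed": sum(e.cookie_zeroed for e in overruns),
        "distinct_expected_cookies": len({e.params[1] for e in overruns}),
    }


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(ev.describe())
    print(summarize(SAMPLE_LOG))
```

Run over the four lines, every record is well-formed (parameter 3 is the complement of parameter 2 each time) and every record has an actual cookie of zero, while the expected cookie differs from crash to crash, as it should, since the cookie is generated when the driver image loads. That pattern points to a repeated, deterministic overrun of a /GS-protected kernel stack frame rather than random memory corruption; the parameters alone do not name the driver, which is what the minidump and the debugger are for.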
     

  4. 2009/08/12
    broni

    broni Moderator Malware Analyst

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  5. 2009/08/12
    CUISTech

    CUISTech Inactive Thread Starter

    Quick question: How long, on average, does ComboFix take to run? I'm doing all of this by remote access, and want to make sure I wait a safe amount of time before reconnecting my remote access tools.
     
  6. 2009/08/12
    CUISTech

    CUISTech Inactive Thread Starter

    (3 hours was a long enough wait for mine to finish)

    ComboFix 09-08-10.06 - [CUISTech] 08/12/2009 9:25.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.561 [GMT -5:00]
    Running from: c:\documents and settings\[CUISTech]\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    hxxp://[domain][DNS Server]
    .
    ((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
    .

    2009-08-12 11:45 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
    2009-08-12 11:45 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
    2009-08-12 11:45 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
    2009-08-12 11:45 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
    2009-08-12 11:44 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-12 10:50 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-12 09:52 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
    2009-08-12 09:51 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
    2009-08-12 09:51 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
    2009-08-12 09:51 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
    2009-08-12 09:51 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
    2009-07-29 12:56 . 2009-06-29 16:12 17408 -c----w- c:\windows\system32\dllcache\corpol.dll
    2009-07-28 15:49 . 2009-07-28 15:49 45056 ----a-w- c:\documents and settings\smartinez\Application Data\Sun\Java\Deployment\cache\6.0\49\615348b1-3d20eb80-n\AfsNativeUtils.dll
    2009-07-28 15:22 . 2009-07-28 15:23 -------- d-----w- c:\documents and settings\smartinez\Local Settings\Application Data\Adobe
    2009-07-15 09:52 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2009-07-15 09:52 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-06 12:54 . 2009-04-13 19:19 -------- d-----w- c:\program files\Symantec
    2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-25 22:58 . 2009-04-13 19:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-06-25 22:58 . 2009-04-13 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-06-25 22:54 . 2009-04-13 19:20 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-06-25 22:54 . 2009-04-13 19:20 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-06-25 22:54 . 2009-04-13 19:20 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-06-25 22:54 . 2009-04-13 19:20 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-23 18:22 . 2009-04-13 19:43 20272 ----a-w- c:\documents and settings\[CUISTech]\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-19 17:38 . 2009-06-18 19:53 -------- d-----w- c:\documents and settings\cpetrucci\Application Data\ISIS Drivers
    2009-06-18 20:05 . 2009-06-18 20:05 103720 ----a-w- c:\documents and settings\scan\GoToAssistDownloadHelper.exe
    2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-15 14:36 . 2009-06-15 14:36 20272 ----a-w- c:\documents and settings\cpetrucci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
    2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:19 . 2009-04-13 16:30 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-28 16:54 . 2009-05-28 16:54 20272 ----a-w- c:\documents and settings\mlalowski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Scan Panel"="c:\program files\Canon Electronics\Scan Panel\drpanel.exe" [2008-05-29 196677]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-25 115560]

    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "1"="regedit" [X]
    "2"="regedit" [X]
    "3"="regedit" [X]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Remote Admin Server.lnk - c:\program files\Symitar\SFW\RemoteAdminServer.exe [2009-4-13 265728]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-2153\Scripts\Logon\0\0]
    "Script"=c:\postgress\lortpostgres.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\0\0]
    "Script"=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\1\0]
    "Script"=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-500\Scripts\Logon\0\0]
    "Script"=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 AutomaticFileTransferService;AutomaticFileTransferService;c:\program files\VSoft\Automatic File Transfer Service\AutomaticFileTransferWindowsService.exe [8/30/2006 5:00 PM 20480]
    R2 Ranger Log;Ranger Log;c:\program files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe [4/5/2006 10:44 AM 32768]
    R2 VSoftECLServicePG;VSoftECLServicePG;c:\vsofteclservice\VSoftECLServicePG.exe [5/7/2009 11:46 AM 110592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/17/2009 9:58 PM 101936]
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-Symantec Antvirus


    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyServer = 10.1.3.50:3128
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {E7FDC948-4B01-4CB6-9EC4-2C5FB49280A8} = 10.1.3.6,10.1.3.8
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-12 09:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    @DACL=(02 0011)
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @DACL=(02 0011)
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @DACL=(02 0011)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @DACL=(02 0011)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @DACL=(02 0011)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2009-08-12 9:32
    ComboFix-quarantined-files.txt 2009-08-12 14:32

    Pre-Run: 26,101,112,832 bytes free
    Post-Run: 26,393,186,304 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    174 --- E O F --- 2009-08-12 14:10



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:58:01 PM, on 8/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\vsoft\automatic file transfer service\automaticfiletransferwindowsservice.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.3.50:3128
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Scan Panel] "C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe" /Stay
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
    O4 - HKCU\..\Policies\Explorer\Run: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
    O4 - HKCU\..\Policies\Explorer\Run: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-500\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg (User 'Administrator')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-500\..\Policies\Explorer\Run: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg (User 'Administrator')
    O4 - Global Startup: Remote Admin Server.lnk = C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239718365265
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [domain].local
    O17 - HKLM\Software\..\Telephony: DomainName = [domain].local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FDC948-4B01-4CB6-9EC4-2C5FB49280A8}: NameServer = 10.1.3.2,10.1.3.8
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [domain].local
    O23 - Service: AutomaticFileTransferService - - c:\program files\vsoft\automatic file transfer service\automaticfiletransferwindowsservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
    O23 - Service: Ranger Log - Silver Bullet Technologies, Inc. - C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: VSoftECLServicePG - VSoft Corp. - C:\VSoftECLService\VSoftECLServicePG.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6404 bytes
     
  7. 2009/08/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explor er\Run]
     "1 "=-
     "2 "=-
     "3 "=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er]
     "DisablePersonalDirChange "=-
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
    Last edited: 2009/08/14
  8. 2009/08/13
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    After running ComboFix, I had someone turn off the computer at the location where the machine is, and reboot it. I could no longer log into the machine remotely upon it reestablishing connection.

    Now, I had them unjoin the domain and join a workgroup, then rejoin the domain (all with the requisite reboots), which worked yesterday, but it's not working today.

    Using the network login I provided for them brings up the desktop, but none of the shared resources.

    HELP!
     
  9. 2009/08/13
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    UPDATE:
    Trying to rejoin the domain (I'm at the computer now) gets me a note to see dcdiag.txt, which tells me I have an error 0x0000267c, followed by No DNS Servers configured for local system.

    It took me two more tries to join the domain after that. The first attempt said the network path was not found. The second attempt was successful.

    I have logged into the computer, onto the domain, using my network credentials. I do not have access to ANY network resources (i.e. drives mapped to my name), but I do have access to my Outlook e-mail on the Exchange server.

    This computer can't be reached via any sort of remote access, either. It's like I'm on the network, but not...
     
  10. 2009/08/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unfortunately, I'm not very familiar with networking, and remote access, so I won't be much of a help here.
    Your IT people, or whoever takes care of the network will have to work this issue out.
    I don't see anything in Combofix script, which could cause this problem.

    Actually, nothing was even changed, because of me not paying attention to an old BBS glitch, which causes a line break after a certain number of characters.
    You can see this line in my script:
    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explor er\Run]
    There is an unnecessary break after the "explor" part of "explorer".
    The same applies to the other script line, so nothing was actually executed.
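The two things these posts hinge on, the Policies\Explorer\Run values in the HijackThis log and the CFScript that was supposed to delete them, can both be checked offline before anything is run on the box. The Python below is an added example written for this page; it is not code from the thread, from HijackThis or from ComboFix. It parses O4 lines (the sample input is constructed from the log above), flags Policies\Explorer\Run entries whose command pulls from a UNC path or silently imports a .reg file, generates a Registry:: section in the same "name"=- form broni's script uses, and lints a script for the line-wrap glitch described in post #10 so a wrapped key path is caught before the file is dragged onto ComboFix. The regexes, the "suspicious" rule and any CFScript layout beyond what post #7 shows are my assumptions.

```python
"""Triage HijackThis O4 entries and build/lint a ComboFix CFScript.
Added example for this thread, not code from the post, HijackThis or ComboFix;
it reads pasted log text only and never touches the live registry."""
import re

# Constructed sample in the shape of the O4 lines in the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
O4 - HKCU\..\Policies\Explorer\Run: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
O4 - HKUS\S-1-5-21-682003330-117609710-725345543-500\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg (User 'Administrator')
O4 - Global Startup: Remote Admin Server.lnk = C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
"""
# Constructed copy of the post #7 script with the line-wrap glitch from post #10.
GLITCHED_SCRIPT = r"""
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explor er\Run]
"1"=-
"""

CURVER = r"Software\Microsoft\Windows\CurrentVersion"   # HijackThis writes it as "\..\"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<subkey>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$")
UNC_RE = re.compile(r"\\\\[\w.-]+\\[^\s\"]+")                        # \\host\share\...
SILENT_IMPORT_RE = re.compile(r"\bregedit(?:\.exe)?\b.*/s\b", re.I)  # regedit /s file.reg
# .reg-style syntax: [HKEY_...] names a key, [-HKEY_...] deletes it, "name"=- deletes a value
KEY_RE = re.compile(r"^\[-?HKEY_(?:LOCAL_MACHINE|CURRENT_USER|USERS|CLASSES_ROOT)\\[^\s\[\]]+\]$")
VALUE_RE = re.compile(r'^"[^"]+"=(?:-|.+)$')


def full_key(hive, subkey):
    """Expand the HijackThis hive abbreviation and '\\..\\' subkey to a full key path."""
    root = "HKEY_USERS\\" + hive[5:] if hive.startswith("HKUS\\") else HIVES[hive]
    return "\\".join((root, CURVER, subkey))


def triage_o4(log_text):
    """One dict per registry-backed O4 entry; 'suspicious' marks the ones to review."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue                      # Global Startup and non-O4 lines
        cmd = m.group("cmd")
        # Policies\Explorer\Run is the policy-managed Run key (not shown by msconfig);
        # a silent regedit import from a share re-applies whatever that share
        # holds at every logon, so confirm who owns the share before deleting.
        policy_run = m.group("subkey").lower().endswith(r"policies\explorer\run")
        remote = UNC_RE.search(cmd) is not None or SILENT_IMPORT_RE.search(cmd) is not None
        findings.append({"key": full_key(m.group("hive"), m.group("subkey")),
                         "name": m.group("name"), "cmd": cmd, "user": m.group("user"),
                         "suspicious": policy_run and remote})
    return findings


def build_cfscript(findings):
    """Emit a ComboFix 'Registry::' section that deletes each suspicious value."""
    by_key = {}
    for f in findings:
        if f["suspicious"]:
            by_key.setdefault(f["key"], []).append(f["name"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=-' % n for n in names)
    return "\n".join(lines) + "\n"


def check_cfscript(text):
    """Lint the Registry:: section: a key path with whitespace inside the brackets
    (the forum line-wrap case) names a key that does not exist, so the deletion
    never happens; catch it before dragging the file onto ComboFix."""
    problems, in_registry = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.endswith("::"):
            in_registry = line == "Registry::"
        elif in_registry and line.startswith("[") and not KEY_RE.match(line):
            problems.append("line %d: bad key path %r" % (n, line))
        elif in_registry and line and not line.startswith("[") and not VALUE_RE.match(line):
            problems.append("line %d: bad value line %r" % (n, line))
    return problems


if __name__ == "__main__":
    found = triage_o4(SAMPLE_LOG)
    for f in found:
        print("REVIEW" if f["suspicious"] else "  ok  ", f["key"], "[%s]" % f["name"], f["cmd"])
    script = build_cfscript(found)
    print(script)
    print("generated:", check_cfscript(script) or "no problems")
    print("glitched: ", check_cfscript(GLITCHED_SCRIPT))
```

Run as-is it flags the three Policies\Explorer\Run entries and reports the wrapped key path in the glitched script while passing the generated one. Whether those three entries are actually unwanted is a separate question: 10.1.3.6 is also listed as a name server in the ComboFix log, the share is simply called "shared" and the .reg names look like pushed application settings, so ask whoever owns that share before deleting them.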
     
  11. 2009/08/14
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    I found the line break. Seems that the firewall was turned on after ComboFix required a reboot to reconnect to the network - something we keep off by default. (Going to have to look into making group policy for that, I guess.)

    . . .

    ComboFix 09-08-10.06 - [CUISTech] 08/13/2009 9:47.2.2 - NTFSx86
    Running from: c:\documents and settings\[CUISTech]\Desktop\ComboFix.exe
    Command switches used :: h:\temp\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\sfcfiles.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
    .

    2009-08-13 14:35 . 2009-08-13 14:36 -------- d-----w- C:\32788R22FWJFW
    2009-08-12 19:57 . 2009-08-12 19:57 -------- d-----w- c:\program files\Trend Micro
    2009-08-12 19:37 . 2009-08-12 19:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symitar
    2009-08-12 19:37 . 2009-08-12 19:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    2009-08-12 11:45 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
    2009-08-12 11:45 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
    2009-08-12 11:45 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
    2009-08-12 11:45 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
    2009-08-12 11:44 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-12 10:50 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-12 09:52 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
    2009-08-12 09:51 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
    2009-08-12 09:51 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
    2009-08-12 09:51 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
    2009-08-12 09:51 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
    2009-07-29 12:56 . 2009-06-29 16:12 17408 -c----w- c:\windows\system32\dllcache\corpol.dll
    2009-07-28 15:49 . 2009-07-28 15:49 45056 ----a-w- c:\documents and settings\smartinez\Application Data\Sun\Java\Deployment\cache\6.0\49\615348b1-3d20eb80-n\AfsNativeUtils.dll
    2009-07-28 15:22 . 2009-07-28 15:23 -------- d-----w- c:\documents and settings\smartinez\Local Settings\Application Data\Adobe
    2009-07-15 09:52 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2009-07-15 09:52 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-06 12:54 . 2009-04-13 19:19 -------- d-----w- c:\program files\Symantec
    2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-25 22:58 . 2009-04-13 19:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-06-25 22:58 . 2009-04-13 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-06-25 22:54 . 2009-04-13 19:20 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-06-25 22:54 . 2009-04-13 19:20 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-06-25 22:54 . 2009-04-13 19:20 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-06-25 22:54 . 2009-04-13 19:20 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-23 18:22 . 2009-04-13 19:43 20272 ----a-w- c:\documents and settings\[CUISTech]\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-19 17:38 . 2009-06-18 19:53 -------- d-----w- c:\documents and settings\cpetrucci\Application Data\ISIS Drivers
    2009-06-18 20:05 . 2009-06-18 20:05 103720 ----a-w- c:\documents and settings\scan\GoToAssistDownloadHelper.exe
    2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-15 14:36 . 2009-06-15 14:36 20272 ----a-w- c:\documents and settings\cpetrucci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
    2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:19 . 2009-04-13 16:30 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-28 16:54 . 2009-05-28 16:54 20272 ----a-w- c:\documents and settings\mlalowski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    .

    ------- Sigcheck -------

    [-] 2004-08-04 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
    [-] 2008-04-14 10:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
    [-] 2008-04-14 10:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
    [-] 2008-04-14 10:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\cache\svchost.exe

    [-] 2004-08-04 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
    [-] 2008-04-14 10:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
    [-] 2008-04-14 10:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll
    [-] 2008-04-14 10:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\dllcache\cache\user32.dll

    [-] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
    [-] 2008-04-14 10:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
    [-] 2008-04-14 10:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll
    [-] 2008-04-14 10:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\dllcache\cache\ws2_32.dll

    [-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
    [-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
    [-] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
    [-] 2009-06-29 16:23 828928 4C6B4138165A4C53FE8A5B1D809526C3 c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\wininet.dll
    [-] 2004-08-04 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\ie7\wininet.dll
    [-] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB961260-IE7\wininet.dll
    [-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
    [-] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
    [-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\ie7updates\KB972260-IE7\wininet.dll
    [-] 2008-04-14 10:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
    [-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\system32\wininet.dll
    [-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\system32\dllcache\wininet.dll
    [-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\system32\dllcache\cache\wininet.dll

    [-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
    [-] 2008-04-14 05:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
    [-] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys
    [-] 2008-04-14 05:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
    [-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\cache\tcpip.sys
    [-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

    [-] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
    [-] 2008-04-14 10:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
    [-] 2008-04-14 10:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
    [-] 2008-04-14 10:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\cache\winlogon.exe

    [-] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
    [-] 2008-04-14 05:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
    [-] 2008-04-14 05:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\cache\ndis.sys
    [-] 2008-04-14 05:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

    [-] 2004-08-04 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
    [-] 2008-04-14 05:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
    [-] 2008-04-14 05:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\dllcache\cache\ip6fw.sys
    [-] 2008-04-14 05:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

    [-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
    [-] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
    [-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
    [-] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
    [-] 2008-08-14 09:22 2015744 DC097A896A03B8277457D228FD12D4E6 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
    [-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
    [-] 2008-04-14 05:01 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
    [-] 2004-08-04 12:00 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtUninstallKB956841_0$\ntkrnlpa.exe
    [-] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
    [-] 2008-04-14 05:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
    [-] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
    [-] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
    [-] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\dllcache\cache\ntkrnlpa.exe

    [-] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
    [-] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
    [-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
    [-] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
    [-] 2008-08-14 09:58 2136064 DD31AB4B91C2605601A3C108AF57A0C9 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
    [-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
    [-] 2008-04-14 05:54 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
    [-] 2004-08-04 12:00 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtUninstallKB956841_0$\ntoskrnl.exe
    [-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
    [-] 2008-04-14 05:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
    [-] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
    [-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe
    [-] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\dllcache\cache\ntoskrnl.exe

    [-] 2008-04-14 10:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
    [-] 2004-08-04 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
    [-] 2008-04-14 10:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
    [-] 2008-04-14 10:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\cache\explorer.exe

    [-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
    [-] 2004-08-04 12:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
    [-] 2008-04-14 10:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
    [-] 2008-04-14 10:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
    [-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
    [-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe
    [-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\cache\services.exe

    [-] 2004-08-04 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
    [-] 2008-04-14 10:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
    [-] 2008-04-14 10:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe
    [-] 2008-04-14 10:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\dllcache\cache\lsass.exe

    [-] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
    [-] 2008-04-14 10:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
    [-] 2008-04-14 10:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
    [-] 2008-04-14 10:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\cache\ctfmon.exe

    [-] 2004-08-04 12:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtServicePackUninstall$\spoolsv.exe
    [-] 2008-04-14 10:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
    [-] 2008-04-14 10:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe
    [-] 2008-04-14 10:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\dllcache\cache\spoolsv.exe

    [-] 2004-08-04 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
    [-] 2008-04-14 10:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
    [-] 2008-04-14 10:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe
    [-] 2008-04-14 10:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\cache\userinit.exe

    [-] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
    [-] 2008-04-14 10:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
    [-] 2008-04-14 10:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll
    [-] 2008-04-14 10:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\dllcache\cache\termsrv.dll

    [-] 2009-03-22 00:29 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
    [-] 2004-08-04 12:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtServicePackUninstall$\kernel32.dll
    [-] 2008-04-14 10:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
    [-] 2008-04-14 10:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
    [-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
    [-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll
    [-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\cache\kernel32.dll

    [-] 2004-08-04 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
    [-] 2008-04-14 10:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
    [-] 2008-04-14 10:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll
    [-] 2008-04-14 10:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\dllcache\cache\powrprof.dll

    [-] 2004-08-04 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
    [-] 2008-04-14 10:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
    [-] 2008-04-14 10:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll
    [-] 2008-04-14 10:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\dllcache\cache\imm32.dll

    [-] 2004-08-04 12:00 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\$NtServicePackUninstall$\appmgmts.dll
    [-] 2008-04-14 10:41 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\ServicePackFiles\i386\appmgmts.dll
    [-] 2008-04-14 10:41 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\appmgmts.dll
    [-] 2008-04-14 10:41 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\dllcache\cache\appmgmts.dll

    [-] 2009-01-16 16:24 3596288 CC9D001B7370B292C35B366CA05B12B4 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
    [-] 2009-02-21 18:09 3596800 1BB754AB47B327DE8DBF2FA18C36357C c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
    [-] 2009-04-29 14:19 3598336 C6FD770D518FB024245A0EE217D72BC1 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
    [-] 2009-07-19 13:31 3600384 F6098CC1B1C3858D53F20F3CB5774F3B c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\mshtml.dll
    [-] 2004-08-04 12:00 3003392 376E0843B2356CA91CEC8D9837A56FF7 c:\windows\ie7\mshtml.dll
    [-] 2007-08-13 23:54 3578368 C6EC2493346ED8888A549F59210A8ED3 c:\windows\ie7updates\KB961260-IE7\mshtml.dll
    [-] 2009-01-17 02:35 3594752 3B413267DA8AE71C20E5EF3E54F74728 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
    [-] 2009-02-20 18:09 3595264 C7C3E41CC2F6EB4A629FE2184136C098 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
    [-] 2009-04-29 04:56 3596288 2B4315EC9E3124408A2A5074C4B97700 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
    [-] 2008-04-14 10:42 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\ServicePackFiles\i386\mshtml.dll
    [-] 2009-07-20 00:03 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\system32\mshtml.dll
    [-] 2009-07-20 00:03 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\system32\dllcache\mshtml.dll
    [-] 2009-07-20 00:03 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\system32\dllcache\cache\mshtml.dll

    [-] 2004-08-04 12:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
    [-] 2008-04-14 05:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
    [-] 2008-04-14 05:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\dllcache\cache\kbdclass.sys
    [-] 2008-04-14 05:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys

    [-] 2004-08-04 12:00 792064 6728270CB7DBB776ED086F5AC4C82310 c:\windows\$NtServicePackUninstall$\comres.dll
    [-] 2008-04-14 10:41 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\ServicePackFiles\i386\comres.dll
    [-] 2008-04-14 10:41 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\comres.dll
    [-] 2008-04-14 10:41 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\dllcache\cache\comres.dll

    [-] 2004-08-04 12:00 22016 74D66B3DE265E8789153414E75175F26 c:\windows\$NtServicePackUninstall$\lpk.dll
    [-] 2008-04-14 10:41 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\ServicePackFiles\i386\lpk.dll
    [-] 2008-04-14 10:41 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\lpk.dll
    [-] 2008-04-14 10:41 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\dllcache\cache\lpk.dll

    [-] 2004-08-04 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
    [-] 2004-08-04 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\cache\beep.sys
    [-] 2004-08-04 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys

    [-] 2004-08-04 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\dllcache\null.sys
    [-] 2004-08-04 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\dllcache\cache\null.sys
    [-] 2004-08-04 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

    [-] 2004-08-04 03:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtServicePackUninstall$\aec.sys
    [-] 2008-04-14 03:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\ServicePackFiles\i386\aec.sys
    [-] 2008-04-14 03:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\dllcache\cache\aec.sys
    [-] 2008-04-14 03:09 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\drivers\aec.sys

    [-] 2004-08-04 12:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtServicePackUninstall$\mfc40u.dll
    [-] 2008-04-14 10:41 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\ServicePackFiles\i386\mfc40u.dll
    [-] 2008-04-14 10:41 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\mfc40u.dll
    [-] 2008-04-14 10:41 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\dllcache\cache\mfc40u.dll

    [-] 2009-02-09 10:56 401408 9222562D44021B988B9F9F62207FB6F2 c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
    [-] 2004-08-04 12:00 395776 5C83A4408604F737717AB96371201680 c:\windows\$NtServicePackUninstall$\rpcss.dll
    [-] 2008-04-14 10:42 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\$NtUninstallKB956572$\rpcss.dll
    [-] 2008-04-14 10:42 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\ServicePackFiles\i386\rpcss.dll
    [-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\rpcss.dll
    [-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\dllcache\rpcss.dll
    [-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\dllcache\cache\rpcss.dll

    [-] 2004-08-04 12:00 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\$NtServicePackUninstall$\msgsvc.dll
    [-] 2008-04-14 10:42 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\ServicePackFiles\i386\msgsvc.dll
    [-] 2008-04-14 10:42 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\msgsvc.dll
    [-] 2008-04-14 10:42 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\dllcache\cache\msgsvc.dll

    [-] 2004-08-04 12:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtServicePackUninstall$\comctl32.dll
    [-] 2008-04-14 10:41 617472 06F247492BC786CE5C24A23E178C711A c:\windows\ServicePackFiles\i386\comctl32.dll
    [-] 2008-04-14 10:41 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\comctl32.dll
    [-] 2008-04-14 10:41 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\dllcache\cache\comctl32.dll
    [-] 2004-08-04 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
    [-] 2004-08-04 12:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
    [-] 2008-04-14 10:42 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

    [-] 2004-08-04 12:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\dllcache\cache\acpiec.sys
    [-] 2004-08-04 12:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

    [-] 2004-08-04 12:00 5120 E8A12A12EA9088B4327D49EDCA3ADD3E c:\windows\$NtServicePackUninstall$\sfc.dll
    [-] 2008-04-14 10:42 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\ServicePackFiles\i386\sfc.dll
    [-] 2008-04-14 10:42 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\sfc.dll
    [-] 2008-04-14 10:42 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\dllcache\cache\sfc.dll

    [-] 2004-08-04 12:00 407040 96353FCECBA774BB8DA74A1C6507015A c:\windows\$NtServicePackUninstall$\netlogon.dll
    [-] 2008-04-14 10:42 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\ServicePackFiles\i386\netlogon.dll
    [-] 2009-02-06 18:46 408064 6C476D33D82F1054849790181E8F7772 c:\windows\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\SP2QFE\netlogon.dll
    [-] 2008-04-14 10:42 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\netlogon.dll
    [-] 2008-04-14 10:42 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\dllcache\cache\netlogon.dll

    [-] 2004-08-04 12:00 382464 2C69EC7E5A311334D10DD95F338FCCEA c:\windows\$NtServicePackUninstall$\qmgr.dll
    [-] 2008-04-14 10:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\ServicePackFiles\i386\qmgr.dll
    [-] 2008-04-14 10:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\qmgr.dll
    [-] 2008-04-14 10:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\bits\qmgr.dll
    [-] 2008-04-14 10:42 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\dllcache\cache\qmgr.dll

    [-] 2004-08-04 12:00 180224 0F78E27F563F2AAF74B91A49E2ABF19A c:\windows\$NtServicePackUninstall$\scecli.dll
    [-] 2008-04-14 10:42 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\ServicePackFiles\i386\scecli.dll
    [-] 2008-04-14 10:42 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\scecli.dll
    [-] 2008-04-14 10:42 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\dllcache\cache\scecli.dll

    [-] 2004-08-04 12:00 14336 02000ABF34AF4C218C35D257024807D6 c:\windows\$NtServicePackUninstall$\asyncmac.sys
    [-] 2008-04-14 05:27 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\ServicePackFiles\i386\asyncmac.sys
    [-] 2008-04-14 05:27 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\system32\dllcache\cache\asyncmac.sys
    [-] 2008-04-14 05:27 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\system32\drivers\asyncmac.sys

    [-] 2004-08-04 12:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtServicePackUninstall$\ntfs.sys
    [-] 2008-04-14 05:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys
    [-] 2008-04-14 05:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\dllcache\cache\ntfs.sys
    [-] 2008-04-14 05:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\drivers\ntfs.sys

    [-] 2004-08-04 12:00 170496 92BDF74F12D6CBEC43C94D4B7F804838 c:\windows\$NtServicePackUninstall$\srsvc.dll
    [-] 2008-04-14 10:42 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\ServicePackFiles\i386\srsvc.dll
    [-] 2008-04-14 10:42 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\srsvc.dll
    [-] 2008-04-14 10:42 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\dllcache\cache\srsvc.dll

    [-] 2004-08-04 12:00 13824 49911DD39E023BB6C45E4E436CFBD297 c:\windows\$NtServicePackUninstall$\wscntfy.exe
    [-] 2008-04-14 10:42 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\ServicePackFiles\i386\wscntfy.exe
    [-] 2008-04-14 10:42 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\system32\wscntfy.exe
    [-] 2008-04-14 10:42 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\system32\dllcache\cache\wscntfy.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-08-12_14.30.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-13 14:55 . 2009-08-13 14:55 16384 c:\windows\Temp\Perflib_Perfdata_9c.dat
    + 2004-08-04 12:00 . 2008-04-14 10:42 1614848 c:\windows\system32\dllcache\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Scan Panel "= "c:\program files\Canon Electronics\Scan Panel\drpanel.exe" [2008-05-29 196677]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-25 115560]

    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "1 "= "regedit" [X]
    "2 "= "regedit" [X]
    "3 "= "regedit" [X]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Remote Admin Server.lnk - c:\program files\Symitar\SFW\RemoteAdminServer.exe [2009-4-13 265728]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-2153\Scripts\Logon\0\0]
    "Script "=c:\postgress\lortpostgres.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\0\0]
    "Script "=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\1\0]
    "Script "=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-500\Scripts\Logon\0\0]
    "Script "=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE "=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= %windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "= c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE "= c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "= c:\program files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email
    "c:\\Program Files\\Symitar\\SFW\\RemoteAdminServer.exe "= c:\program files\Symitar\SFW\RemoteAdminServer.exe:*:Enabled:Ras

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:*:Enabled:mad:xpsp2res.dll,-22009

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= %windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "= c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE "= c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "= c:\program files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:*:Enabled:mad:xpsp2res.dll,-22009

    R2 AutomaticFileTransferService;AutomaticFileTransferService;c:\program files\VSoft\Automatic File Transfer Service\AutomaticFileTransferWindowsService.exe [8/30/2006 5:00 PM 20480]
    R2 Ranger Log;Ranger Log;c:\program files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe [4/5/2006 10:44 AM 32768]
    R2 VSoftECLServicePG;VSoftECLServicePG;c:\vsofteclservice\VSoftECLServicePG.exe [5/7/2009 11:46 AM 110592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/17/2009 9:58 PM 101936]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
    Alerter
    LmHosts

    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyServer = 10.1.3.50:3128
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {E7FDC948-4B01-4CB6-9EC4-2C5FB49280A8} = 10.1.3.2,10.1.3.8
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-13 10:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    @DACL=(02 0011)
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @DACL=(02 0011)
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @DACL=(02 0011)
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
    @Denied: (A) (Everyone)
    @= "{8D8763AB-E93B-4812-964E-F04E0008FD50} "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @= "Shockwave Flash Object "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
    @DACL=(02 0011)

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
    @DACL=(02 0011)

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
    @DACL=(02 0011)

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @DACL=(02 0011)
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10c.ocx "
    "ThreadingModel "= "Apartment "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @DACL=(02 0011)
    @= "0 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @DACL=(02 0011)
    @= "ShockwaveFlash.ShockwaveFlash.10 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
    @DACL=(02 0011)

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @DACL=(02 0011)
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10c.ocx, 1 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @DACL=(02 0011)
    @= "{D27CDB6B-AE6D-11cf-96B8-444553540000} "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @DACL=(02 0011)
    @= "1.0 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @DACL=(02 0011)
    @= "ShockwaveFlash.ShockwaveFlash "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @= "Macromedia Flash Factory Object "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
    @DACL=(02 0011)

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @DACL=(02 0011)
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10c.ocx "
    "ThreadingModel "= "Apartment "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @DACL=(02 0011)
    @= "FlashFactory.FlashFactory.1 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
    @DACL=(02 0011)

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @DACL=(02 0011)
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10c.ocx, 1 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @DACL=(02 0011)
    @= "{D27CDB6B-AE6D-11cf-96B8-444553540000} "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @DACL=(02 0011)
    @= "1.0 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @DACL=(02 0011)
    @= "FlashFactory.FlashFactory "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker3 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @DACL=(02 0011)
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @DACL=(02 0011)
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @DACL=(02 0011)
    @= "Shockwave Flash "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @=" "

    [HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @DACL=(02 0011)
    @= "FlashBroker "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2432)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\PostgreSQL\8.0\bin\pg_ctl.exe
    c:\program files\PostgreSQL\8.0\bin\postmaster.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\PostgreSQL\8.0\bin\postgres.exe
    c:\program files\RealVNC\VNC4\winvnc4.exe
    c:\program files\PostgreSQL\8.0\bin\postgres.exe
    c:\program files\PostgreSQL\8.0\bin\postgres.exe
    c:\program files\PostgreSQL\8.0\bin\postgres.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-13 10:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-13 15:06
    ComboFix2.txt 2009-08-12 14:32

    Pre-Run: 26,306,048,000 bytes free
    Post-Run: 26,294,628,352 bytes free

    514 --- E O F --- 2009-08-12 14:10



    . . .


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:24:03 AM, on 8/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\spoolsv.exe
    c:\program files\vsoft\automatic file transfer service\automaticfiletransferwindowsservice.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.3.50:3128
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Scan Panel] "C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe" /Stay
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
    O4 - HKCU\..\Policies\Explorer\Run: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
    O4 - HKCU\..\Policies\Explorer\Run: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-2153\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SCAN')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-2153\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\chm.reg (User 'SCAN')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-2153\..\Policies\Explorer\Run: [3] regedit /c/s \\10.1.3.6\shared\intranet.reg (User 'SCAN')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-2153\..\Policies\Explorer\Run: [4] regedit /c/s \\10.1.3.6\shared\otgsource.reg (User 'SCAN')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-500\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg (User 'Administrator')
    O4 - Global Startup: Remote Admin Server.lnk = C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239718365265
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [domain].local
    O17 - HKLM\Software\..\Telephony: DomainName = [domain].local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FDC948-4B01-4CB6-9EC4-2C5FB49280A8}: NameServer = 10.1.3.6,10.1.3.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [domain].local
    O23 - Service: AutomaticFileTransferService - - c:\program files\vsoft\automatic file transfer service\automaticfiletransferwindowsservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
    O23 - Service: Ranger Log - Silver Bullet Technologies, Inc. - C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: VSoftECLServicePG - VSoft Corp. - C:\VSoftECLService\VSoftECLServicePG.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6751 bytes
     
  12. 2009/08/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Does it mean, you don't use any firewall whatsoever?


    We need to re-run Combofix with correct script...

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "1"=-
    "2"=-
    "3"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"=-
    
    RegLockDel::
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  13. 2009/08/17
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    Firewalls are taken care of on the network level.

    I'll go re-run ComboFix again.
     
  14. 2009/08/17
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    ComboFix 09-08-10.06 - [CUISTech] 08/17/2009 9:57.3.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.491 [GMT -5:00]
    Running from: c:\documents and settings\[CUISTech]\Desktop\ComboFix.exe
    Command switches used :: h:\temp\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
    .

    2009-08-13 20:12 . 2009-08-13 20:34 -------- d-----w- c:\documents and settings\phouse
    2009-08-12 19:57 . 2009-08-12 19:57 -------- d-----w- c:\program files\Trend Micro
    2009-08-12 19:37 . 2009-08-12 19:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symitar
    2009-08-12 19:37 . 2009-08-12 19:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    2009-08-12 11:45 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
    2009-08-12 11:45 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
    2009-08-12 11:45 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
    2009-08-12 11:45 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
    2009-08-12 11:44 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-12 10:50 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-12 09:52 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
    2009-08-12 09:51 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
    2009-08-12 09:51 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
    2009-08-12 09:51 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
    2009-08-12 09:51 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
    2009-07-29 12:56 . 2009-06-29 16:12 17408 -c----w- c:\windows\system32\dllcache\corpol.dll
    2009-07-28 15:49 . 2009-07-28 15:49 45056 ----a-w- c:\documents and settings\smartinez\Application Data\Sun\Java\Deployment\cache\6.0\49\615348b1-3d20eb80-n\AfsNativeUtils.dll
    2009-07-28 15:22 . 2009-07-28 15:23 -------- d-----w- c:\documents and settings\smartinez\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-06 12:54 . 2009-04-13 19:19 -------- d-----w- c:\program files\Symantec
    2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-25 22:58 . 2009-04-13 19:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-06-25 22:58 . 2009-04-13 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-06-25 22:54 . 2009-04-13 19:20 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-06-25 22:54 . 2009-04-13 19:20 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-06-25 22:54 . 2009-04-13 19:20 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-06-25 22:54 . 2009-04-13 19:20 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-23 18:22 . 2009-04-13 19:43 20272 ----a-w- c:\documents and settings\[CUISTech]\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-19 17:38 . 2009-06-18 19:53 -------- d-----w- c:\documents and settings\cpetrucci\Application Data\ISIS Drivers
    2009-06-18 20:05 . 2009-06-18 20:05 103720 ----a-w- c:\documents and settings\scan\GoToAssistDownloadHelper.exe
    2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-15 14:36 . 2009-06-15 14:36 20272 ----a-w- c:\documents and settings\cpetrucci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
    2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:19 . 2009-04-13 16:30 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-28 16:54 . 2009-05-28 16:54 20272 ----a-w- c:\documents and settings\mlalowski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-12_14.30.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-13 22:01 . 2009-08-13 22:01 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
    + 2009-08-13 20:13 . 2001-08-18 03:36 29696 c:\windows\system32\spool\drivers\w32x86\3\XXPSRU1.DLL
    + 2009-08-13 20:13 . 2001-08-18 03:36 809984 c:\windows\system32\spool\drivers\w32x86\3\XXUI1.DLL
    + 2009-08-13 20:13 . 2008-04-14 10:42 543232 c:\windows\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
    + 2009-08-13 20:13 . 2008-04-14 10:42 728576 c:\windows\system32\spool\drivers\w32x86\3\PS5UI.DLL
    + 2004-08-04 12:00 . 2008-04-14 10:42 1614848 c:\windows\system32\dllcache\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Scan Panel"="c:\program files\Canon Electronics\Scan Panel\drpanel.exe" [2008-05-29 196677]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-25 115560]

    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "1"="regedit" [X]
    "2"="regedit" [X]
    "3"="regedit" [X]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Remote Admin Server.lnk - c:\program files\Symitar\SFW\RemoteAdminServer.exe [2009-4-13 265728]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-1138\Scripts\Logon\0\0]
    "Script"=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-1138\Scripts\Logon\1\0]
    "Script"=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-2153\Scripts\Logon\0\0]
    "Script"=c:\postgress\lortpostgres.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\0\0]
    "Script"=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\1\0]
    "Script"=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-500\Scripts\Logon\0\0]
    "Script"=\\[domain].local\SysVol\[domain].local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 AutomaticFileTransferService;AutomaticFileTransferService;c:\program files\VSoft\Automatic File Transfer Service\AutomaticFileTransferWindowsService.exe [8/30/2006 5:00 PM 20480]
    R2 Ranger Log;Ranger Log;c:\program files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe [4/5/2006 10:44 AM 32768]
    R2 VSoftECLServicePG;VSoftECLServicePG;c:\vsofteclservice\VSoftECLServicePG.exe [5/7/2009 11:46 AM 110592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/17/2009 9:58 PM 101936]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyServer = 10.1.3.50:3128
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {E7FDC948-4B01-4CB6-9EC4-2C5FB49280A8} = 10.1.3.6,10.1.3.2
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-17 10:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    @DACL=(02 0011)
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @DACL=(02 0011)
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @DACL=(02 0011)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @DACL=(02 0011)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @DACL=(02 0011)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @DACL=(02 0011)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(688)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(2688)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-08-17 10:03
    ComboFix-quarantined-files.txt 2009-08-17 15:03
    ComboFix2.txt 2009-08-13 15:06
    ComboFix3.txt 2009-08-12 14:32

    Pre-Run: 28,159,102,976 bytes free
    Post-Run: 28,139,929,600 bytes free

    186 --- E O F --- 2009-08-12 14:10



    . . .


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:25:30 AM, on 8/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\spoolsv.exe
    c:\program files\vsoft\automatic file transfer service\automaticfiletransferwindowsservice.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.3.50:3128
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Scan Panel] "C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe" /Stay
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
    O4 - HKCU\..\Policies\Explorer\Run: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
    O4 - HKCU\..\Policies\Explorer\Run: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-2153\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SCAN')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-2153\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\chm.reg (User 'SCAN')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-2153\..\Policies\Explorer\Run: [3] regedit /c/s \\10.1.3.6\shared\intranet.reg (User 'SCAN')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-2153\..\Policies\Explorer\Run: [4] regedit /c/s \\10.1.3.6\shared\otgsource.reg (User 'SCAN')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - HKUS\S-1-5-21-682003330-117609710-725345543-500\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg (User 'Administrator')
    O4 - Global Startup: Remote Admin Server.lnk = C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239718365265
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [domain].local
    O17 - HKLM\Software\..\Telephony: DomainName = [domain].local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FDC948-4B01-4CB6-9EC4-2C5FB49280A8}: NameServer = 10.1.3.6,10.1.3.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [domain].local
    O23 - Service: AutomaticFileTransferService - - c:\program files\vsoft\automatic file transfer service\automaticfiletransferwindowsservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
    O23 - Service: Ranger Log - Silver Bullet Technologies, Inc. - C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: VSoftECLServicePG - VSoft Corp. - C:\VSoftECLService\VSoftECLServicePG.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6654 bytes
     
  15. 2009/08/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"
    Restart computer.

    =================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!


    STEP 3.
    Post fresh HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. 2009/08/18
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    I'll get to this soon as I can... But can I ask what you're seeing that's prompting you to want these further programs run?
     
  17. 2009/08/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This is rather standard procedure to run couple of scans, and make sure the computer is clean.
     
