
TCPIP Registry Permissions Removed after reboot


turk


I had malware on my system. One was a DNS redirector. I ran Malwarebytes, SUPERAntiSpyware, AVG antivirus, and ComboFix, and now I seem to be running OK, except every time I reboot the permissions for the subfolders are removed for the registry key HKLM\System\CurrentControlSet\Services\TCPIP. I am unable to set a static IP, and every time I try it asks me to reboot. If I set Administrator and System to full control on all subkeys, everything works fine until I reboot. I have tried CMD /C NETSH int ip reset c:\resetlog.txt and the winsock reset one. Microsoft's Fix it for me option ran the winsock fix. It screwed up a few programs; I reinstalled them and now they are fine, but I still have the issue after a reboot. I have removed all my temp files and cannot find anything in the startup or a service that looks suspicious. Nothing in HijackThis looks bad to me. ComboFix did report a rootkit and issues with pci.sys being infected. It replaced the file.

Thanks for any help.

Logfile of HijackThis v1.99.0

Scan saved at 1:26:25 PM, on 09/23/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\AVG\AVG9\avgfws9.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\Intellution\iLicenseSvc.exe

C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

C:\Program Files\Common Files\Rockwell\RsvcHost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\card\bspades\BSPADES.EXE

C:\Program Files\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [usbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CustomControlMfr.local

O17 - HKLM\Software\..\Telephony: DomainName = CustomControlMfr.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CustomControlMfr.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CustomControlMfr.local

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = CustomControlMfr.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG WatchDog - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: AVG Firewall - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe

O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe

O23 - Service: FactoryTalk Activation Helper - Rockwell Automation Inc. - C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

O23 - Service: Google Update Service (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Harmony - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: M1 Licensing Helper - GE Fanuc Automation Americas, Inc. - C:\WINDOWS\Intellution\iLicenseSvc.exe

O23 - Service: SafeNet Monitor Service - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe

O23 - Service: SafeNet IKE Service - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe

O23 - Service: Java Quick Starter - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NTron OPC Server - N-Tron - C:\Program Files\N-Tron\NViewOPC\NTron OPC Server.exe

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: FactoryTalk Diagnostics Local Reader - Rockwell Automation Inc. - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

O23 - Service: FactoryTalk Diagnostics CE Receiver - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe

O23 - Service: RSLinx Classic - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

O23 - Service: Rockwell Application Services - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: VNC Server Version 4 - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe

I attached the ComboFix log.

ComboFix.txt

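The symptom in the post above (Administrators/SYSTEM rights stripped from the Tcpip service key tree at every reboot) is easier to pin down with a before/after snapshot than by eyeballing regedit. The following PowerShell script is an added example, not something posted in this thread; it assumes PowerShell 2.0 or later (available for XP SP3) run from an elevated prompt, and the baseline file path in $Baseline is an assumed location. It records the SDDL of every key under Tcpip, restores Full Control for Administrators and SYSTEM, and diffs the next snapshot against the saved one so the exact keys and ACEs that change across a reboot show up.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0+ in an elevated prompt.
$Root     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'
$Baseline = Join-Path $env:SystemDrive 'tcpip-acl-baseline.xml'   # assumed path

function Get-TcpipKeys {
    # The root key plus every subkey beneath it
    @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse)
}

function Get-TcpipAclSnapshot {
    # One SDDL string per key, so two snapshots can be compared entry by entry
    foreach ($k in Get-TcpipKeys) {
        $acl = Get-Acl -Path $k.PSPath
        New-Object PSObject -Property @{
            Key  = $k.Name
            Sddl = $acl.GetSecurityDescriptorSddlForm('All')
        }
    }
}

function Restore-TcpipAcl {
    # Re-grant Full Control (inherited by subkeys) to the two principals the
    # original poster had to set by hand after each reboot
    $admins  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $system  = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM'
    $rights  = [System.Security.AccessControl.RegistryRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($k in Get-TcpipKeys) {
        $acl = Get-Acl -Path $k.PSPath
        foreach ($who in $admins, $system) {
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                        $who, $rights, $inherit, $prop, $allow)
            $acl.SetAccessRule($rule)   # replaces any existing Allow ACE for $who
        }
        Set-Acl -Path $k.PSPath -AclObject $acl
    }
}

function Compare-TcpipAcl {
    # First run saves a baseline; later runs print what changed since then
    if (-not (Test-Path $Baseline)) {
        Write-Host "No baseline yet; saving current ACLs to $Baseline"
        Get-TcpipAclSnapshot | Export-Clixml $Baseline
        return
    }
    $old  = Import-Clixml $Baseline
    $new  = Get-TcpipAclSnapshot
    $diff = Compare-Object $old $new -Property Key, Sddl
    if ($diff) {
        Write-Host "ACL changes since baseline (<= baseline, => current):"
        $diff | Sort-Object Key | Format-Table SideIndicator, Key, Sddl -AutoSize
    } else {
        Write-Host "No ACL changes since baseline."
    }
}

# Typical sequence: fix the rights, save the baseline, reboot, then run
# Compare-TcpipAcl again to see which keys lost which ACEs.
Restore-TcpipAcl
Get-TcpipAclSnapshot | Export-Clixml $Baseline
Compare-TcpipAcl
```

Keys whose SDDL differs after the reboot are the ones to watch with a registry monitor at boot; a remaining persistence mechanism (driver, service, or logon-time script) is the usual cause of rights being stripped that consistently.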

Hi,

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert". It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First delete your copy of ComboFix.exe from the desktop.

Then download the latest version of ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Thanks for the reply,

Deleted the old version, downloaded the new one to the desktop, and disabled antivirus. You did not specify safe mode or normal mode, so I disabled AVG per the instructions and ran it in normal mode.

Rebooted, set the registry keys, rebooted.

Same issue.

I thought maybe a group policy, but could not find anything. No scheduled task setup.

ComboFix.txt


Hi,

Please do not attach your logs as it is harder for me to read them that way. Post them instead:

ComboFix 10-09-26.04 - Adam Strough 09/27/2010 10:59:26.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1431 [GMT -5:00]

Running from: c:\documents and settings\Adam Strough.CUSTOMCONTROL\Desktop\CF.exe

.

((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))

.

2010-09-23 05:56 . 2010-09-23 05:56 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe

2010-09-23 05:56 . 2010-09-23 05:56 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-09-23 05:56 . 2010-09-23 05:56 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe

2010-09-23 05:56 . 2010-09-23 05:56 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll

2010-09-23 05:56 . 2010-09-23 05:56 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll

2010-09-23 05:56 . 2010-09-23 05:56 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll

2010-09-23 05:56 . 2010-09-23 05:56 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll

2010-09-23 05:56 . 2010-09-23 05:56 2331032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfws9.exe

2010-09-23 05:56 . 2010-09-23 05:56 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-09-23 05:56 . 2010-09-23 05:56 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll

2010-09-23 05:55 . 2010-09-23 05:55 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-09-23 05:13 . 2010-09-23 05:13 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-09-23 05:13 . 2010-09-23 05:13 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-09-23 05:13 . 2010-09-27 13:39 -------- d-----w- c:\windows\system32\drivers\Avg

2010-09-23 05:12 . 2010-09-23 05:12 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2010-09-23 05:12 . 2010-09-23 05:12 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-09-23 05:12 . 2010-09-23 05:12 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-09-23 05:12 . 2010-09-23 05:12 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2010-09-23 05:12 . 2010-09-23 05:12 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2010-09-23 02:53 . 2010-09-23 02:53 -------- d-----w- c:\program files\Broadcom

2010-09-21 22:14 . 2010-09-23 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-09-21 15:56 . 2008-04-14 05:06 68224 -c--a-w- c:\windows\system32\dllcache\pci.sys

2010-09-21 15:56 . 2008-04-14 05:06 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2010-09-21 15:47 . 2010-09-21 15:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-09-16 15:46 . 2010-09-16 15:47 -------- d-----w- c:\program files\ControlFLASH

2010-09-14 18:39 . 2010-09-14 18:39 45056 ----a-w- c:\documents and settings\All Users\Application Data\Rockwell Automation\RSLogix 5000\root\752098ec\379a2c37\pusnzymm.dll

2010-09-14 18:39 . 2010-09-14 18:39 45056 ----a-w- c:\documents and settings\All Users\Application Data\Rockwell Automation\RSLogix 5000\root\752098ec\379a2c37\7n2tmplw.dll

2010-09-14 18:39 . 2010-09-14 18:39 -------- d-----w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Local Settings\Application Data\assembly

2010-09-14 18:25 . 2010-09-14 18:25 49152 ----a-w- c:\documents and settings\All Users\Application Data\Rockwell Automation\RSLogix 5000\root\67203832\3fda182b\App_Web_ch5yr4wc.dll

2010-09-14 18:25 . 2010-09-14 18:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Rockwell Automation\RSLogix 5000\root\67203832\3fda182b\App_Web_hepn0iwb.dll

2010-09-14 18:25 . 2010-09-14 18:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Rockwell Automation\RSLogix 5000\root\c42821f4\afb6e0d8\assembly\dl3\5f451c84\00e115f1_79ecc801\Logix5000.Reports.Generator.DLL

2010-09-14 16:24 . 2010-09-14 16:24 318 ----a-r- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\Microsoft\Installer\{7BCFC80E-8D88-4B7C-AF62-A629521B3274}\_4ae13d6c.exe

2010-09-14 16:24 . 2010-09-14 16:24 1078 ----a-r- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\Microsoft\Installer\{7BCFC80E-8D88-4B7C-AF62-A629521B3274}\_2cd672ae.exe

2010-09-14 15:43 . 2010-09-14 16:24 -------- d-----w- c:\program files\Rockwell Automation

2010-09-14 15:30 . 2010-09-14 15:30 -------- d-----w- c:\program files\Common Files\OMRON

2010-09-13 12:56 . 2010-09-20 14:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-09-08 21:17 . 2008-04-14 05:10 36352 -c--a-w- c:\windows\system32\dllcache\disk.sys

2010-09-08 21:17 . 2008-04-14 05:10 36352 ----a-w- c:\windows\system32\drivers\disk.sys

2010-09-08 20:42 . 2010-09-08 20:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2010-09-04 01:28 . 2010-09-04 01:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-03 13:42 . 2008-08-14 10:04 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys

2010-09-03 13:42 . 2008-08-14 10:04 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2010-08-30 16:22 . 2010-08-30 16:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-08-30 16:17 . 2010-09-23 06:38 -------- d-----w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Local Settings\Application Data\Temp

2010-08-30 16:17 . 2010-08-30 16:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-08-30 16:17 . 2010-08-31 14:44 -------- d-----w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Local Settings\Application Data\Google

2010-08-30 16:17 . 2010-08-30 16:24 -------- d-----w- c:\program files\Google

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-27 15:48 . 2007-11-26 16:42 12 ----a-w- c:\windows\bthservsdp.dat

2010-09-27 15:39 . 2010-04-02 19:16 -------- d-----w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\RssPopper

2010-09-23 14:40 . 2009-09-03 16:39 117760 ----a-w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-09-23 05:03 . 2006-11-07 15:37 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-09-23 04:40 . 2008-06-10 20:33 162680 ---ha-w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll

2010-09-21 22:14 . 2008-09-02 15:15 -------- d-----w- c:\program files\AVG

2010-09-20 14:04 . 2008-12-11 17:32 -------- d-----w- c:\program files\uTorrent

2010-09-17 20:04 . 2008-08-23 21:34 -------- d-----w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\uTorrent

2010-09-16 15:46 . 2006-11-07 20:53 -------- d-----w- c:\program files\Common Files\Rockwell

2010-09-14 18:34 . 2006-11-07 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Rockwell

2010-09-14 16:24 . 2006-11-07 20:53 -------- d-----w- c:\program files\Rockwell Software

2010-09-14 16:21 . 2009-05-19 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Rockwell Automation

2010-09-13 20:46 . 2008-12-11 21:08 -------- d-----w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\Tunebite

2010-09-03 17:02 . 2010-08-13 20:45 120 ----a-w- c:\windows\Ytejigenoguqut.dat

2010-09-03 17:02 . 2010-08-13 20:45 0 ----a-w- c:\windows\Vnoyef.bin

2010-08-27 14:55 . 2010-08-27 14:55 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-08-27 13:40 . 2008-09-19 14:40 -------- d-----w- c:\program files\PDF to Word

2010-08-25 21:24 . 2010-08-25 21:24 -------- d-----w- c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\Malwarebytes

2010-08-25 21:21 . 2010-08-25 21:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-25 21:21 . 2010-08-25 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-06-09 16:39 . 2007-12-24 06:16 98 --sh--w- c:\windows\SA6236347.tmp

.

((((((((((((((((((((((((((((( SnapShot@2010-09-27_15.39.12 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-09-27 15:50 . 2010-09-27 15:50 16384 c:\windows\Temp\Perflib_Perfdata_5f8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-18 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2008-05-27 434176]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-09-23 2065760]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]

Source= c:\documents and settings\Adam Strough.CUSTOMCONTROL\My Documents\HTMLPage4.htm

FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]

Source= c:\documents and settings\Adam Strough.CUSTOMCONTROL\My Documents\HTMLPage3.htm

FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-01-18 21:06 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-09-23 05:13 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2007-04-27 17:10 18744 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2240935835-3098836070-2861634907-1319\Scripts\Logon\0\0]

"Script"=\\Ccmserver\Profiles\CCM\CCM Logon Script.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

2008-04-14 10:42 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

2007-04-17 12:59 2887680 ----a-w- c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-12-13 07:45 118784 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LantronixRedirector]

2003-09-15 17:07 289182 ----a-w- c:\program files\Lantronix\Redirector\red32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 17:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-09-01 21:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2006-03-24 21:30 282624 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 22:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"UsbConnect"=2 (0x2)

"NA_Service"=2 (0x2)

"TrapiServer"=2 (0x2)

"FxControlRuntime"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"VC5SecS"=2 (0x2)

"SQLWriter"=3 (0x3)

"SQLSERVERAGENT"=3 (0x3)

"SimModuleService"=3 (0x3)

"RsvcHost"=3 (0x3)

"RSLinx"=3 (0x3)

"Rockwell Tag Server"=3 (0x3)

"Rockwell HMI Diagnostics"=3 (0x3)

"Rockwell HMI Activity Logger"=3 (0x3)

"RNADirMultiplexor"=3 (0x3)

"RNADirectory"=3 (0x3)

"Proficy Driver Runtime"=3 (0x3)

"ose"=3 (0x3)

"OSCM Utility Service"=2 (0x2)

"OpcEnum"=2 (0x2)

"MSSQLSERVER"=3 (0x3)

"msftesql"=3 (0x3)

"Harmony"=3 (0x3)

"EventServer"=3 (0x3)

"EventClientMultiplexer"=3 (0x3)

"dnWhoDisp"=3 (0x3)

"DASView"=3 (0x3)

"DASMBTCP"=3 (0x3)

"CCFLIC0"=2 (0x2)

"awhost32"=3 (0x3)

"1784-PCIDS DeviceNet"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Duke Nukem - Manhattan Project\\prism3d.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\WINDOWS\\system32\\OpcEnum.exe"=

"c:\\WINDOWS\\system32\\dllhost.exe"=

"c:\\Concept\\Ethcfg.exe"=

"c:\\Program Files\\ProSoft Technology Inc\\PCB\\PCB.exe"=

"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\MERuntime.exe"=

"c:\\Program Files\\Rockwell Software\\RSView Enterprise\\TagSrv.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\Binn\\sqlservr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=

"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Rockwell Software\\RSView\\MonitorRemoteProcesses.exe"=

"c:\\Program Files\\Common Files\\Rockwell\\RSViewLogServer.exe"=

"c:\\Program Files\\Common Files\\Rockwell\\RSVWHist.exe"=

"c:\\Program Files\\Common Files\\Rockwell\\RSRadMgr.exe"=

"c:\\Program Files\\Rockwell Software\\RSView\\sptddssv32.exe"=

"c:\\Program Files\\Rockwell Software\\RSView\\SptFTServer.exe"=

"c:\\Program Files\\Rockwell Software\\RSView\\sptddeex32.exe"=

"c:\\Program Files\\Rockwell Software\\RDM\\Cmeopc32.exe"=

"c:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=

"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"445:TCP"= 445:TCP:@xpsp2res.dll,-22005

"102:TCP"= 102:TCP:DAS SI 102

"135:TCP"= 135:TCP:DCOM 135

"502:TCP"= 502:TCP:Modicon 502

"1434:UDP"= 1434:UDP:SQL Server Browser 1434

"1433:TCP"= 1433:TCP:SQL TCP 1433

"2221:TCP"= 2221:TCP:DAS ABTCP 2221

"2222:TCP"= 2222:TCP:DAS ABTCP 2222

"2223:TCP"= 2223:TCP:DAS ABTCP 2223

"5413:TCP"= 5413:TCP:Port 5413

"9001:TCP"= 9001:TCP:vista 9001

"9002:TCP"= 9002:TCP:EnvMngr 9002

"9003:TCP"= 9003:TCP:MsgMngr 9003

"9004:TCP"= 9004:TCP:SecMngr 9004

"9006:TCP"= 9006:TCP:RedMngr 9006

"9007:TCP"= 9007:TCP:UnilinkMngr 9007

"9008:TCP"= 9008:TCP:BatchMngr 9008

"9011:TCP"= 9011:TCP:LogMngr 9011

"9012:TCP"= 9012:TCP:InfoMngr 9012

"9013:UDP"= 9013:UDP:RedMngrX 9013

"9014:UDP"= 9014:UDP:RedMngrX2 9014

"9015:TCP"= 9015:TCP:HistQMngrvista 9015

"9016:TCP"= 9016:TCP:HistQReader 9016

"44818:TCP"= 44818:TCP:Logix 44818

"443:TCP"= 443:TCP:SuiteVoyager 443

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [09/23/2010 12:12 AM 52872]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/23/2010 12:12 AM 216400]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/23/2010 12:12 AM 243024]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [01/15/2009 5:17 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [01/15/2009 5:17 PM 74480]

R1 vbev5mp;vbev5mp;c:\windows\system32\drivers\VBEV5MP.sys [05/07/2003 11:46 AM 57008]

R1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\VirtualBackplane.sys [11/07/2006 4:13 PM 63508]

R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [09/23/2010 12:12 AM 308136]

R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [09/23/2010 12:13 AM 2331544]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [08/25/2009 10:54 AM 467002]

R2 FTActivationBoost;FactoryTalk Activation Helper;c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [09/29/2008 3:49 PM 66848]

R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [08/25/2009 10:54 AM 118840]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [09/23/2010 12:12 AM 30104]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [08/25/2009 10:53 AM 36188]

R3 duntlw;UNTLW device;c:\windows\system32\drivers\DuntlwNT.sys [03/17/2010 7:03 PM 53568]

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [02/04/2009 4:54 PM 9472]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [01/15/2009 5:17 PM 7408]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/30/2010 11:17 AM 136176]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [09/23/2010 12:12 AM 30104]

S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys --> c:\windows\system32\DRIVERS\GenBus.sys [?]

S3 EST_Server;Network USB Device;c:\windows\system32\drivers\GenHC.sys [01/08/2010 11:07 PM 168192]

S3 NTron OPC Server;NTron OPC Server;c:\program files\N-Tron\NViewOPC\NTron OPC Server.exe [09/30/2009 2:24 PM 303104]

S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [09/14/2006 4:45 PM 99200]

S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [01/18/2006 10:33 AM 39067]

S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [09/29/2004 12:20 PM 155440]

S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [05/01/2009 6:58 PM 19677]

S4 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [11/07/2006 4:13 PM 102400]

S4 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [06/23/2005 6:29 PM 172032]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [09/23/2005 7:01 AM 2799808]

S4 NA_Service;NetAccess Service;c:\windows\system32\NA_Service.exe [03/17/2010 7:03 PM 49152]

S4 Proficy Driver Runtime;Proficy Driver Runtime; [x]

S4 SimModuleService;1789-SIM Simulator Module;c:\program files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [11/07/2006 4:13 PM 98304]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/10/2007 10:36 PM 685816]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [02/27/2008 11:03 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]

2007-09-19 16:32 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>

FF - ProfilePath - c:\documents and settings\Adam Strough.CUSTOMCONTROL\Application Data\Mozilla\Firefox\Profiles\w0ht401n.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-27 11:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

UsbCipHelper = c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe???????????Nj?w??????@???D????????|P?E????|???????????????|????P?E?????????8???????????????????>?@?????T???<???+??|?????????????$???? ???D??????>@????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1388)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\PCANotify.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'explorer.exe'(2872)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-27 11:11:11

ComboFix-quarantined-files.txt 2010-09-27 16:11

ComboFix2.txt 2010-09-27 15:42

ComboFix3.txt 2010-09-21 16:40

ComboFix4.txt 2010-09-08 21:51

ComboFix5.txt 2010-09-27 15:58

Pre-Run: 12,547,100,672 bytes free

Post-Run: 12,525,449,216 bytes free

- - End Of File - - 71851AED5CFB84B3FDB784C38B780E33
