
ComboFix 11-11-28.02 - Padmesh 11/29/2011 0:46.1.

2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.646 [GMT 5.5:30]
Running from: d:\padmesh\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4D805953-A4C0-4F87-BD55-91D2AE636ACE}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Padmesh\cnsload_1310943576250.tmp
c:\documents and settings\Padmesh\g2mdlhlpx.exe
c:\program files\cnsload_1313848626437.tmp
c:\program files\cnsload_1319771944875.tmp
c:\windows\$NtUninstallKB17236$
c:\windows\$NtUninstallKB17236$\1948661618\@
c:\windows\$NtUninstallKB17236$\1948661618\bckfg.tmp
c:\windows\$NtUninstallKB17236$\1948661618\cfg.ini
c:\windows\$NtUninstallKB17236$\1948661618\Desktop.ini
c:\windows\$NtUninstallKB17236$\1948661618\keywords
c:\windows\$NtUninstallKB17236$\1948661618\kwrd.dll
c:\windows\$NtUninstallKB17236$\1948661618\L\oioiuwka
c:\windows\$NtUninstallKB17236$\1948661618\U\00000001.@
c:\windows\$NtUninstallKB17236$\1948661618\U\00000002.@
c:\windows\$NtUninstallKB17236$\1948661618\U\00000004.@
c:\windows\$NtUninstallKB17236$\1948661618\U\80000000.@
c:\windows\$NtUninstallKB17236$\1948661618\U\80000004.@
c:\windows\$NtUninstallKB17236$\1948661618\U\80000032.@
c:\windows\$NtUninstallKB17236$\458904655
D:\AUTORUN.INF
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MRXCLS
-------\Legacy_MRXNET
-------\Legacy_SVCLOCKS
-------\Service_MRxCls
-------\Service_MRxNet
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 19:30 . 2011-11-28 19:30  56200 ----a-w  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0AE22D2C-C564-437A-85AD-BF44036CF020}\offreg.dll
2011-11-28 12:19 . 2011-10-07 03:48  6668624 ----a-w  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0AE22D2C-C564-437A-85AD-BF44036CF020}\mpengine.dll
2011-11-25 22:29 . 2011-11-25 22:29  -------- d-sh--w  c:\documents and settings\NetworkService\PrivacIE
2011-11-25 18:40 . 2011-11-25 18:40  -------- d-sh--w  c:\documents and settings\NetworkService\IETldCache
2011-11-25 18:24 . 2011-11-25 18:24  -------- d-----w  c:\program files\Common Files\Java
2011-11-25 18:24 . 2011-10-02 23:36  476904 ----a-w  c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-11-25 18:24 . 2011-10-02 23:36  472808 ----a-w  c:\windows\system32\deployJava1.dll
2011-11-25 08:23 . 2011-11-25 08:23  -------- d-----w  c:\documents and settings\Padmesh\Application Data\InstallShield
2011-11-21 12:24 . 2011-11-21 12:24  -------- d-----w  c:\program files\Cisco
2011-10-31 11:18 . 2011-10-31 11:18  -------- d-----w  c:\documents and settings\extsupport\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 12:51 . 2011-06-30 11:59  414368 ----a-w  c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-10-15 14:29  692736 ----a-w  c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2011-04-12 13:56  6668624 ----a-w  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-02 21:07 . 2009-12-09 13:45  73728 ----a-w  c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2008-04-14 12:00  599040 ----a-w  c:\windows\system32\crypt32.dll
2011-09-26 06:11 . 2008-07-29 14:29  611328 ----a-w  c:\windows\system32\uiautomationcore.dll
2011-09-26 06:11 . 2008-04-14 12:00  220160 ----a-w  c:\windows\system32\oleacc.dll
2011-09-26 06:11 . 2008-04-14 12:00  20480 ----a-w  c:\windows\system32\oleaccrc.dll
2011-09-22 18:44 . 2011-09-22 18:44  10680 ----a-w  c:\windows\system32\vpncategories.dll
2011-09-22 18:44 . 2011-09-22 18:44  30648 ----a-w  c:\windows\system32\vpnevents.dll
2011-09-22 18:29 . 2011-09-22 18:29  19192 ----a-w  c:\windows\system32\drivers\vpnva.sys
2011-09-22 07:14 . 2009-12-17 09:47  132536 ----a-w  c:\windows\system32\vpnweb.ocx
2011-09-06 13:20 . 2008-04-14 12:00  1858944 ----a-w  c:\windows\system32\win32k.sys
2011-11-10 12:14 . 2011-10-05 11:16  134104 ----a-w  c:\program files\mozilla firefox\components\browsercomps.dll
2009-10-16 18:34 . 2009-10-16 18:34  122880 ----a-w  c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-16 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-30 137752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-30 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-30 166424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-26 1392640]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-15 746792]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^humyo.com SmartDrive.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\humyo.com SmartDrive.lnk
backup=c:\windows\pss\humyo.com SmartDrive.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Padmesh^Start Menu^Programs^Startup^IPMSG for Win32.lnk]
path=c:\documents and settings\Padmesh\Start Menu\Programs\Startup\IPMSG for Win32.lnk
backup=c:\windows\pss\IPMSG for Win32.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Padmesh^Start Menu^Programs^Startup^Locate32 Autorun.lnk]
path=c:\documents and settings\Padmesh\Start Menu\Programs\Startup\Locate32 Autorun.lnk
backup=c:\windows\pss\Locate32 Autorun.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 07:25  937920 ----a-w  c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-07-01 17:42  623960 ----a-w  c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
2011-07-21 07:41  12023568 ----a-w  c:\program files\Microsoft Lync\communicator.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-10-16 18:34  30192 ----a-w  c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-04 15:31  136176 ----atw  c:\documents and settings\Padmesh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 09:46  997920 ----a-w  c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
2009-04-15 22:41  746792 ----a-w  c:\program files\Trend Micro\OfficeScan Client\PccNTMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 11:48  413696 ----a-w  c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 07:36  254696 ----a-w  c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Padmesh\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\NetSarang\\Xshell 4\\Xshell.exe"=
"c:\\Program Files\\NetSarang\\Xshell 4\\Xagent.exe"=
"c:\\Program Files\\Microsoft Lync\\communicator.exe"=
"c:\\Program Files\\Microsoft Lync\\UcMapi.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"48325:TCP"= 48325:TCP:Trend Micro OfficeScan Listener
.
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/5/2010 5:05 PM 51792]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [5/22/2009 1:02 AM 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [5/22/2009 1:00 AM 36624]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/23/2011 12:13 AM 645048]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [10/13/2009 7:59 PM 338960]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/17/2009 12:06 AM 133104]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/17/2009 12:04 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/17/2009 12:06 AM 133104]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/9/2010 2:02 AM 47360]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [10/13/2009 7:59 PM 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [10/13/2009 7:59 PM 652552]
Unknown dsload;dsload; [x]
.
--- Other Services/Drivers In Memory --.
*Deregistered* - dsgrab_01caa5cdbb0681c8
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ
getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-16 11:24]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-16 18:36]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-16 18:36]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1417001333-1177238915-1004Core.job
- c:\documents and settings\Padmesh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 15:31]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1417001333-1177238915-1004UA.job
- c:\documents and settings\Padmesh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 15:31]
.
2011-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 10:09]
.
.
------- Supplementary Scan ------.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: myhcl.com\wf20
TCP: DhcpNameServer = 10.110.4.27 10.110.4.50 10.110.4.51 8.8.8.8
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {1EEDA174-3132-4AFC-9EEC-55BE29C87476} - hxxps://chat.tcs.com/sametime/javaconnect/STAutoAwayLoader.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://nyvpn.directbrands.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://nyvpn.directbrands.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {D4B5D9AB-D565-4DAF-BF5C-4D07F1CAA6EE} - hxxps://chat.tcs.com/sametime/javaconnect/STUrlConLoader.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Padmesh\Application Data\Mozilla\Firefox\Profiles\xo1ym55i.default\
.
- - - - ORPHANS REMOVED - - - .
HKCU-Run-emoze - c:\progra~1\Emoze\PC-CON~1\emoze.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Aim - c:\program files\AIM\aim.exe
MSConfigStartUp-dvd43 - c:\program files\dvd43\dvd43_tray.exe
MSConfigStartUp-Google Quick Search Box - c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE
MSConfigStartUp-SAMAccessManager - c:\program files\TATA\SAM\SAM.exe
.
.

.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-29 01:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS --------------------.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,eb,a6,f2,15,ad,76,42,83,0d,6d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,eb,a6,f2,15,ad,76,42,83,0d,6d,\
.
--------------------- DLLs Loaded Under Running Processes --------------------.
- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes -----------------------.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\StacSV.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2011-11-29 01:04:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-28 19:34
.
Pre-Run: 862,031,872 bytes free
Post-Run: 1,196,945,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9AFF2796761C7E930DE3751800C135D9
