
ComboFix 10-03-14.06 - tstone10 03/16/2010 11:45:32.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.819 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\fkaram1\Local Settings\Application Data\MSASCui.exe
c:\documents and settings\fkaram1\Local Settings\Temporary Internet Files\16Bn2055.jpg
c:\documents and settings\fkaram1\Local Settings\Temporary Internet Files\Nymyxy.jpg
c:\documents and settings\fkaram1\Local Settings\Temporary Internet Files\p1xx7448a.jpg
c:\documents and settings\fkaram1\Local Settings\Temporary Internet Files\x06Xabab.jpg
c:\recycler\S-1-5-21-1225653103-1588792406-1262151818-500
c:\recycler\S-1-5-21-1482476501-436374069-1343024091-500
c:\windows\setup.exe
----- BITS: Possible infected sites -----
hxxp://PDC00004.na1.ford.com:29626
.
((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.
2010-03-16 13:27 . 2010-03-16 13:27 -------- d-----w- c:\documents and settings\$deggenbe\Local Settings\Application Data\Microsoft
2010-03-12 19:20 . 2010-03-12 19:20 -------- d-----w- c:\windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
2010-03-12 19:14 . 2010-03-12 19:14 -------- d-----w- C:\Quarantine
2010-03-04 13:56 . 2010-03-04 15:32 -------- d-----w- C:\temp
2010-02-19 18:33 . 2009-09-01 01:07 91672 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-19 18:33 . 2009-09-01 01:07 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-02-19 18:33 . 2009-09-01 01:07 65448 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-19 18:33 . 2009-09-01 01:07 63728 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-02-19 18:33 . 2009-09-01 01:07 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-19 18:33 . 2009-09-01 01:07 343664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-02-19 18:33 . 2009-09-01 01:07 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-02-19 18:33 . 2010-02-19 18:33 -------- d-----w- c:\program files\Common Files\McAfee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-16 13:33 . 2010-03-16 13:33 -------- d-----w- c:\documents and settings\$deggenbe\Application Data\Malwarebytes
2010-03-16 13:33 . 2010-03-16 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-10 12:24 . 2007-09-25 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-01 15:39 . 2009-04-08 19:54 73448 ----a-w- c:\documents and settings\fkaram1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-19 19:39 . 2007-09-25 17:27 -------- d-----w- c:\program files\Ford
2010-02-19 18:33 . 2009-05-04 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-19 18:33 . 2007-09-25 18:55 -------- d-----w- c:\program files\Mcafee
2010-02-19 18:33 . 2007-09-25 16:59 -------- d-----w- c:\program files\Network Associates
2010-02-19 18:33 . 2007-09-25 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CommunicatorInit"="c:\program files\Ford\MS Communicator\utl\setcmusr.vbs" [2008-11-07 10779]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.1\Reader\Reader_sl.exe" [2007-05-11 40048]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Map"="c:\sys\utl\map.vbs" [2008-05-14 5488]
"NPDMU"="c:\sys\utl\NPDMU.vbs" [2009-04-08 3761]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2006-04-12 24576]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2006-04-12 245760]
"EnChk"="c:\program files\Utimaco\SafeGuard Easy\EnChk.vbs" [2006-08-28 3426]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2009-01-06 136512]
"ptmsgfrm.exe"="c:\program files\WebEx\Productivity Tools\ptmsgfrm.exe" [2008-09-26 42312]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CommunicatorInit"="c:\program files\Ford\MS Communicator\utl\setcmusr.vbs" [2008-11-07 10779]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FordIECleanup"="c:\program files\Internet Explorer\Ford\postins.exe" [2004-11-10 57344]
"MacromediaShockwave851"="msiexec.exe" [2005-05-04 78848]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Media"= 2 (0x2)
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Fullscreen"= 1 (0x1)
"Btn_Tools"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Edit"= 2 (0x2)
"Btn_Discussions"= 2 (0x2)
"NoAutoUpdate"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Media"= 2 (0x2)
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Fullscreen"= 1 (0x1)
"Btn_Tools"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Edit"= 2 (0x2)
"Btn_Discussions"= 2 (0x2)
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
2002-01-22 19:28 110592 ----a-w- c:\windows\system32\SGLogEx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
2005-03-31 15:27 69632 ----a-w- c:\windows\system32\SGLogNotification.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WSL_RLCE]
2007-09-24 15:51 4190 ----a-w- c:\windows\system32\wsl_rlce.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2/4/2008 11:41 AM 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2/4/2008 11:41 AM 33808]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2/4/2008 11:41 AM 241815]
R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [4/12/2006 4:32 PM 18464]
R0 fttxr5_O;fttxr5_O;c:\windows\system32\drivers\fttxr5_O.sys [2/4/2008 11:41 AM 176640]
R0 megasas;megasas;c:\windows\system32\drivers\megasas.sys [2/4/2008 11:41 AM 17024]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [4/12/2006 4:34 PM 61466]
S1 ehost_;ehost_;c:\windows\system32\ehost_.sys [9/28/2007 3:43 PM 25472]
S2 ehost;ehost;c:\windows\system32\ehost.exe -s -l 2289 --> c:\windows\system32\ehost.exe -s -l 2289 [?]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\Mcafee\VirusScan Enterprise\engineserver.exe [8/31/2009 9:07 PM 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2/19/2010 2:33 PM 70728]
S2 pcscoax;3270 Coax Driver;c:\windows\system32\drivers\pcscoax.sys [9/25/2007 1:24 PM 30720]
S2 TSCensus Collection Client;TSCensus Collection Client;c:\program files\Tally Systems Corp\TSCensus\Bin\CClientSvc.exe [9/25/2007 2:53 PM 49152]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [5/22/2007 9:17 AM 96256]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/19/2010 2:33 PM 65448]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [5/22/2007 9:17 AM 65664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{439113CE-2797-47E8-BA3D-03F300777207}]
2007-04-29 07:24 99960 ----a-w- c:\program files\Hummingbird\Connectivity\13.00\Accessories\HumSettings.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2004-08-04 12:00 99840 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ford.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} - hxxp://www.partserver.de/partserver/viewer/cnsweb3d/cnsweb3d.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124}
DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} - hxxp://download.eonreality.com/eonx/4_0_1/eonx.cab
.
- - - - ORPHANS REMOVED - - - -
ShellIconOverlayIdentifiers-{ba930330-a721-11d3-a7b9-00500464ee16} - Sgedrse.Dll
ShellIconOverlayIdentifiers-{2030D939-54A7-4fea-9B06-49EA77EFC87F} - Sgedrse.Dll
AddRemove-WZCLINE - c:\program files\WinZip\winzip32

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 11:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(604)
c:\windows\SYSTEM32\fordgina.dll
c:\windows\SYSTEM32\SGLogEx.dll
c:\windows\SYSTEM32\SGLogNotification.dll
c:\windows\system32\GetUserSid.dll
c:\windows\system32\wsl_rlce.dll
.
Completion time: 2010-03-16 11:51:56
ComboFix-quarantined-files.txt 2010-03-16 15:51
Pre-Run: 24,544,628,736 bytes free
Post-Run: 25,107,726,336 bytes free
- - End Of File - - 9C18819524E5B8D4F5EE367AA3358957
