Question

Windows has detected spyware infection

Asked by: Philonator

I have a red x in the right-hand corner by the clock. It is a red blinking x that keeps saying Windows has detected spyware infection.

I have tried a handful of solutions with no luck.

This question has been solved and asker verified.


Asked On: 2008-07-22 at 12:24:27 (ID 23586269)
Topic: Anti-Virus
Participating Experts: 6
Points: 500
Comments: 17



Answers

 

by: Philonator, posted on 2008-07-22 at 12:37:14, ID: 22062844

I can't get HijackThis to run either, in safe mode or reg. Tried renaming files as well.

 

by: rank1sttech, posted on 2008-07-22 at 12:44:25, ID: 22062924

 

by: Philonator, posted on 2008-07-22 at 12:46:19, ID: 22062942

Got HijackThis to run by renaming the install file, renaming the exe to h.com and running it from the non-default directory.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:27 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\TEMP\WD7F1E.EXE
C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Dell\E-Center\EULALauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\h.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 192.135.176.8 Commerce.health.state.ny.us commerce
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = yatescounty.local
O17 - HKLM\Software\..\Telephony: DomainName = yatescounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = yatescounty.local
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleOra9iClientCache - Unknown owner - c:\Oracle\Ora9i\BIN\ONRSD.EXE
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9481 bytes

 

by: IndiGenus, posted on 2008-07-22 at 12:46:36, ID: 22062947

Probably Bagle. Try combofix, but rename the combofix file BEFORE downloading it. This link explains how to use combofix. Just make sure to rename the file as you are downloading it.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

by: blindsp0t, posted on 2008-07-22 at 12:49:03, ID: 22062963

I would try ComboFix in safe mode. It generally works very well. Keep in mind that with all utilities that manipulate or delete files, you might want to consider a backup. ComboFix will automatically create a restore point though.

It's a good start to most of the fake-antivirus variants out there.  Follow up with Malwarebytes and you might be set.

Combofix : http://www.bleepingcomputer.com/combofix/how-to-use-combofix#use
Malwarebytes : http://www.malwarebytes.org/mbam.php

 

by: Philonator, posted on 2008-07-22 at 12:52:53, ID: 22062988

All failed solutions so far:
AVG
Trend Micro antivirus
spybot search and destroy
Smitfraudfix

Will try combofix next.  Thanks guys

 

by: Philonator, posted on 2008-07-22 at 13:23:13, ID: 22063266

I think the source is coming from users clicking on UPS spoof emails.

I think ComboFix worked. I can't get the red x to appear. Is there any way to know for sure?

 

by: DartPC, posted on 2008-07-22 at 14:54:22, ID: 22064064

Could you run HijackThis again and post the new log please?

 

by: IndiGenus, posted on 2008-07-22 at 16:54:16, ID: 22064776

Also post the combofix log.

 

by: rpggamergirl, posted on 2008-07-22 at 18:57:00, ID: 22065435

braviax usually patches beep.sys; that's where SDFix is good for this infection, as it replaces/restores beep.sys if it is patched.
The ComboFix log, as IndiGenus asked for, should tell us if beep.sys is patched.
I had a ComboFix log yesterday where ComboFix didn't delete C:\WINDOWS\system32\ntos.exe, so it's good to check the log to make sure.

 

by: moh10ly, posted on 2008-07-23 at 03:46:25, ID: 22067720

I had this problem before on one of our office computers. It took me a few days to remove, as none of the mentioned tools worked for me either!

I was able to solve it after fixing one of the HijackThis entries.

The nasty entries you have are as follows, analyzed by the hijackthis.de website.

Note: you should create a restore point before fixing the items.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 192.135.176.8 Commerce.health.state.ny.us commerce
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O20 - AppInit_DLLs: cru629.dat

After you fix these entries, you must check whether fixing the entry ( F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, ) has removed the userinit.exe value from the Winlogon key in your registry, which might cause Windows to fail to boot. The value should look like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

I suggest after fixing the items you use the tool (System file checker) to restore the good system files if the malware has replaced or infected any of them as rpggamergirl has referred to.

Go to Start
Click Run
Type sfc /scannow, then press Enter (you will be prompted for the original Windows XP CD)
After the scan is done, you may try to restart and check if the red x is gone!

If that didn't work I suggest that you try the free version of Threatfire antivirus...
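A defender-side triage of the HijackThis entries moh10ly lists above, as an added example that is not code from this thread, from HijackThis or from hijackthis.de. It parses lines in HijackThis's log format (the sample below is constructed from entries quoted in this thread), flags the F2 UserInit chain, hosts-file overrides, a non-empty AppInit_DLLs value, and Run entries registered for the SYSTEM or Default user profiles (and the same command wherever else it is registered), and includes the Userinit sanity check moh10ly recommends after fixing the F2 entry, where an empty value is reported as the boot-failure case. Rule names, severities and the function names are my own.

```python
import re

# Constructed sample: a subset of the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 192.135.176.8 Commerce.health.state.ny.us commerce
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
"""

# Stock Windows XP Winlogon Userinit value (compared case-insensitively).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Run keys that ordinary software does not register itself under.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


def check_userinit(value):
    """Return (ok, reason) for a Winlogon Userinit value.

    Extra paths mean something is chained into every logon; an empty value
    means the machine will not reach the desktop (the boot failure moh10ly
    warns about after fixing the F2 entry).
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts:
        return False, "Userinit is empty; Windows will not complete logon"
    if parts[0].lower() != EXPECTED_USERINIT:
        return False, "first Userinit entry is not the stock userinit.exe: " + parts[0]
    if len(parts) > 1:
        return False, "extra programs chained after userinit.exe: " + ", ".join(parts[1:])
    return True, "ok"


def triage(log_text):
    """Return a list of (severity, log_line, reason) for entries worth a look."""
    findings = []
    o4_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            ok, why = check_userinit(line.split("UserInit=", 1)[1])
            if not ok:
                findings.append(("high", line, why))
        elif line.startswith("O1 - Hosts:"):
            findings.append(("medium", line, "hosts-file override; confirm it is intentional"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].strip()
            if dlls:
                findings.append(("high", line,
                                 "AppInit_DLLs loads %s into every process that uses user32.dll" % dlls))
        else:
            m = O4_RE.match(line)
            if m:
                # Normalise the command so the same binary matches across hives.
                cmd = USER_SUFFIX_RE.sub("", m.group("cmd")).strip().strip('"').lower()
                o4_entries.append((m.group("hive"), cmd, line))
    # Second pass: a command registered for SYSTEM or the Default user profile
    # is suspicious, and so is that same command under any other hive.
    suspect_cmds = {cmd for hive, cmd, _ in o4_entries if hive.startswith(SYSTEM_HIVES)}
    for hive, cmd, line in o4_entries:
        if cmd in suspect_cmds:
            findings.append(("high", line,
                             "command also registered to run for SYSTEM/Default user (seen under %s)" % hive))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity, line, reason))
```

Run it against a full log by reading the file into `triage()`; entries it does not mention (legitimate Run entries, toolbars, services) are simply not listed, so the output is a shortlist to verify, not a verdict.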

 

by: Philonator, posted on 2008-07-23 at 07:21:04, ID: 22069557

ComboFix log

ComboFix 08-07-21.2 - debm 2008-07-22 16:09:57.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.543 [GMT -4:00]
Running from: C:\Documents and Settings\DebM\Desktop\cominbbinationfizzer.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\x64

.
(((((((((((((((((((((((((   Files Created from 2008-06-22 to 2008-07-22  )))))))))))))))))))))))))))))))
.

2008-07-22 15:48 . 2008-07-22 15:48      4,864      --a------      C:\WINDOWS\system32\tmp.reg
2008-07-22 15:24 . 2008-07-22 15:24      <DIR>      d---s----      C:\Documents and Settings\ycadmin\UserData
2008-07-22 14:45 . 2008-02-15 20:45      172,032      --a------      C:\WINDOWS\system32\igfxres.dll
2008-07-22 11:53 . 2008-02-15 21:11      1,843,784      --a------      C:\WINDOWS\system32\igklg400.dll
2008-07-22 11:53 . 2008-02-15 21:11      1,399,880      --a------      C:\WINDOWS\system32\igklg450.dll
2008-07-22 11:53 . 2008-02-15 21:21      147,456      --a------      C:\WINDOWS\system32\igfxCoIn_v4926.dll
2008-07-22 11:53 . 2008-02-15 21:11      104,636      --a------      C:\WINDOWS\system32\igmedcompkrn.dll
2008-07-22 11:52 . 2008-07-22 11:52      <DIR>      d--------      C:\Intel
2008-07-22 10:46 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\system32\buritos.exe
2008-07-22 10:46 . 2008-07-22 15:33      6,144      --a------      C:\WINDOWS\system32\karina.dat
2008-07-22 10:46 . 2008-07-22 15:33      6,144      --a------      C:\WINDOWS\karina.dat
2008-07-22 10:45 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\buritos.exe
2008-07-22 10:44 . 2004-08-04 06:00      4,224      --a------      C:\WINDOWS\system32\dllcache\beep.sys
2008-07-22 10:25 . 2008-07-22 10:25      <DIR>      d---s----      C:\Documents and Settings\DebM\UserData
2008-07-22 10:23 . 2008-07-22 10:23      <DIR>      d--------      C:\Program Files\Spybot - Search & Destroy
2008-07-22 10:23 . 2008-07-22 10:36      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-22 10:07 . 2008-07-22 10:07      118      --a------      C:\WINDOWS\system32\MRT.INI
2008-07-07 14:36 . 2008-07-07 14:36      23      --a------      C:\WINDOWS\bo9040cn.ini
2008-07-03 12:09 . 2008-07-03 12:09      <DIR>      d--------      C:\Program Files\AskSBar
2008-07-03 12:05 . 2008-07-22 10:24      <DIR>      d--------      C:\Program Files\AWS
2008-07-03 11:58 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-03 11:58 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-03 11:57 . 2001-08-17 14:02      9,600      --a------      C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-03 11:57 . 2001-08-17 14:02      9,600      --a------      C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-03 11:57 . 2008-07-03 11:57      4,128      --a------      C:\INFCACHE.1
2008-07-03 10:56 . 2008-07-03 10:56      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Brother
2008-07-03 10:56 . 2008-07-07 14:36      426      --a------      C:\WINDOWS\BRWMARK.INI
2008-07-03 10:56 . 2008-07-03 10:56      26      --a------      C:\WINDOWS\BRPP2KA.INI
2008-07-03 10:27 . 2008-07-03 10:27      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\ESRI
2008-07-03 10:24 . 2008-07-03 10:24      <DIR>      d--------      C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-03 10:23 . 2008-07-03 11:24      <DIR>      d--------      C:\Program Files\ArcGIS
2008-06-23 13:57 . 2005-03-30 09:14      1,867,776      --a------      C:\WINDOWS\system32\python24.dll
2008-06-23 13:39 . 2008-06-23 13:39      <DIR>      d--------      C:\Program Files\Leica Geosystems
2008-06-23 13:37 . 2008-06-23 13:57      <DIR>      d--------      C:\Python24
2008-06-23 12:16 . 2008-07-03 10:58      <DIR>      d--------      C:\Documents and Settings\DebM\Application Data\ESRI
2008-06-23 12:05 . 2008-06-23 12:08      <DIR>      d--------      C:\gis

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 19:43      ---------      d-----w      C:\Program Files\Trend Micro
2008-07-22 14:02      ---------      d-----w      C:\Program Files\Java
2008-07-09 15:44      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-03 14:37      ---------      d-----w      C:\Program Files\ESRI
2008-07-03 14:27      ---------      d-----w      C:\Program Files\Common Files\ESRI
2008-06-23 16:36      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\ESRI
2008-06-20 10:45      360,320      ----a-w      C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44      138,368      ----a-w      C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52      225,920      ----a-w      C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 19:55      ---------      d-----w      C:\Program Files\MSXML 4.0
2008-06-19 18:28      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\CyberLink
2008-06-19 18:24      ---------      d-----w      C:\Program Files\Centers for Disease Control and Prevention
2008-06-19 18:16      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2008-06-19 18:16      ---------      d-----w      C:\Program Files\3M Home Health Systems
2008-06-19 17:56      ---------      d-----w      C:\Program Files\Oracle
2008-06-19 17:42      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\CyberLink
2008-06-19 16:58      ---------      d-----w      C:\Program Files\Microsoft SQL Server
2008-06-19 16:56      ---------      d-----w      C:\Program Files\Microsoft.NET
2008-06-19 16:52      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\Dell
2008-06-19 13:48      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\Dell
2008-06-19 13:47      ---------      d-----w      C:\Program Files\Google
2008-06-19 13:20      ---------      d-----w      C:\Documents and Settings\temp\Application Data\Dell
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 03:24      ---------      d-----w      C:\Program Files\Microsoft Small Business
2008-06-12 03:18      ---------      d-----w      C:\Program Files\Dell
2008-06-12 03:18      ---------      d-----w      C:\Program Files\Common Files\Adobe
2008-06-12 03:18      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-12 03:17      ---------      d-----w      C:\Program Files\Common Files\Macrovision Shared
2008-06-12 03:14      ---------      d-----w      C:\Program Files\Microsoft Works
2008-06-12 03:10      ---------      d-----w      C:\Program Files\CyberLink
2008-06-12 03:10      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2008-06-12 03:08      ---------      d-----w      C:\Program Files\Sigmatel
2008-06-12 03:08      ---------      d-----w      C:\Program Files\CONEXANT
2008-06-12 03:04      ---------      d-----w      C:\Program Files\Wave Systems Corp
2008-06-12 03:04      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\temp\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
2008-06-12 03:00      ---------      d-----w      C:\Program Files\Fingerprint Sensor
2008-06-12 02:59      ---------      d-----w      C:\Program Files\Gemplus
2008-06-12 02:56      ---------      d-----w      C:\Program Files\NTRU Cryptosystems
2008-06-12 02:56      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
2008-06-12 02:52      ---------      d-----w      C:\Program Files\NetWaiting
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Modem Diagnostic Tool
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Digital Line Detect
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Broadcom
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\temp\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Dell
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-12 02:50      ---------      d-----w      C:\Program Files\Common Files\Java
2008-06-12 02:34      ---------      d-----w      C:\Program Files\Apoint
2008-06-12 02:30      6,796      ----a-w      C:\WINDOWS\system32\drivers\1028_Dell_LAT_D630.mrk
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 03:34 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2008-02-22 13:43 1245184]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 10:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 11:53 218424]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-10-09 05:17 2183168]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 12:56 124200]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Acrobat Speed Launch"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 02:40 46200]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-02-26 16:16 17920]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 01:43 702072]
"Acrobat Synchronizer"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 01:29 738968]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-28 17:32 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-28 17:32 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-28 17:32 137752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-06-11 22:52:32 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 16:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-682003330-725345543-1230\Scripts\Logon\0\0]
"Script"=\\yatescounty.local\SysVol\yatescounty.local\scripts\OFCSCAN.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-682003330-725345543-500\Scripts\Logon\0\0]
"Script"=\\yatescounty.local\SysVol\yatescounty.local\scripts\OFCSCAN.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 10:57]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 15:21]
R2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 18:29]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
R2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 10:55]
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 13:32]
R3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 10:18]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [2000-10-27 12:45]
S3 OracleOra9iClientCache;OracleOra9iClientCache;c:\Oracle\Ora9i\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 18:39]
S3 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 15:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 16:13:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\temp\RE9304.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-07-22 16:16:46 - machine was rebooted [debm]
ComboFix-quarantined-files.txt  2008-07-22 20:16:43

Pre-Run: 62,886,752,256 bytes free
Post-Run: 63,663,267,840 bytes free

227      --- E O F ---      2008-07-22 14:07:18

 

by: PhilonatorPosted on 2008-07-23 at 07:22:31ID: 22069570

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:53, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\h.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKUS\S-1-5-21-823518204-682003330-725345543-1230\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'debm')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = yatescounty.local
O17 - HKLM\Software\..\Telephony: DomainName = yatescounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = yatescounty.local
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleOra9iClientCache - Unknown owner - c:\Oracle\Ora9i\BIN\ONRSD.EXE
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9050 bytes

 

by: PhilonatorPosted on 2008-07-23 at 07:49:13ID: 22069898

I ran Trend antivirus last night and it picked up and quarantined 5 viruses...

- Another improvement: I can run HijackThis from the Start > Programs menu.

I just ran ComboFix again from Safe Mode and here is the log:
ComboFix 08-07-21.2 - Administrator 2008-07-23 10:29:03.2 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Administrator\Desktop\cominbbinationfizzer.exe
.

(((((((((((((((((((((((((   Files Created from 2008-06-23 to 2008-07-23  )))))))))))))))))))))))))))))))
.

2008-07-23 10:21 . 2008-07-23 10:21      <DIR>      d--h-----      C:\WINDOWS\PIF
2008-07-22 15:48 . 2008-07-22 15:48      4,864      --a------      C:\WINDOWS\system32\tmp.reg
2008-07-22 15:24 . 2008-07-22 15:24      <DIR>      d---s----      C:\Documents and Settings\ycadmin\UserData
2008-07-22 14:45 . 2008-02-15 20:45      172,032      --a------      C:\WINDOWS\system32\igfxres.dll
2008-07-22 11:53 . 2008-02-15 21:11      1,843,784      --a------      C:\WINDOWS\system32\igklg400.dll
2008-07-22 11:53 . 2008-02-15 21:11      1,399,880      --a------      C:\WINDOWS\system32\igklg450.dll
2008-07-22 11:53 . 2008-02-15 21:21      147,456      --a------      C:\WINDOWS\system32\igfxCoIn_v4926.dll
2008-07-22 11:53 . 2008-02-15 21:11      104,636      --a------      C:\WINDOWS\system32\igmedcompkrn.dll
2008-07-22 11:52 . 2008-07-22 11:52      <DIR>      d--------      C:\Intel
2008-07-22 10:46 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\system32\buritos.exe
2008-07-22 10:45 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\buritos.exe
2008-07-22 10:44 . 2004-08-04 06:00      4,224      --a------      C:\WINDOWS\system32\dllcache\beep.sys
2008-07-22 10:25 . 2008-07-22 10:25      <DIR>      d---s----      C:\Documents and Settings\DebM\UserData
2008-07-22 10:23 . 2008-07-22 10:23      <DIR>      d--------      C:\Program Files\Spybot - Search & Destroy
2008-07-22 10:23 . 2008-07-22 10:36      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-22 10:07 . 2008-07-22 10:07      118      --a------      C:\WINDOWS\system32\MRT.INI
2008-07-07 14:36 . 2008-07-07 14:36      23      --a------      C:\WINDOWS\bo9040cn.ini
2008-07-03 12:09 . 2008-07-03 12:09      <DIR>      d--------      C:\Program Files\AskSBar
2008-07-03 12:05 . 2008-07-22 10:24      <DIR>      d--------      C:\Program Files\AWS
2008-07-03 11:58 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-03 11:58 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-03 11:57 . 2001-08-17 14:02      9,600      --a------      C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-03 11:57 . 2001-08-17 14:02      9,600      --a------      C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-03 11:57 . 2008-07-03 11:57      4,128      --a------      C:\INFCACHE.1
2008-07-03 10:56 . 2008-07-03 10:56      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Brother
2008-07-03 10:56 . 2008-07-07 14:36      426      --a------      C:\WINDOWS\BRWMARK.INI
2008-07-03 10:56 . 2008-07-03 10:56      26      --a------      C:\WINDOWS\BRPP2KA.INI
2008-07-03 10:27 . 2008-07-03 10:27      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\ESRI
2008-07-03 10:24 . 2008-07-03 10:24      <DIR>      d--------      C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-03 10:23 . 2008-07-03 11:24      <DIR>      d--------      C:\Program Files\ArcGIS
2008-06-23 13:57 . 2005-03-30 09:14      1,867,776      --a------      C:\WINDOWS\system32\python24.dll
2008-06-23 13:39 . 2008-06-23 13:39      <DIR>      d--------      C:\Program Files\Leica Geosystems
2008-06-23 13:37 . 2008-06-23 13:57      <DIR>      d--------      C:\Python24
2008-06-23 12:16 . 2008-07-03 10:58      <DIR>      d--------      C:\Documents and Settings\DebM\Application Data\ESRI
2008-06-23 12:05 . 2008-06-23 12:08      <DIR>      d--------      C:\gis

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 14:21      ---------      d-----w      C:\Program Files\Trend Micro
2008-07-22 14:02      ---------      d-----w      C:\Program Files\Java
2008-07-09 15:44      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-03 14:37      ---------      d-----w      C:\Program Files\ESRI
2008-07-03 14:27      ---------      d-----w      C:\Program Files\Common Files\ESRI
2008-06-23 16:36      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\ESRI
2008-06-20 10:45      360,320      ----a-w      C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44      138,368      ----a-w      C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52      225,920      ----a-w      C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 19:55      ---------      d-----w      C:\Program Files\MSXML 4.0
2008-06-19 18:28      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\CyberLink
2008-06-19 18:24      ---------      d-----w      C:\Program Files\Centers for Disease Control and Prevention
2008-06-19 18:16      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2008-06-19 18:16      ---------      d-----w      C:\Program Files\3M Home Health Systems
2008-06-19 17:56      ---------      d-----w      C:\Program Files\Oracle
2008-06-19 17:42      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\CyberLink
2008-06-19 16:58      ---------      d-----w      C:\Program Files\Microsoft SQL Server
2008-06-19 16:56      ---------      d-----w      C:\Program Files\Microsoft.NET
2008-06-19 16:52      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\Dell
2008-06-19 13:48      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\Dell
2008-06-19 13:47      ---------      d-----w      C:\Program Files\Google
2008-06-19 13:20      ---------      d-----w      C:\Documents and Settings\temp\Application Data\Dell
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 03:24      ---------      d-----w      C:\Program Files\Microsoft Small Business
2008-06-12 03:18      ---------      d-----w      C:\Program Files\Dell
2008-06-12 03:18      ---------      d-----w      C:\Program Files\Common Files\Adobe
2008-06-12 03:18      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-12 03:17      ---------      d-----w      C:\Program Files\Common Files\Macrovision Shared
2008-06-12 03:14      ---------      d-----w      C:\Program Files\Microsoft Works
2008-06-12 03:10      ---------      d-----w      C:\Program Files\CyberLink
2008-06-12 03:10      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2008-06-12 03:08      ---------      d-----w      C:\Program Files\Sigmatel
2008-06-12 03:08      ---------      d-----w      C:\Program Files\CONEXANT
2008-06-12 03:04      ---------      d-----w      C:\Program Files\Wave Systems Corp
2008-06-12 03:04      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\temp\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
2008-06-12 03:00      ---------      d-----w      C:\Program Files\Fingerprint Sensor
2008-06-12 02:59      ---------      d-----w      C:\Program Files\Gemplus
2008-06-12 02:56      ---------      d-----w      C:\Program Files\NTRU Cryptosystems
2008-06-12 02:56      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
2008-06-12 02:52      ---------      d-----w      C:\Program Files\NetWaiting
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Modem Diagnostic Tool
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Digital Line Detect
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Broadcom
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\temp\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Dell
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-12 02:50      ---------      d-----w      C:\Program Files\Common Files\Java
2008-06-12 02:34      ---------      d-----w      C:\Program Files\Apoint
2008-06-12 02:30      6,796      ----a-w      C:\WINDOWS\system32\drivers\1028_Dell_LAT_D630.mrk
.

(((((((((((((((((((((((((((((   snapshot@2008-07-22_16.16.33.08   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-22 19:37:41      65,446      ----a-w      C:\WINDOWS\system32\perfc009.dat
+ 2008-07-23 14:30:26      65,044      ----a-w      C:\WINDOWS\system32\perfc009.dat
- 2008-07-22 19:37:41      411,142      ----a-w      C:\WINDOWS\system32\perfh009.dat
+ 2008-07-23 14:30:26      410,574      ----a-w      C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 03:34 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2008-02-22 13:43 1245184]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 10:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 11:53 218424]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-10-09 05:17 2183168]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 12:56 124200]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Acrobat Speed Launch"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 02:40 46200]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-02-26 16:16 17920]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 01:43 702072]
"Acrobat Synchronizer"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 01:29 738968]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-28 17:32 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-28 17:32 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-28 17:32 137752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-06-11 22:52:32 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 16:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-682003330-725345543-1230\Scripts\Logon\0\0]
"Script"=\\yatescounty.local\SysVol\yatescounty.local\scripts\OFCSCAN.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-682003330-725345543-500\Scripts\Logon\0\0]
"Script"=\\yatescounty.local\SysVol\yatescounty.local\scripts\OFCSCAN.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 10:57]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 15:21]
S2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 18:29]
S2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
S2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 10:55]
S3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 13:32]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [2000-10-27 12:45]
S3 OracleOra9iClientCache;OracleOra9iClientCache;c:\Oracle\Ora9i\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 18:39]
S3 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 15:31]
S3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 10:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 10:37:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

.
Completion time: 2008-07-23 10:40:58 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-23 14:40:54

Pre-Run: 63,754,121,216 bytes free
Post-Run: 63,746,818,048 bytes free

194      --- E O F ---      2008-07-22 14:07:18

 

by: moh10ly, posted on 2008-07-24 at 14:34:51, ID: 22083756

Hi Philonator,
Your HijackThis log looks very clean...!!!

Your ComboFix log shows the suspicious buritos.exe, which is created by the malware/trojan backdoor.win32.Small.eug.
It's recommended that you submit the file buritos.exe from both directories (Windows and Windows\system32) to www.virustotal.com to check whether it's infected or not.
If they are infected, then you must delete those files ....

Here's an open thread for the same trojan that is still unresolved ...
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Enterprise_Anti-Virus/Q_23587030.html

I suggest that you disable your System Restore, then restart in safe mode after you fully update your installed antivirus and run a full scan. You might want to include archive files (zip, rar, etc.) within the scan, and preferably run an in-depth scan... which will take longer.

Some other files are unidentified and might be created by this trojan too. I'll list them below, and you need to do the same thing you have done for the buritos.exe files:

bo9040cn.ini

The trojan seems to play with your antivirus and Windows registry... It has disabled your Trend Micro monitoring and the security warning in Windows Security Center.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

You can fix this issue yourself by adjusting the value from 1 to 0... but remember to first export the registry key to your desktop or to a safe place, or just create a restore point after you have restarted from safe mode.

Hope this helps..
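
The registry fix moh10ly's comment describes, as an added example that is not part of the original thread or of any tool mentioned in it: a batch file for Windows XP's built-in reg.exe that first exports the Security Center key as a backup (so the change can be reverted), then resets the three values shown in the comment from 1 to 0, and finally queries them so the result can be checked. The backup file name on the Desktop is an assumption; run it from an administrator account.

```batch
@echo off
rem Added example, not from the thread. Re-enables the Windows Security Center
rem notifications and Trend Micro monitoring that the ComboFix log shows disabled.
rem Assumes Windows XP reg.exe and an administrator account.

set SC=HKLM\SOFTWARE\Microsoft\Security Center
rem Backup location is an assumption; pick a new name if this file already exists.
set BACKUP=%USERPROFILE%\Desktop\SecurityCenter-backup.reg

rem 1. Export the whole Security Center key before touching anything.
reg export "%SC%" "%BACKUP%"
if errorlevel 1 (
    echo Export to "%BACKUP%" failed - nothing was changed.
    exit /b 1
)
echo Backup written to "%BACKUP%".

rem 2. Turn the notifications back on (1 = disabled, 0 = enabled).
reg add "%SC%" /v AntiVirusDisableNotify /t REG_DWORD /d 0 /f
reg add "%SC%" /v UpdatesDisableNotify  /t REG_DWORD /d 0 /f

rem 3. Let Security Center monitor Trend Micro again.
reg add "%SC%\Monitoring\TrendAntiVirus" /v DisableMonitoring /t REG_DWORD /d 0 /f

rem 4. Show the values so you can confirm each now reads 0x0.
reg query "%SC%" /v AntiVirusDisableNotify
reg query "%SC%" /v UpdatesDisableNotify
reg query "%SC%\Monitoring\TrendAntiVirus" /v DisableMonitoring
```

To revert, double-click the exported .reg file (or run `reg import` on it). If the values flip back to 1 after a reboot, the malware is still active and the scan steps above have to be completed first; the registry change on its own only clears the symptom.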

 

by: Philonator, posted on 2008-07-27 at 05:58:13, ID: 22098378

Moh10ly, good call on the buritos. I have 5 PCs running this virus now. I have found it on others but not on this one. This computer I thought was fixed, but it looks like it still has it. I wrote a custom ComboFix script that works well for getting rid of buritos. I will run it on this machine and repost my ComboFix log.

 

by: Philonator, posted on 2008-08-19 at 05:15:07, ID: 31479082

I am closing this a little prematurely, but I think you guys got me down the home stretch. The user is functional again, and with an upgrade in the antivirus software it seems to have got the remaining gremlins. Thanks to all.
