• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 903
  • Last Modified:

Hijacked only when using a celluar modem card

The system seems to be hijacked "windows open automaticly even the command line" only happens when using the celluar modem.  Here is the hijackthis log.  Thaks for any assistance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:07 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\GUA306.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\msnoble\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Infragistics ActiveTreeView Control) - http://symposium.senture.com/Common/controls/ssTree.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {58A968A5-E3CE-4743-9CE4-A27357009527} (ComponentOne Chart 8.0 2D Control) - http://symposium.senture.com/Common/Controls/olch2x8dd11.cab
O16 - DPF: {977DBE03-F527-11D3-8F03-00C04FA3EB91} (RtdControl Class) - http://symposium.senture.com/Common/Controls/RtdCtrl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://172.18.1.35/NetCamPlayerWeb11gv2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Senture.int
O17 - HKLM\Software\..\Telephony: DomainName = Senture.int
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DFD7EE2-A283-4D7E-95E1-7920EFC3F815}: NameServer = 172.16.1.34
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Senture.int
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9453 bytes
0
Senture
Asked:
Senture
1 Solution
 
rindiCommented:
There is apparently no firewall running. Is that the way you want it?

Check this out:

C:\WINDOWS\TEMP\GUA306.EXE

If you don't know what it is, reboot to safe mode and move that file off or delete it.

If you don't need these, use hijackthis to remove them:

O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Infragistics ActiveTreeView Control) - http://symposium.senture.com/Common/controls/ssTree.cab
O16 - DPF: {58A968A5-E3CE-4743-9CE4-A27357009527} (ComponentOne Chart 8.0 2D Control) - http://symposium.senture.com/Common/Controls/olch2x8dd11.cab
O16 - DPF: {977DBE03-F527-11D3-8F03-00C04FA3EB91} (RtdControl Class) - http://symposium.senture.com/Common/Controls/RtdCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Senture.int
O17 - HKLM\Software\..\Telephony: DomainName = Senture.int
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DFD7EE2-A283-4D7E-95E1-7920EFC3F815}: NameServer = 172.16.1.34
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Senture.int

0
 
rpggamergirlCommented:
I don't see anything suspicious there.

The below entry belongs to TrendMicro.
C:\WINDOWS\TEMP\GUA306.EXE


Run this tool and we'll see what it finds.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
0
 
JstncaseCommented:
Have you checked your dialup connection properties to see if anythign has beeb changed that forces it to a certain IP, url or other information?

I would suggest:
Check dialup properties for modem
Clean all Temp Directories
- C:\temp
- %TEMP%
- Internet Temp Files
Download all updates if you havent already of all your Antivirus and Antispyware programs
- I personally prefer Spybot and HijackThis.
After you have done latest update, reboot your computer into safe mode, without networking.
Scan your computer with Antivirus. If it finds something, clean it remove it, reboot if necessary then back into safe mode
Run Spybot, and clean what it finds. Run Hijaack and clean what it finds
Reboot as necessary. On your last reboot, go back to safe mode, but do it WITH networking. Now goto this url:
http://housecall.trendmicro.com
Perform a free full system scan and clean of Antivirus and Spyware. Clean/remove and note if it says your computer has any vulnerabilities.
Reboot into normal windows. Hopefully all is well and/or better
0
 
SentureAuthor Commented:
Here is the combofix log, thanks for the help.


ComboFix 07-08-03.4 - "msnoble" 2007-08-03  7:46:44.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.True
 * Created a new restore point


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\a.exe


(((((((((((((((((((((((((   Files Created from 2007-07-03 to 2007-08-03  )))))))))))))))))))))))))))))))


2007-08-03 07:45      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-08-02 22:18      <DIR>      d--------      C:\DOCUME~1\msnoble\.housecall6.6
2007-08-01 13:37      1,048,576      --ah-----      C:\DOCUME~1\besadmin\NTUSER.DAT
2007-08-01 13:37      <DIR>      d--------      C:\DOCUME~1\besadmin\APPLIC~1\Research In Motion
2007-08-01 13:37      <DIR>      d--------      C:\DOCUME~1\besadmin\APPLIC~1\InterTrust
2007-08-01 13:37      <DIR>      d--------      C:\DOCUME~1\besadmin\APPLIC~1\DigitalPersona
2007-07-24 00:08      840      --a------      C:\WINDOWS\system32\iaxcfg32.dll
2007-07-24 00:07      4,096      -ra------      C:\WINDOWS\system32\rkkzgyeb.exe
2007-07-18 15:56      <DIR>      d--------      C:\Program Files\Barracuda
2007-07-18 15:55      <DIR>      d--------      C:\Program Files\Common Files\Wise Installation Wizard


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 16:22      ---------      d--------      C:\Program Files\MSECache
2007-05-17 13:56      36352      --a------      C:\WINDOWS\system32\pxfhwmcp.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-24 16:45]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 17:50]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-07-15 21:55]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 12:01 C:\WINDOWS\AGRSMMSG.exe]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]
"RegistryMechanic"="" []
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 13:29]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 19:50]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-09-08 15:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 17:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN  ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-09-08 15:45 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Sen-Lon--computers.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1130\Scripts\Logoff\0\0]
"Script"=wslogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1130\Scripts\Logon\0\0]
"Script"=wslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1130\Scripts\Logon\1\0]
"Script"=Public Drive Map.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1155\Scripts\Logoff\0\0]
"Script"=wslogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1155\Scripts\Logon\0\0]
"Script"=wslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1155\Scripts\Logon\1\0]
"Script"=Public Drive Map.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logoff\0\0]
"Script"=wslogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logoff\1\0]
"Script"=wslogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logon\0\0]
"Script"=wslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logon\1\0]
"Script"=Public Drive Map.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logon\2\0]
"Script"=wslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logon\3\0]
"Script"=Public Drive Map.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-3152\Scripts\Logoff\0\0]
"Script"=wslogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-3152\Scripts\Logon\0\0]
"Script"=wslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-3152\Scripts\Logon\1\0]
"Script"=Public Drive Map.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-6229\Scripts\Logoff\0\0]
"Script"=wslogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-6229\Scripts\Logon\0\0]
"Script"=wslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Mobile Printing]
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"C:\Program Files\Microsoft IntelliType Pro\type32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

R1 ClntMgmt.sys;ClntMgmt.sys;C:\WINDOWS\system32\Drivers\ClntMgmt.sys
R1 eabfiltr;EABFiltr;\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\System32\drivers\btslbcsp.sys
R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 TmFilter;Trend Micro Filter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
R2 tmlisten;OfficeScan NT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R2 VSApiNt;Trend Micro VSAPI NT;\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
S1 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys
S3 eabusb;eabusb;\??\C:\WINDOWS\System32\drivers\eabusb.sys
S3 gv3;Intel GV3 Processor Driver;C:\WINDOWS\system32\DRIVERS\gv3.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 pxfhbus;PANTECH PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pxfhbus.sys
S3 pxfhmdfl;PANTECH PC Card Filter;C:\WINDOWS\system32\DRIVERS\pxfhmdfl.sys
S3 pxfhmdm;PANTECH PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pxfhmdm.sys
S3 pxfhserd;PANTECH PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pxfhserd.sys
S3 RimUsb;BlackBerry Device;C:\WINDOWS\system32\Drivers\RimUsb.sys
S3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"


Contents of the 'Scheduled Tasks' folder
2007-08-03 06:00:29 C:\WINDOWS\Tasks\CDD Laptop BK.job - C:\WINDOWS\system32\ntbackup.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 07:49:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-03  7:50:34
C:\ComboFix-quarantined-files.txt ... 2007-08-03 07:50

      --- E O F ---
0
 
rpggamergirlCommented:
These files below are SDBot variant, you can use combofix to delete them, you can also run SDFix later, there might be other files not showing in the log.
C:\WINDOWS\system32\iaxcfg32.dll
C:\WINDOWS\system32\rkkzgyeb.exe



Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\iaxcfg32.dll
C:\WINDOWS\system32\rkkzgyeb.exe
--------------------------------------------------------------
Save this as CFScript
then drag CFScript into ComboFix.exe

This will start ComboFix again.



Here's the instructions for SDFix, doesn't hurt to run a scan just ot make sure no other SDBot files lurking there.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer that normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now