Senture asked:
Hijacked only when using a cellular modem card
The system seems to be hijacked ("windows open automatically, even the command line"); it only happens when using the cellular modem. Here is the HijackThis log. Thanks for any assistance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:07 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\GUA306.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox\Status Client\StatusClient.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\msnoble\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\HiJackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\Status Client\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Infragistics ActiveTreeView Control) - http://symposium.senture.com/Common/controls/ssTree.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {58A968A5-E3CE-4743-9CE4-A27357009527} (ComponentOne Chart 8.0 2D Control) - http://symposium.senture.com/Common/Controls/olch2x8dd11.cab
O16 - DPF: {977DBE03-F527-11D3-8F03-00C04FA3EB91} (RtdControl Class) - http://symposium.senture.com/Common/Controls/RtdCtrl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://172.18.1.35/NetCamPlayerWeb11gv2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Senture.int
O17 - HKLM\Software\..\Telephony: DomainName = Senture.int
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DFD7EE2-A283-4D7E-95E1-7920EFC3F815}: NameServer = 172.16.1.34
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Senture.int
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 9453 bytes
I don't see anything suspicious there.
The entry below belongs to Trend Micro:
C:\WINDOWS\TEMP\GUA306.EXE
Run this tool and we'll see what it finds.
Download ComboFix to your Desktop from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HijackThis log in your next reply.
Note: do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Have you checked your dial-up connection properties to see if anything has been changed that forces it to a certain IP, URL or other information?
I would suggest:
Check dial-up properties for the modem
Clean all Temp directories
- C:\temp
- %TEMP%
- Internet temp files
Download all updates, if you haven't already, for all your antivirus and antispyware programs
- I personally prefer Spybot and HijackThis.
After you have done the latest update, reboot your computer into Safe Mode, without networking.
Scan your computer with the antivirus. If it finds something, clean it/remove it, reboot if necessary, then go back into Safe Mode.
Run Spybot and clean what it finds. Run HijackThis and clean what it finds.
Reboot as necessary. On your last reboot, go back to Safe Mode, but do it WITH networking. Now go to this URL:
http://housecall.trendmicro.com
Perform a free full system scan and clean for viruses and spyware. Clean/remove and note if it says your computer has any vulnerabilities.
Reboot into normal Windows. Hopefully all is well and/or better.
Senture (asker):
Here is the ComboFix log; thanks for the help.
ComboFix 07-08-03.4 - "msnoble" 2007-08-03 7:46:44.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18. True
* Created a new restore point
(((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\a.exe
((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))
2007-08-03 07:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 22:18 <DIR> d-------- C:\DOCUME~1\msnoble\.housecall6.6
2007-08-01 13:37 1,048,576 --ah----- C:\DOCUME~1\besadmin\NTUSER.DAT
2007-08-01 13:37 <DIR> d-------- C:\DOCUME~1\besadmin\APPLIC~1\Research In Motion
2007-08-01 13:37 <DIR> d-------- C:\DOCUME~1\besadmin\APPLIC~1\InterTrust
2007-08-01 13:37 <DIR> d-------- C:\DOCUME~1\besadmin\APPLIC~1\DigitalPersona
2007-07-24 00:08 840 --a------ C:\WINDOWS\system32\iaxcfg32.dll
2007-07-24 00:07 4,096 -ra------ C:\WINDOWS\system32\rkkzgyeb.exe
2007-07-18 15:56 <DIR> d-------- C:\Program Files\Barracuda
2007-07-18 15:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))
2007-06-27 16:22 --------- d-------- C:\Program Files\MSECache
2007-05-17 13:56 36352 --a------ C:\WINDOWS\system32\pxfhwmcp.dll
(((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-24 16:45]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 17:50]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-07-15 21:55]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 12:01 C:\WINDOWS\AGRSMMSG.exe]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]
"RegistryMechanic"="" []
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\Status Client\StatusClient.exe" [2004-02-27 13:29]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 19:50]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-09-08 15:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 17:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-09-08 15:45 102400 C:\WINDOWS\system32\DPWLEvHd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli DPPWDFLT
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Sen-Lon--computers.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1130\Scripts\Logoff\0\0]
"Script"=wslogoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1130\Scripts\Logon\0\0]
"Script"=wslogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1130\Scripts\Logon\1\0]
"Script"=Public Drive Map.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1155\Scripts\Logoff\0\0]
"Script"=wslogoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1155\Scripts\Logon\0\0]
"Script"=wslogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1155\Scripts\Logon\1\0]
"Script"=Public Drive Map.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logoff\0\0]
"Script"=wslogoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logoff\1\0]
"Script"=wslogoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logon\0\0]
"Script"=wslogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logon\1\0]
"Script"=Public Drive Map.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logon\2\0]
"Script"=wslogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-1626\Scripts\Logon\3\0]
"Script"=Public Drive Map.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-3152\Scripts\Logoff\0\0]
"Script"=wslogoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-3152\Scripts\Logon\0\0]
"Script"=wslogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-3152\Scripts\Logon\1\0]
"Script"=Public Drive Map.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-6229\Scripts\Logoff\0\0]
"Script"=wslogoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2632111346-3538629143-97115644-6229\Scripts\Logon\0\0]
"Script"=wslogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Mobile Printing]
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"C:\Program Files\Microsoft IntelliType Pro\type32.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
R1 ClntMgmt.sys;ClntMgmt.sys;C:\WINDOWS\system32\Drivers\ClntMgmt.sys
R1 eabfiltr;EABFiltr;\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\System32\drivers\btslbcsp.sys
R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 TmFilter;Trend Micro Filter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
R2 tmlisten;OfficeScan NT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R2 VSApiNt;Trend Micro VSAPI NT;\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
S1 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys
S3 eabusb;eabusb;\??\C:\WINDOWS\System32\drivers\eabusb.sys
S3 gv3;Intel GV3 Processor Driver;C:\WINDOWS\system32\DRIVERS\gv3.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 pxfhbus;PANTECH PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pxfhbus.sys
S3 pxfhmdfl;PANTECH PC Card Filter;C:\WINDOWS\system32\DRIVERS\pxfhmdfl.sys
S3 pxfhmdm;PANTECH PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pxfhmdm.sys
S3 pxfhserd;PANTECH PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pxfhserd.sys
S3 RimUsb;BlackBerry Device;C:\WINDOWS\system32\Drivers\RimUsb.sys
S3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
Contents of the 'Scheduled Tasks' folder
2007-08-03 06:00:29 C:\WINDOWS\Tasks\CDD Laptop BK.job - C:\WINDOWS\system32\ntbackup.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 07:49:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-03 7:50:34
C:\ComboFix-quarantined-files.txt ... 2007-08-03 07:50
--- E O F ---
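Reading the HijackThis log above and this ComboFix log by eye is the job the replies describe; the same first-pass rules can be written down. The following is an added example for this page, not code from the thread, from HijackThis or from ComboFix. It applies the checks an analyst runs first: an executable running from TEMP or the IE cache, a one-letter filename like the a.exe ComboFix deleted, a recently created file with a random-looking name or an implausibly small size for a PE module, an ActiveX control fetched from a bare IP, a NameServer outside the private ranges, and an empty Run value. The sample lines are copied from the two logs in this thread, plus one constructed O17 line with NameServer 203.0.113.9 to exercise that rule. Every threshold is an assumption, and a hit is a prompt to pull the file's hash and signature, not a verdict: GUA306.EXE trips the TEMP rule but was identified above as Trend Micro's, and the HiJackThis[1].exe hit only says the tool was run straight from the browser cache.

```python
"""Heuristic first-pass triage of HijackThis and ComboFix log lines.

Added example for this thread; not part of HijackThis or ComboFix. Each rule
is an analyst's rule of thumb (thresholds are assumptions): a hit means
"check this file's hash/signature next", never "this is malware".
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

PE_EXT = re.compile(r"\.(?:exe|dll|sys|scr)$", re.I)
TEMP_DIR = re.compile(r"\\(?:TEMP|Temporary Internet Files)\\", re.I)
DRIVE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|scr))"?', re.I)
# ComboFix "Files Created" line: date time size attrs path (size is <DIR> for folders)
CF_FILE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+|<DIR>)\s+\S+\s+(.+)$")
HJT_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.*? - (\S+)$")
HJT_O17 = re.compile(r"^O17 - .*NameServer = (\S+)")
EMPTY_RUN = re.compile(r'^"[^"]+"=""\s*\[\]$')  # ComboFix prints an empty Run value as "Name"="" []
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/")
PRIVATE_IP = re.compile(r"^(?:10\.|127\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)")


def looks_random(stem: str) -> bool:
    """Eight or more lowercase letters with under a quarter vowels: an assumed
    heuristic for dropper names such as 'rkkzgyeb'. Vendor abbreviations
    ('ntrtscan') trip it too, so it is only applied to newly created files."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.25


def check_path(path: str, line: str, new_file: bool, out: List[Finding]) -> None:
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    if not PE_EXT.search(name):
        return
    stem = name.rsplit(".", 1)[0]
    if TEMP_DIR.search(path):
        out.append(("executable-in-temp", line))
    if len(stem) == 1:
        out.append(("single-char-filename", line))
    if new_file and looks_random(stem):
        out.append(("random-looking-filename", line))


def triage(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = CF_FILE.match(line)
        if m:  # recently created file reported by ComboFix
            size, path = m.group(1), m.group(2)
            if size != "<DIR>":
                # A PE image needs DOS/NT headers plus a section; well under
                # 1 KiB is odd for a real module (assumed threshold).
                if PE_EXT.search(path) and int(size.replace(",", "")) < 1024:
                    out.append(("tiny-pe-file", line))
                check_path(path, line, True, out)
            continue
        m = HJT_O16.match(line)
        if m:
            if BARE_IP_URL.match(m.group(1)):
                out.append(("activex-from-bare-ip", line))
            continue
        m = HJT_O17.match(line)
        if m:
            if not PRIVATE_IP.match(m.group(1)):
                out.append(("nameserver-outside-private-ranges", line))
            continue
        if EMPTY_RUN.match(line):
            out.append(("empty-run-value", line))
            continue
        m = DRIVE_PATH.search(line)  # running process, O4 Run or O23 Service line
        if m:
            check_path(m.group(1), line, False, out)
    return out


def rules_fired(lines: List[str]) -> Dict[str, List[str]]:
    """Flagged line -> sorted rule names; the review list an analyst works from."""
    hits: Dict[str, List[str]] = {}
    for rule, line in triage(lines):
        hits.setdefault(line, []).append(rule)
    return {line: sorted(rules) for line, rules in hits.items()}


# Sample input: lines copied from the two logs in this thread, plus one
# constructed O17 line (NameServer 203.0.113.9) to exercise that rule.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\TEMP\GUA306.EXE",
    r"C:\Documents and Settings\msnoble\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\HiJackThis[1].exe",
    r"O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER",
    r'"RegistryMechanic"="" []',
    r"O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://172.18.1.35/NetCamPlayerWeb11gv2.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2DFD7EE2-A283-4D7E-95E1-7920EFC3F815}: NameServer = 172.16.1.34",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.9",  # constructed
    r"C:\WINDOWS\system32\a.exe",
    r"2007-08-03 07:45 51,200 --a------ C:\WINDOWS\nircmd.exe",
    r"2007-07-24 00:08 840 --a------ C:\WINDOWS\system32\iaxcfg32.dll",
    r"2007-07-24 00:07 4,096 -ra------ C:\WINDOWS\system32\rkkzgyeb.exe",
    r"2007-07-18 15:56 <DIR> d-------- C:\Program Files\Barracuda",
]

if __name__ == "__main__":
    for flagged, rules in rules_fired(SAMPLE).items():
        print(f"{', '.join(rules):40s} {flagged}")
```

Feed it a whole log with `triage(open(path).read().splitlines())`; the useful output is the short list of lines to verify by hash, which is what the thread's advice to "post the log" is really asking a reviewer to produce.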
ASKER CERTIFIED SOLUTION
Check this out:
C:\WINDOWS\TEMP\GUA306.EXE
If you don't know what it is, reboot to safe mode and move that file off or delete it.
If you don't need these, use hijackthis to remove them:
O16 - DPF: {1C203F13-95AD-11D0-A84B-0
O16 - DPF: {58A968A5-E3CE-4743-9CE4-A
O16 - DPF: {977DBE03-F527-11D3-8F03-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
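A small triage script in the spirit of the check above, added here as an example (it is not part of the original post and not HijackThis's own code): it parses HijackThis-style log lines, flags any running process launched from a TEMP directory, and collects the O16/O17 entries for review. The log text inside is a constructed sample modelled on the question; the CLSID and name-server values are placeholders.

```python
import re

# An executable running from a TEMP directory (like the GUA306.EXE entry in the
# posted log) is the first thing to identify; autostart software rarely lives there.
TEMP_DIR_RE = re.compile(r"\\TE?MP\\", re.IGNORECASE)

# HijackThis section codes the reply above singles out for review.
WATCHED_SECTIONS = {
    "O16": "Downloaded Program Files (ActiveX) entry",
    "O17": "DNS / domain setting (possible hijack)",
}

def triage_hijackthis(log_text):
    """Return findings keyed by category for a HijackThis-style log."""
    findings = {}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            if TEMP_DIR_RE.search(line):
                findings.setdefault("temp_process", []).append(line)
            continue
        m = re.match(r"(O\d+) - (.*)", line)
        if m and m.group(1) in WATCHED_SECTIONS:
            findings.setdefault(m.group(1), []).append(m.group(2))
    return findings

# Constructed sample modelled on the log in the question; the CLSID and
# name-server values are placeholders, not values from the page.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\GUA306.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
O16 - DPF: {CLSID-PLACEHOLDER} (Example Control) - http://example.invalid/control.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    for category, items in triage_hijackthis(SAMPLE_LOG).items():
        print(f"[{category}] {WATCHED_SECTIONS.get(category, 'running from TEMP')}")
        for item in items:
            print("   ", item)
```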