Philonator asked:
Windows has detected spyware infection

I have a red x in the right hand corner by the clock. It is a red blinking x that keeps saying windows has detected spyware infection.

I have tried a handful of solutions with no luck.
Philonator (ASKER):

I can't get HijackThis to run either... in safe mode or reg. Tried renaming files as well.
rank1sttech:

Got HJT to run by renaming the install file, renaming the exe to h.com and running it from the non-default directory.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:27 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\TEMP\WD7F1E.EXE
C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Dell\E-Center\EULALauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\h.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 192.135.176.8 Commerce.health.state.ny.us commerce
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = yatescounty.local
O17 - HKLM\Software\..\Telephony: DomainName = yatescounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = yatescounty.local
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleOra9iClientCache - Unknown owner - c:\Oracle\Ora9i\BIN\ONRSD.EXE
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9481 bytes
SOLUTION (IndiGenus): This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION: This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
All failed solutions so far:
AVG
Trend Micro antivirus
Spybot Search and Destroy
SmitfraudFix

Will try combofix next.  Thanks guys
I think the source is coming from users clicking on UPS spoof emails.

I think ComboFix worked. I can't get the red x to appear. Is there any way to know definitely for sure?

Could you run HijackThis again and post the new log please?
Also post the ComboFix log.
braviax usually patches beep.sys; that's where SDFix is good for this infection, as it replaces/restores beep.sys if it is patched.
The ComboFix log, as IndiGenus had asked for, should tell us if beep.sys is patched.
I had a ComboFix log yesterday where ComboFix didn't delete C:\WINDOWS\system32\ntos.exe, so it's good to check the log to make sure.
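One way to do the cross-check this reply describes (confirm from the ComboFix log that the persistence points seen in the HijackThis log were removed, and that beep.sys was replaced rather than just deleted) is the small Python 3 script below. It is an added example written for this page, not code from the thread or from either tool; the sample log lines are constructed, modelled on the logs posted above, and the indicator rules (an extra executable in the UserInit chain, a non-empty AppInit_DLLs value, a Run entry in the SYSTEM or Default user hive, a Hosts override) are general heuristics for entries that legitimate software rarely produces, not a signature for this specific infection.

```python
import re

# Constructed sample lines, modelled on the HijackThis and ComboFix logs in this
# thread; they are not the thread's full logs.
HJT_SAMPLE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 192.135.176.8 Commerce.health.state.ny.us commerce
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O20 - AppInit_DLLs: cru629.dat
"""

COMBOFIX_SAMPLE = r"""
(((((((((((((((   Other Deletions   )))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\ntos.exe

.
(((((((((((((((   Files Created from 2008-06-22 to 2008-07-22  )))))))))))))))
.
2008-07-22 10:44 . 2004-08-04 06:00      4,224      --a------      C:\WINDOWS\system32\dllcache\beep.sys
2008-07-22 10:23 . 2008-07-22 10:23            d--------      C:\Program Files\Spybot - Search & Destroy
"""

FILE_KINDS = {"userinit-chain", "run-in-system-hive", "appinit-dll"}  # findings that name a file
RUN_IMAGE_RE = re.compile(r'\]\s+"?([A-Za-z]:\\.*?\.(?:exe|com|dll))', re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# ComboFix "Files Created" line: created-stamp . file-stamp  [size]  attributes  path
CREATED_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+)\s+(.*?)\s*([A-Za-z]:\\.*)$")


def hjt_indicators(log_text: str) -> list:
    """Return (kind, value) pairs for HijackThis entries that deserve a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("F2 - ") and "UserInit=" in line:
            # UserInit should name userinit.exe only; every extra path is launched at logon.
            for entry in (p.strip() for p in line.split("UserInit=", 1)[1].split(",")):
                if entry and not entry.lower().endswith("\\userinit.exe"):
                    findings.append(("userinit-chain", entry))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # A non-empty AppInit_DLLs value is loaded into every process that links user32.
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("appinit-dll", value))
        elif line.startswith("O1 - Hosts:"):
            findings.append(("hosts-override", line.split(":", 1)[1].strip()))
        elif line.startswith("O4 - ") and ("HKUS\\S-1-5-18" in line or "HKUS\\.DEFAULT" in line):
            # Run entries in the SYSTEM and Default user hives are unusual for normal software.
            m = RUN_IMAGE_RE.search(line)
            if m:
                findings.append(("run-in-system-hive", m.group(1)))
    return findings


def combofix_section(log_text: str, title: str) -> list:
    """Body lines of the ComboFix section whose banner contains `title`."""
    body, inside = [], False
    for line in log_text.splitlines():
        if line.startswith("((((("):  # every ComboFix section banner starts this way
            inside = title in line
            continue
        if inside:
            body.append(line.rstrip())
    return body


def combofix_deletions(log_text: str) -> set:
    """Paths ComboFix reports under 'Other Deletions'."""
    return {l for l in combofix_section(log_text, "Other Deletions") if DRIVE_PATH_RE.match(l)}


def combofix_created(log_text: str) -> dict:
    """Paths under 'Files Created', mapped to the file's own timestamp as ComboFix prints it."""
    created = {}
    for line in combofix_section(log_text, "Files Created"):
        m = CREATED_RE.match(line)
        if m:
            created[m.group(4)] = m.group(2)
    return created


def beep_sys_report(log_text: str) -> dict:
    """For each beep.sys ComboFix removed, say whether a replacement copy was logged as created."""
    created = combofix_created(log_text)
    return {path: "deleted+recreated" if path in created else "deleted"
            for path in sorted(combofix_deletions(log_text))
            if path.lower().endswith("\\beep.sys")}


def unresolved(hjt_text: str, cf_text: str) -> list:
    """HijackThis file indicators that the ComboFix deletions do not account for."""
    deleted = {p.lower() for p in combofix_deletions(cf_text)}
    deleted_names = {p.rsplit("\\", 1)[-1] for p in deleted}  # for bare names such as an AppInit DLL
    leftovers = []
    for kind, value in hjt_indicators(hjt_text):
        if kind not in FILE_KINDS:
            continue
        v = value.lower()
        covered = v in deleted if "\\" in v else v in deleted_names
        if not covered and (kind, value) not in leftovers:
            leftovers.append((kind, value))
    return leftovers


if __name__ == "__main__":
    for finding in hjt_indicators(HJT_SAMPLE):
        print("HJT indicator:", *finding)
    print("beep.sys:", beep_sys_report(COMBOFIX_SAMPLE))
    print("Still unaccounted for:", unresolved(HJT_SAMPLE, COMBOFIX_SAMPLE))
```

On the constructed sample the script reports both beep.sys copies as deleted but only the dllcache copy as recreated, and lists the AppInit DLL as unaccounted for, because "Other Deletions" names no file by that name; both are exactly the cases where the reply's advice (check the log, and fall back to a tool that restores beep.sys) applies. Replace the two sample strings with the real log texts to run it on an actual case.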
SOLUTION: This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
ComboFix log:

ComboFix 08-07-21.2 - debm 2008-07-22 16:09:57.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.543 [GMT -4:00]
Running from: C:\Documents and Settings\DebM\Desktop\cominbbinationfizzer.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\x64

.
(((((((((((((((((((((((((   Files Created from 2008-06-22 to 2008-07-22  )))))))))))))))))))))))))))))))
.

2008-07-22 15:48 . 2008-07-22 15:48      4,864      --a------      C:\WINDOWS\system32\tmp.reg
2008-07-22 15:24 . 2008-07-22 15:24            d---s----      C:\Documents and Settings\ycadmin\UserData
2008-07-22 14:45 . 2008-02-15 20:45      172,032      --a------      C:\WINDOWS\system32\igfxres.dll
2008-07-22 11:53 . 2008-02-15 21:11      1,843,784      --a------      C:\WINDOWS\system32\igklg400.dll
2008-07-22 11:53 . 2008-02-15 21:11      1,399,880      --a------      C:\WINDOWS\system32\igklg450.dll
2008-07-22 11:53 . 2008-02-15 21:21      147,456      --a------      C:\WINDOWS\system32\igfxCoIn_v4926.dll
2008-07-22 11:53 . 2008-02-15 21:11      104,636      --a------      C:\WINDOWS\system32\igmedcompkrn.dll
2008-07-22 11:52 . 2008-07-22 11:52            d--------      C:\Intel
2008-07-22 10:46 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\system32\buritos.exe
2008-07-22 10:46 . 2008-07-22 15:33      6,144      --a------      C:\WINDOWS\system32\karina.dat
2008-07-22 10:46 . 2008-07-22 15:33      6,144      --a------      C:\WINDOWS\karina.dat
2008-07-22 10:45 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\buritos.exe
2008-07-22 10:44 . 2004-08-04 06:00      4,224      --a------      C:\WINDOWS\system32\dllcache\beep.sys
2008-07-22 10:25 . 2008-07-22 10:25            d---s----      C:\Documents and Settings\DebM\UserData
2008-07-22 10:23 . 2008-07-22 10:23            d--------      C:\Program Files\Spybot - Search & Destroy
2008-07-22 10:23 . 2008-07-22 10:36            d--------      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-22 10:07 . 2008-07-22 10:07      118      --a------      C:\WINDOWS\system32\MRT.INI
2008-07-07 14:36 . 2008-07-07 14:36      23      --a------      C:\WINDOWS\bo9040cn.ini
2008-07-03 12:09 . 2008-07-03 12:09            d--------      C:\Program Files\AskSBar
2008-07-03 12:05 . 2008-07-22 10:24            d--------      C:\Program Files\AWS
2008-07-03 11:58 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-03 11:58 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-03 11:57 . 2001-08-17 14:02      9,600      --a------      C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-03 11:57 . 2001-08-17 14:02      9,600      --a------      C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-03 11:57 . 2008-07-03 11:57      4,128      --a------      C:\INFCACHE.1
2008-07-03 10:56 . 2008-07-03 10:56            d--------      C:\Documents and Settings\All Users\Application Data\Brother
2008-07-03 10:56 . 2008-07-07 14:36      426      --a------      C:\WINDOWS\BRWMARK.INI
2008-07-03 10:56 . 2008-07-03 10:56      26      --a------      C:\WINDOWS\BRPP2KA.INI
2008-07-03 10:27 . 2008-07-03 10:27            d--------      C:\Documents and Settings\All Users\Application Data\ESRI
2008-07-03 10:24 . 2008-07-03 10:24            d--------      C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-03 10:23 . 2008-07-03 11:24            d--------      C:\Program Files\ArcGIS
2008-06-23 13:57 . 2005-03-30 09:14      1,867,776      --a------      C:\WINDOWS\system32\python24.dll
2008-06-23 13:39 . 2008-06-23 13:39            d--------      C:\Program Files\Leica Geosystems
2008-06-23 13:37 . 2008-06-23 13:57            d--------      C:\Python24
2008-06-23 12:16 . 2008-07-03 10:58            d--------      C:\Documents and Settings\DebM\Application Data\ESRI
2008-06-23 12:05 . 2008-06-23 12:08            d--------      C:\gis

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 19:43      ---------      d-----w      C:\Program Files\Trend Micro
2008-07-22 14:02      ---------      d-----w      C:\Program Files\Java
2008-07-09 15:44      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-03 14:37      ---------      d-----w      C:\Program Files\ESRI
2008-07-03 14:27      ---------      d-----w      C:\Program Files\Common Files\ESRI
2008-06-23 16:36      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\ESRI
2008-06-20 10:45      360,320      ----a-w      C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44      138,368      ----a-w      C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52      225,920      ----a-w      C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 19:55      ---------      d-----w      C:\Program Files\MSXML 4.0
2008-06-19 18:28      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\CyberLink
2008-06-19 18:24      ---------      d-----w      C:\Program Files\Centers for Disease Control and Prevention
2008-06-19 18:16      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2008-06-19 18:16      ---------      d-----w      C:\Program Files\3M Home Health Systems
2008-06-19 17:56      ---------      d-----w      C:\Program Files\Oracle
2008-06-19 17:42      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\CyberLink
2008-06-19 16:58      ---------      d-----w      C:\Program Files\Microsoft SQL Server
2008-06-19 16:56      ---------      d-----w      C:\Program Files\Microsoft.NET
2008-06-19 16:52      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\Dell
2008-06-19 13:48      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\Dell
2008-06-19 13:47      ---------      d-----w      C:\Program Files\Google
2008-06-19 13:20      ---------      d-----w      C:\Documents and Settings\temp\Application Data\Dell
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 03:24      ---------      d-----w      C:\Program Files\Microsoft Small Business
2008-06-12 03:18      ---------      d-----w      C:\Program Files\Dell
2008-06-12 03:18      ---------      d-----w      C:\Program Files\Common Files\Adobe
2008-06-12 03:18      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-12 03:17      ---------      d-----w      C:\Program Files\Common Files\Macrovision Shared
2008-06-12 03:14      ---------      d-----w      C:\Program Files\Microsoft Works
2008-06-12 03:10      ---------      d-----w      C:\Program Files\CyberLink
2008-06-12 03:10      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2008-06-12 03:08      ---------      d-----w      C:\Program Files\Sigmatel
2008-06-12 03:08      ---------      d-----w      C:\Program Files\CONEXANT
2008-06-12 03:04      ---------      d-----w      C:\Program Files\Wave Systems Corp
2008-06-12 03:04      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\temp\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
2008-06-12 03:00      ---------      d-----w      C:\Program Files\Fingerprint Sensor
2008-06-12 02:59      ---------      d-----w      C:\Program Files\Gemplus
2008-06-12 02:56      ---------      d-----w      C:\Program Files\NTRU Cryptosystems
2008-06-12 02:56      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
2008-06-12 02:52      ---------      d-----w      C:\Program Files\NetWaiting
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Modem Diagnostic Tool
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Digital Line Detect
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Broadcom
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\temp\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Dell
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-12 02:50      ---------      d-----w      C:\Program Files\Common Files\Java
2008-06-12 02:34      ---------      d-----w      C:\Program Files\Apoint
2008-06-12 02:30      6,796      ----a-w      C:\WINDOWS\system32\drivers\1028_Dell_LAT_D630.mrk
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 03:34 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2008-02-22 13:43 1245184]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 10:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 11:53 218424]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-10-09 05:17 2183168]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 12:56 124200]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Acrobat Speed Launch"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 02:40 46200]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-02-26 16:16 17920]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 01:43 702072]
"Acrobat Synchronizer"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 01:29 738968]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-28 17:32 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-28 17:32 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-28 17:32 137752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-06-11 22:52:32 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 16:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-682003330-725345543-1230\Scripts\Logon\0\0]
"Script"=\\yatescounty.local\SysVol\yatescounty.local\scripts\OFCSCAN.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-682003330-725345543-500\Scripts\Logon\0\0]
"Script"=\\yatescounty.local\SysVol\yatescounty.local\scripts\OFCSCAN.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 10:57]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 15:21]
R2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 18:29]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
R2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 10:55]
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 13:32]
R3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 10:18]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [2000-10-27 12:45]
S3 OracleOra9iClientCache;OracleOra9iClientCache;c:\Oracle\Ora9i\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 18:39]
S3 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 15:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 16:13:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\temp\RE9304.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-07-22 16:16:46 - machine was rebooted [debm]
ComboFix-quarantined-files.txt  2008-07-22 20:16:43

Pre-Run: 62,886,752,256 bytes free
Post-Run: 63,663,267,840 bytes free

227      --- E O F ---      2008-07-22 14:07:18
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:53, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Dell\E-Center\EULALauncher.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\h.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKUS\S-1-5-21-823518204-682003330-725345543-1230\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'debm')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = yatescounty.local
O17 - HKLM\Software\..\Telephony: DomainName = yatescounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = yatescounty.local
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleOra9iClientCache - Unknown owner - c:\Oracle\Ora9i\BIN\ONRSD.EXE
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9050 bytes

I ran Trend antivirus last night and it picked up and quarantined 5 viruses...

Another improvement: I can run HijackThis from the Start Programs menu.

I just ran ComboFix again from safe mode and here is the log:
ComboFix 08-07-21.2 - Administrator 2008-07-23 10:29:03.2 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Administrator\Desktop\cominbbinationfizzer.exe
.

(((((((((((((((((((((((((   Files Created from 2008-06-23 to 2008-07-23  )))))))))))))))))))))))))))))))
.

2008-07-23 10:21 . 2008-07-23 10:21            d--h-----      C:\WINDOWS\PIF
2008-07-22 15:48 . 2008-07-22 15:48      4,864      --a------      C:\WINDOWS\system32\tmp.reg
2008-07-22 15:24 . 2008-07-22 15:24            d---s----      C:\Documents and Settings\ycadmin\UserData
2008-07-22 14:45 . 2008-02-15 20:45      172,032      --a------      C:\WINDOWS\system32\igfxres.dll
2008-07-22 11:53 . 2008-02-15 21:11      1,843,784      --a------      C:\WINDOWS\system32\igklg400.dll
2008-07-22 11:53 . 2008-02-15 21:11      1,399,880      --a------      C:\WINDOWS\system32\igklg450.dll
2008-07-22 11:53 . 2008-02-15 21:21      147,456      --a------      C:\WINDOWS\system32\igfxCoIn_v4926.dll
2008-07-22 11:53 . 2008-02-15 21:11      104,636      --a------      C:\WINDOWS\system32\igmedcompkrn.dll
2008-07-22 11:52 . 2008-07-22 11:52            d--------      C:\Intel
2008-07-22 10:46 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\system32\buritos.exe
2008-07-22 10:45 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\buritos.exe
2008-07-22 10:44 . 2004-08-04 06:00      4,224      --a------      C:\WINDOWS\system32\dllcache\beep.sys
2008-07-22 10:25 . 2008-07-22 10:25            d---s----      C:\Documents and Settings\DebM\UserData
2008-07-22 10:23 . 2008-07-22 10:23            d--------      C:\Program Files\Spybot - Search & Destroy
2008-07-22 10:23 . 2008-07-22 10:36            d--------      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-22 10:07 . 2008-07-22 10:07      118      --a------      C:\WINDOWS\system32\MRT.INI
2008-07-07 14:36 . 2008-07-07 14:36      23      --a------      C:\WINDOWS\bo9040cn.ini
2008-07-03 12:09 . 2008-07-03 12:09            d--------      C:\Program Files\AskSBar
2008-07-03 12:05 . 2008-07-22 10:24            d--------      C:\Program Files\AWS
2008-07-03 11:58 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-03 11:58 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-03 11:57 . 2001-08-17 14:02      9,600      --a------      C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-03 11:57 . 2001-08-17 14:02      9,600      --a------      C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-03 11:57 . 2008-07-03 11:57      4,128      --a------      C:\INFCACHE.1
2008-07-03 10:56 . 2008-07-03 10:56            d--------      C:\Documents and Settings\All Users\Application Data\Brother
2008-07-03 10:56 . 2008-07-07 14:36      426      --a------      C:\WINDOWS\BRWMARK.INI
2008-07-03 10:56 . 2008-07-03 10:56      26      --a------      C:\WINDOWS\BRPP2KA.INI
2008-07-03 10:27 . 2008-07-03 10:27            d--------      C:\Documents and Settings\All Users\Application Data\ESRI
2008-07-03 10:24 . 2008-07-03 10:24            d--------      C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-03 10:23 . 2008-07-03 11:24            d--------      C:\Program Files\ArcGIS
2008-06-23 13:57 . 2005-03-30 09:14      1,867,776      --a------      C:\WINDOWS\system32\python24.dll
2008-06-23 13:39 . 2008-06-23 13:39            d--------      C:\Program Files\Leica Geosystems
2008-06-23 13:37 . 2008-06-23 13:57            d--------      C:\Python24
2008-06-23 12:16 . 2008-07-03 10:58            d--------      C:\Documents and Settings\DebM\Application Data\ESRI
2008-06-23 12:05 . 2008-06-23 12:08            d--------      C:\gis

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 14:21      ---------      d-----w      C:\Program Files\Trend Micro
2008-07-22 14:02      ---------      d-----w      C:\Program Files\Java
2008-07-09 15:44      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-03 14:37      ---------      d-----w      C:\Program Files\ESRI
2008-07-03 14:27      ---------      d-----w      C:\Program Files\Common Files\ESRI
2008-06-23 16:36      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\ESRI
2008-06-20 10:45      360,320      ----a-w      C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44      138,368      ----a-w      C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52      225,920      ----a-w      C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 19:55      ---------      d-----w      C:\Program Files\MSXML 4.0
2008-06-19 18:28      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\CyberLink
2008-06-19 18:24      ---------      d-----w      C:\Program Files\Centers for Disease Control and Prevention
2008-06-19 18:16      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2008-06-19 18:16      ---------      d-----w      C:\Program Files\3M Home Health Systems
2008-06-19 17:56      ---------      d-----w      C:\Program Files\Oracle
2008-06-19 17:42      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\CyberLink
2008-06-19 16:58      ---------      d-----w      C:\Program Files\Microsoft SQL Server
2008-06-19 16:56      ---------      d-----w      C:\Program Files\Microsoft.NET
2008-06-19 16:52      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\Dell
2008-06-19 13:48      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\Dell
2008-06-19 13:47      ---------      d-----w      C:\Program Files\Google
2008-06-19 13:20      ---------      d-----w      C:\Documents and Settings\temp\Application Data\Dell
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 03:24      ---------      d-----w      C:\Program Files\Microsoft Small Business
2008-06-12 03:18      ---------      d-----w      C:\Program Files\Dell
2008-06-12 03:18      ---------      d-----w      C:\Program Files\Common Files\Adobe
2008-06-12 03:18      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-12 03:17      ---------      d-----w      C:\Program Files\Common Files\Macrovision Shared
2008-06-12 03:14      ---------      d-----w      C:\Program Files\Microsoft Works
2008-06-12 03:10      ---------      d-----w      C:\Program Files\CyberLink
2008-06-12 03:10      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2008-06-12 03:08      ---------      d-----w      C:\Program Files\Sigmatel
2008-06-12 03:08      ---------      d-----w      C:\Program Files\CONEXANT
2008-06-12 03:04      ---------      d-----w      C:\Program Files\Wave Systems Corp
2008-06-12 03:04      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\temp\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\Wave Systems Corp
2008-06-12 03:03      ---------      d-----w      C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
2008-06-12 03:00      ---------      d-----w      C:\Program Files\Fingerprint Sensor
2008-06-12 02:59      ---------      d-----w      C:\Program Files\Gemplus
2008-06-12 02:56      ---------      d-----w      C:\Program Files\NTRU Cryptosystems
2008-06-12 02:56      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
2008-06-12 02:52      ---------      d-----w      C:\Program Files\NetWaiting
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Modem Diagnostic Tool
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Digital Line Detect
2008-06-12 02:52      ---------      d-----w      C:\Program Files\Broadcom
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\ycadmin\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\temp\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\DebM\Application Data\InstallShield
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Dell
2008-06-12 02:52      ---------      d-----w      C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-12 02:50      ---------      d-----w      C:\Program Files\Common Files\Java
2008-06-12 02:34      ---------      d-----w      C:\Program Files\Apoint
2008-06-12 02:30      6,796      ----a-w      C:\WINDOWS\system32\drivers\1028_Dell_LAT_D630.mrk
.

(((((((((((((((((((((((((((((   snapshot@2008-07-22_16.16.33.08   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-22 19:37:41      65,446      ----a-w      C:\WINDOWS\system32\perfc009.dat
+ 2008-07-23 14:30:26      65,044      ----a-w      C:\WINDOWS\system32\perfc009.dat
- 2008-07-22 19:37:41      411,142      ----a-w      C:\WINDOWS\system32\perfh009.dat
+ 2008-07-23 14:30:26      410,574      ----a-w      C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-25 03:34 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2008-02-22 13:43 1245184]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 10:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 11:53 218424]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-10-09 05:17 2183168]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 12:56 124200]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Acrobat Speed Launch"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 02:40 46200]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-02-26 16:16 17920]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 01:43 702072]
"Acrobat Synchronizer"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 01:29 738968]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-28 17:32 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-28 17:32 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-28 17:32 137752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-06-11 22:52:32 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 16:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-682003330-725345543-1230\Scripts\Logon\0\0]
"Script"=\\yatescounty.local\SysVol\yatescounty.local\scripts\OFCSCAN.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-823518204-682003330-725345543-500\Scripts\Logon\0\0]
"Script"=\\yatescounty.local\SysVol\yatescounty.local\scripts\OFCSCAN.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 10:57]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 15:21]
S2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 18:29]
S2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
S2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 10:55]
S3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 13:32]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [2000-10-27 12:45]
S3 OracleOra9iClientCache;OracleOra9iClientCache;c:\Oracle\Ora9i\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 18:39]
S3 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 15:31]
S3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 10:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080612
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 10:37:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

.
Completion time: 2008-07-23 10:40:58 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-23 14:40:54

Pre-Run: 63,754,121,216 bytes free
Post-Run: 63,746,818,048 bytes free

194      --- E O F ---      2008-07-22 14:07:18
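A triage script for the ComboFix output above, added here as an example; it is not part of the thread and not anything ComboFix or HijackThis ships. It parses the "Files Created" and "Reg Loading Points" line formats and flags the indicators a reviewer would pull out of this particular log: an executable dropped directly into the Windows root, the same binary (same name, same size) sitting in two directories, Security Center warnings switched off, and the firewall disabled in the active profile. The sample lines are excerpted from the log in this post; the checks, thresholds and message wording are my own assumptions.

```python
"""Triage helper for ComboFix-style logs (example code, not part of the thread).
Flags: executable in the Windows root, identical binary in several directories,
Security Center notifications disabled, Windows Firewall disabled."""
import re
from collections import defaultdict

# Constructed subset of the ComboFix log posted above (raw string: real backslashes).
SAMPLE_LOG = r"""
2008-07-22 10:46 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\system32\buritos.exe
2008-07-22 10:45 . 2008-07-22 15:33      9,216      --a------      C:\WINDOWS\buritos.exe
2008-07-22 10:44 . 2004-08-04 06:00      4,224      --a------      C:\WINDOWS\system32\dllcache\beep.sys
2008-07-03 12:09 . 2008-07-03 12:09            d--------      C:\Program Files\AskSBar
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "created . modified [size] attrs path"; directories carry no size column.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>\S.*?)\s*$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+?)\s*$')

EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".pif")
# Security Center values that silence the warnings an infection wants hidden.
NOTIFY_VALUES = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}


def _reg_int(val):
    """'dword:00000001' -> 1; '0 (0x0)' -> 0; anything else -> None."""
    if val.lower().startswith("dword:"):
        return int(val[6:], 16)
    try:
        return int(val.split()[0])
    except ValueError:
        return None


def parse_log(text):
    """Return (files, registry): files is a list of dicts from FILE_RE, registry maps
    (key, valuename), both lower-cased, to the integer value."""
    files, registry, current_key = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := FILE_RE.match(line)):
            d = m.groupdict()
            d["size"] = int(d["size"].replace(",", "")) if d["size"] else None
            files.append(d)
        elif (m := KEY_RE.match(line)):
            current_key = m.group("key").lower()
        elif current_key and (m := VALUE_RE.match(line)):
            registry[(current_key, m.group("name").lower())] = _reg_int(m.group("val"))
    return files, registry


def triage(text):
    """Return human-readable findings for the four indicators (assumed heuristics)."""
    files, registry = parse_log(text)
    findings = []

    # 1. Executables dropped directly into the Windows root directory.
    for f in files:
        p = f["path"].lower()
        if p.endswith(EXEC_EXT) and p.rsplit("\\", 1)[0] == r"c:\windows":
            findings.append(f"executable in Windows root: {f['path']}")

    # 2. Same file name and size in more than one directory (the buritos.exe pattern).
    by_name = defaultdict(set)
    for f in files:
        if f["size"] is not None and f["path"].lower().endswith(EXEC_EXT):
            by_name[(f["path"].rsplit("\\", 1)[-1].lower(), f["size"])].add(f["path"])
    for (name, size), paths in by_name.items():
        if len(paths) > 1:
            findings.append(f"{name} ({size} bytes) present in {len(paths)} locations: "
                            + ", ".join(sorted(paths)))

    # 3. Security Center notifications turned off.
    for (key, name), val in registry.items():
        if key.endswith("security center") and name in NOTIFY_VALUES and val == 1:
            findings.append(f"Security Center warning disabled: {name}")

    # 4. Windows Firewall disabled in a profile.
    for (key, name), val in registry.items():
        if name == "enablefirewall" and val == 0:
            profile = key.rsplit("\\", 1)[-1]
            findings.append(f"Windows Firewall off in {profile}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Point it at a full ComboFix log (`triage(open("ComboFix.txt").read())`) and the file-based checks work over the whole "Files Created" section; the catchme "hidden files: 0" result at the end of this log is not parsed, since a clean rootkit scan is not by itself a finding.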
Moh10ly, good call on the buritos. I have 5 PCs running this virus now. I have found it on others but not on this one. This computer I thought was fixed, but it looks like it still has it. I wrote a custom ComboFix script that works well for getting rid of buritos. I will run it on this machine and repost my ComboFix log.
I am closing this a little prematurely, but I think you guys got me down the home stretch. The user is functional again, and with an upgrade in the antivirus software it seems to have gotten the remaining gremlins. Thanks to all.