Hello,

This evening my computer was infected with Antivirus Soft. It was exhibiting all the signs: fake security warnings, fake system scan screen, all programs disabled, IE redirects to Antivirus Soft webpage, etc etc.

I was able to open Task Manager and kill the .exe file. After which I went to msconfig and disabled it from the start-up list. I then went to %Documents and Settings%\user\Local Settings\Application Data\[random string] and deleted the exe. (It was named some gibberish, [random string].exe.)

Sadly, this is my work computer which puts me in even more of a bind. I would take this to our IT department, however we no longer have IT support in-house and now have to wait for a remote technician to make a visit. (I had to wait over a month for them just to send someone out to switch the extension on my phone when I moved desks). I would greatly appreciate it if someone could help. Thanks in advance!

As instructed, here's the DDS log and the Attach.txt in a .zip.


DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 22:09:32.13 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.119 [GMT -6:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {860E5DC2-3A32-441D-AEED-A06D4F3C3FC0}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07526210-19C0-48AC-8EB0-B15A9C95859C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CATPC\CATSYS\CatSystemSvc.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre1.6.0_17\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\OfficeScan NT\CNTAoSMgr.exe
C:\WINDOWS\TEMP\KVBA23.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
C:\Program Files\OfficeScan NT\Pccntmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Documents and Settings\user\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Siemens
uStart Page = https://intranet.industry.usa.siemens.com
uDefault_Page_URL = https://intranet.industry.usa.siemens.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=CatUInit
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - Java(tm) Plug-In SSV Helper
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre1.6.0_17\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre1.6.0_17\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CatUserRun] exec32 /wh /c chgreg5 /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [USM] c:\program files\siemens\usm\USM.exe
mRun: [SIECACST] c:\program files\siemens\cardos api\bin\siecacst.exe
mRun: [OfficeScanNT Monitor] "c:\program files\officescan nt\Pccntmon.exe" -HideWindow
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\firewa~1.lnk - c:\program files\microsoft firewall client\ISATRAY.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: StartRunNoHOMEPATH = 1 (0x1)
uPolicies-system: ConnectHomeDirToRoot = 0 (0x0)
uPolicies-system: HideLogonScripts = 0 (0x0)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 1800 (0x708)
mPolicies-system: HideShutdownScripts = 0 (0x0)
dPolicies-explorer: NoActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\microsoft firewall client\wspwsp.dll
Trusted Zone: authoria.com
Trusted Zone: authoria.com\si-salplan
Trusted Zone: cexp.com\*.ib2b
Trusted Zone: extremelearning.com
Trusted Zone: hewitt.com\*.resources
Trusted Zone: learnatsiemens.com
Trusted Zone: microsoft.com
Trusted Zone: monsoon5.com
Trusted Zone: netglearning.com
Trusted Zone: sap-ag.de
Trusted Zone: sap.com
Trusted Zone: siemenshealthservices.com
Trusted Zone: skilldialogue.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: skillwsa.com
Trusted Zone: vinimaya.com\*.siemens
Trusted Zone: authoria.com
Trusted Zone: authoria.com\si-salplan
Trusted Zone: cexp.com\*.ib2b
Trusted Zone: extremelearning.com
Trusted Zone: hewitt.com\*.resources
Trusted Zone: learnatsiemens.com
Trusted Zone: microsoft.com
Trusted Zone: monsoon5.com
Trusted Zone: netglearning.com
Trusted Zone: sap-ag.de
Trusted Zone: sap.com
Trusted Zone: siemenshealthservices.com
Trusted Zone: skilldialogue.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: skillwsa.com
Trusted Zone: vinimaya.com\*.siemens
DPF: {41E6DDD6-FBD6-4718-80F7-9B160533C2F5} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGToolbars50.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGUltraGrid20.CAB
DPF: {B63EA811-FF25-4211-A6D2-58BF767432E1} - hxxp://inet16.sbt.siemens.com/esonline/cabs/pictureloader.cab
DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC696B63-4159-11D0-BDCB-0020A90B183A} - hxxp://usbgresw01/esonline/cabs/PVDATECAL9.CAB
DPF: {F0D96671-A5CE-4854-AE49-6835742D232F} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGThreed40.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 CatSystemSvc;CatSystem;c:\windows\catpc\catsys\CatSystemSvc.exe [2009-1-27 607744]
R2 CBBS;CAT Bulletin Board;c:\program files\siemens\cat bulletin board\CBBS.exe [2002-6-20 65536]
R2 TmFilter;Trend Micro Filter;c:\program files\officescan nt\TmXPFlt.sys [2008-8-15 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\officescan nt\tmpreflt.sys [2008-8-15 36368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 AsyncSvc;Insight AsyncSvc;c:\commtool\system\asyncsvc.exe [2009-7-27 601344]
S3 BACnetClientSvc;Insight BACnetClientSvc;c:\commtool\system\bacin.exe [2009-7-27 306432]
S3 BACnetServerSvc;Insight BACnetServerSvc;c:\commtool\system\bnsvc.exe [2009-7-27 1015040]
S3 CrossTrunkService;Insight CrossTrunkService;c:\commtool\system\xtsvc.exe [2009-7-27 224512]
S3 EventLogSvc;Insight EventLogSvc;c:\commtool\Eventlog.exe [2009-7-27 150784]
S3 EventPrtSvc;Insight EventPrtSvc;c:\commtool\Eventptr.exe [2009-7-27 138496]
S3 GlobalTablesService;Insight GlobalTablesService;c:\commtool\system\gtsvc.exe [2009-7-27 437504]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-6-1 24576]
S3 Insight DBCSServer;Insight DBCSServer;c:\commtool\system\InsightDBCSServer.exe [2009-7-27 1838336]
S3 Insight MonitorSvc;Insight MonitorSvc;c:\commtool\system\monitor.exe [2009-7-27 81152]
S3 Insight RENOServer;Insight RENOServer;c:\commtool\system\InsightRENOServer.EXE [2009-7-27 494848]
S3 LoaderSvc;Insight LoaderSvc;c:\commtool\system\loader.exe [2009-7-27 740608]
S3 ooams-3;Objectivity AMS;c:\commtool\system\dbmanagr\ooams.exe [2007-10-15 24576]
S3 ools-13;Objectivity Lock Server;c:\commtool\system\dbmanagr\ools.exe [2007-10-15 98304]
S3 ResidentPointSvc;Insight ResidentPointSvc;c:\commtool\RPMonitor.exe [2009-7-27 195840]
S3 SchedulerSvc;Insight SchedulerSvc;c:\commtool\Schedsrv.exe [2009-7-27 97536]
S3 SoftControllerSvc;Insight Softcontroller Service;c:\commtool\system\vfpsvc.exe [2009-7-27 118080]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\officescan nt\TmProxy.exe [2008-7-2 652552]
S4 SentinelLM;SentinelLM;c:\program files\siemens\apogee\common\lservnt.exe [2006-7-12 577536]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-06-01 20:01:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2010-06-01 20:01:26 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-06-01 20:00:58 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-06-01 14:57:24 0 d-----w- c:\docume~1\user\applic~1\Teleca
2010-06-01 14:56:04 0 d-----w- c:\program files\common files\Teleca Shared
2010-06-01 14:53:42 24576 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2010-06-01 14:53:42 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-06-01 14:53:33 0 d-----w- c:\program files\Spirent Communications
2010-06-01 14:53:20 0 d-----w- c:\program files\HTC
2010-06-01 14:50:10 0 d-----w- c:\windows\Downloaded Installations
2010-05-12 16:18:08 667648 ----a-w- c:\windows\system32\BCMLogon.dll
2010-05-12 16:18:08 424320 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2010-05-12 16:17:54 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-05-12 16:17:54 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-05-12 16:17:54 253952 ----a-w- c:\windows\system32\bcmwlu00.exe
2010-05-12 16:17:54 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-05-12 16:17:47 3096576 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2010-05-12 16:17:46 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-05-12 16:17:46 44032 ----a-w- c:\windows\system32\wltrynt.dll
2010-05-12 16:17:46 18944 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-05-12 16:17:46 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-05-12 16:17:45 86016 ----a-w- c:\windows\system32\preflib.dll
2010-05-12 16:17:45 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-05-12 16:16:20 0 d-----w- C:\DELL
2010-05-04 20:58:17 62196 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2010-05-28 20:59:56 17920 ----a-w- c:\documents and settings\user\KWDCACHE.DAT
2010-05-28 14:45:29 3584 -c--a-w- c:\documents and settings\user\netcache.dat
2010-05-06 22:17:51 3072 ----a-w- c:\documents and settings\user\cdcache.dat
2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 22:10:56.39 ===============