centaur63
2008-12-09, 15:29
I keep getting a bunch of popups and spybot has removed this file everytime but it keeps coming back. Here is my HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:19:03, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070119 (http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070119)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169841472468
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mdcip.webex.com/client/T25L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = masterdatacenter.com
O17 - HKLM\Software\..\Telephony: DomainName = masterdatacenter.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = masterdatacenter.com
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 6703 bytes
If there is any more information you need please let me know.
ComboFix 08-12-07.01 - Margaret 2008-12-09 9:53:45.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1750 [GMT -5:00]
Running from: c:\documents and settings\Margaret\Desktop\combofix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\temp\tn3
c:\windows\system32\drivers\core.cache.dsk
.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.
2008-12-08 13:41 . 2008-12-08 14:50 3,156 --a------ c:\windows\system32\tmp.reg
2008-12-08 13:29 . 2008-12-09 09:40 <DIR> d-------- c:\program files\Yahoo!
2008-12-08 13:29 . 2008-12-08 13:29 <DIR> d-------- c:\program files\CCleaner
2008-12-08 13:02 . 2008-12-08 13:02 <DIR> d-------- C:\VundoFix Backups
2008-12-05 14:02 . 2008-12-05 14:02 <DIR> d-------- c:\windows\system32\log
2008-12-05 14:02 . 2008-07-09 12:42 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-05 14:02 . 2008-12-08 12:13 13,817 --a------ c:\windows\cfgall.ini
2008-12-05 13:01 . 2008-12-05 14:01 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 12:58 . 2008-12-05 13:56 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 09:09 . 2008-12-08 07:28 1,217 --a------ c:\windows\wininit.ini
2008-12-05 08:42 . 2008-12-05 09:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 08:42 . 2008-12-09 07:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 07:32 . 2008-12-05 07:32 <DIR> d-------- c:\program files\Windows Defender
2008-12-03 13:04 . 2008-12-03 13:04 139,264 --a------ c:\windows\avudebirita.dll
2008-11-28 12:58 . 2008-12-05 08:04 <DIR> d-------- c:\program files\Webtools
2008-11-27 09:57 . 2008-12-05 14:17 <DIR> d--hs---- c:\windows\TWFyZ2FyZXQ
2008-11-27 09:55 . 2008-12-08 08:23 <DIR> d-------- c:\windows\system32\oca
2008-11-27 09:55 . 2008-11-27 09:55 <DIR> d-------- c:\windows\system32\ns5
2008-11-27 09:55 . 2008-11-27 09:56 <DIR> d-------- c:\windows\system32\LN
2008-11-27 09:55 . 2008-12-05 14:55 <DIR> d-------- c:\windows\system32\jec
2008-11-27 09:55 . 2008-12-05 14:54 <DIR> d-------- c:\windows\system32\DEC
2008-11-27 09:55 . 2008-11-27 09:55 <DIR> d-------- c:\windows\system32\AI
2008-11-27 09:55 . 2008-11-27 09:55 86,272 --a------ c:\windows\system32\drivers\tdtcpp.sys
2008-11-27 09:52 . 2008-12-09 09:53 <DIR> d-------- C:\Temp
2008-11-26 19:03 . 2008-11-26 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
2008-11-26 18:59 . 2008-11-26 18:59 <DIR> d-------- c:\program files\Pando Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 14:40 --------- d-----w c:\documents and settings\Margaret\Application Data\Move Networks
2008-12-05 18:55 --------- d-----w c:\program files\Google
2008-11-27 00:28 --------- d-----w c:\documents and settings\Margaret\Application Data\U3
2008-11-24 17:09 --------- d-----w c:\program files\IPMaster
2008-11-13 19:03 --------- d-----w c:\documents and settings\Margaret\Application Data\webex
2008-10-24 15:15 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-10-24 15:15 249,856 ------w c:\windows\Setup1.exe
2008-10-24 14:47 --------- d-----w c:\program files\IPSynch
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-02-04 16:21 56,912 ----a-w c:\documents and settings\Margaret\g2mdlhlpx.exe
2007-02-01 18:11 28,672 ----a-w c:\documents and settings\Margaret\atwbxdet.dll
.
((((((((((((((((((((((((((((( snapshot_2008-12-09_ 6.59.02.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-09 11:54:50 262,568 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-09 14:50:09 262,571 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\progra~1\DELLSU~1\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-20 169984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-12-07 258118]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-07-09 709928]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-01-20 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-01-30 192512]
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-09-07 135680]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-05-23 81920]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\svr-dc2\installs$\ScreenSaver\ss.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\svr-dc2\installs$\Rating\rat.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 17:45 118784 c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\cmd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58478:TCP"= 58478:TCP:Pando Media Booster
"58478:UDP"= 58478:UDP:Pando Media Booster
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S1 tdtcpp;tdtcpp;c:\windows\system32\drivers\tdtcpp.sys [2008-11-27 86272]
S2 MSSEARCH;Microsoft Search;"c:\program files\Common Files\System\MSSearch\Bin\mssearch.exe" [2007-05-23 69632]
S2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2008-07-09 205328]
S2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2008-07-09 36368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-12 24652]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\DRIVERS\epusbsto.sys [2008-09-07 17976]
S3 GTKCMOS;GTKCMOS;\??\c:\windows\system32\GTKCMOS.sys [2004-06-15 7882]
S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\DRIVERS\semwl5.sys [2005-01-02 368896]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\DRIVERS\GCXX.sys [2005-01-02 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\DRIVERS\GCXXNet.sys [2005-01-02 53248]
S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\DRIVERS\GCXXSC.sys [2004-12-21 21888]
S3 TmProxy;OfficeScan NT Proxy Service;"c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe" [2008-07-09 652552]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02838618-bbfa-11dd-a591-00188bad8db1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a46a7402-0afb-11dc-a2ef-00197d5575e0}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 10:00:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(296)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2008-12-09 10:03:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 15:03:55
ComboFix2.txt 2008-12-09 14:49:24
ComboFix3.txt 2008-12-09 11:59:34
ComboFix4.txt 2008-12-08 19:02:35
Pre-Run: 56,286,707,712 bytes free
Post-Run: 56,274,698,240 bytes free
158 --- E O F --- 2008-12-08 19:03:50
-------------------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:19:03, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070119 (http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070119)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169841472468
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mdcip.webex.com/client/T25L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = masterdatacenter.com
O17 - HKLM\Software\..\Telephony: DomainName = masterdatacenter.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = masterdatacenter.com
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 6703 bytes
If there is any more information you need please let me know.
ComboFix 08-12-07.01 - Margaret 2008-12-09 9:53:45.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1750 [GMT -5:00]
Running from: c:\documents and settings\Margaret\Desktop\combofix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\temp\tn3
c:\windows\system32\drivers\core.cache.dsk
.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.
2008-12-08 13:41 . 2008-12-08 14:50 3,156 --a------ c:\windows\system32\tmp.reg
2008-12-08 13:29 . 2008-12-09 09:40 <DIR> d-------- c:\program files\Yahoo!
2008-12-08 13:29 . 2008-12-08 13:29 <DIR> d-------- c:\program files\CCleaner
2008-12-08 13:02 . 2008-12-08 13:02 <DIR> d-------- C:\VundoFix Backups
2008-12-05 14:02 . 2008-12-05 14:02 <DIR> d-------- c:\windows\system32\log
2008-12-05 14:02 . 2008-07-09 12:42 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-05 14:02 . 2008-12-08 12:13 13,817 --a------ c:\windows\cfgall.ini
2008-12-05 13:01 . 2008-12-05 14:01 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 12:58 . 2008-12-05 13:56 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 09:09 . 2008-12-08 07:28 1,217 --a------ c:\windows\wininit.ini
2008-12-05 08:42 . 2008-12-05 09:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 08:42 . 2008-12-09 07:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 07:32 . 2008-12-05 07:32 <DIR> d-------- c:\program files\Windows Defender
2008-12-03 13:04 . 2008-12-03 13:04 139,264 --a------ c:\windows\avudebirita.dll
2008-11-28 12:58 . 2008-12-05 08:04 <DIR> d-------- c:\program files\Webtools
2008-11-27 09:57 . 2008-12-05 14:17 <DIR> d--hs---- c:\windows\TWFyZ2FyZXQ
2008-11-27 09:55 . 2008-12-08 08:23 <DIR> d-------- c:\windows\system32\oca
2008-11-27 09:55 . 2008-11-27 09:55 <DIR> d-------- c:\windows\system32\ns5
2008-11-27 09:55 . 2008-11-27 09:56 <DIR> d-------- c:\windows\system32\LN
2008-11-27 09:55 . 2008-12-05 14:55 <DIR> d-------- c:\windows\system32\jec
2008-11-27 09:55 . 2008-12-05 14:54 <DIR> d-------- c:\windows\system32\DEC
2008-11-27 09:55 . 2008-11-27 09:55 <DIR> d-------- c:\windows\system32\AI
2008-11-27 09:55 . 2008-11-27 09:55 86,272 --a------ c:\windows\system32\drivers\tdtcpp.sys
2008-11-27 09:52 . 2008-12-09 09:53 <DIR> d-------- C:\Temp
2008-11-26 19:03 . 2008-11-26 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
2008-11-26 18:59 . 2008-11-26 18:59 <DIR> d-------- c:\program files\Pando Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 14:40 --------- d-----w c:\documents and settings\Margaret\Application Data\Move Networks
2008-12-05 18:55 --------- d-----w c:\program files\Google
2008-11-27 00:28 --------- d-----w c:\documents and settings\Margaret\Application Data\U3
2008-11-24 17:09 --------- d-----w c:\program files\IPMaster
2008-11-13 19:03 --------- d-----w c:\documents and settings\Margaret\Application Data\webex
2008-10-24 15:15 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-10-24 15:15 249,856 ------w c:\windows\Setup1.exe
2008-10-24 14:47 --------- d-----w c:\program files\IPSynch
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-02-04 16:21 56,912 ----a-w c:\documents and settings\Margaret\g2mdlhlpx.exe
2007-02-01 18:11 28,672 ----a-w c:\documents and settings\Margaret\atwbxdet.dll
.
((((((((((((((((((((((((((((( snapshot_2008-12-09_ 6.59.02.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-09 11:54:50 262,568 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-09 14:50:09 262,571 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\progra~1\DELLSU~1\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-20 169984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-12-07 258118]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-07-09 709928]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-01-20 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-01-30 192512]
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-09-07 135680]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-05-23 81920]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\svr-dc2\installs$\ScreenSaver\ss.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\svr-dc2\installs$\Rating\rat.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 17:45 118784 c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\cmd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58478:TCP"= 58478:TCP:Pando Media Booster
"58478:UDP"= 58478:UDP:Pando Media Booster
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S1 tdtcpp;tdtcpp;c:\windows\system32\drivers\tdtcpp.sys [2008-11-27 86272]
S2 MSSEARCH;Microsoft Search;"c:\program files\Common Files\System\MSSearch\Bin\mssearch.exe" [2007-05-23 69632]
S2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2008-07-09 205328]
S2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2008-07-09 36368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-12 24652]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\DRIVERS\epusbsto.sys [2008-09-07 17976]
S3 GTKCMOS;GTKCMOS;\??\c:\windows\system32\GTKCMOS.sys [2004-06-15 7882]
S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\DRIVERS\semwl5.sys [2005-01-02 368896]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\DRIVERS\GCXX.sys [2005-01-02 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\DRIVERS\GCXXNet.sys [2005-01-02 53248]
S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\DRIVERS\GCXXSC.sys [2004-12-21 21888]
S3 TmProxy;OfficeScan NT Proxy Service;"c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe" [2008-07-09 652552]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02838618-bbfa-11dd-a591-00188bad8db1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a46a7402-0afb-11dc-a2ef-00197d5575e0}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 10:00:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(296)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2008-12-09 10:03:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 15:03:55
ComboFix2.txt 2008-12-09 14:49:24
ComboFix3.txt 2008-12-09 11:59:34
ComboFix4.txt 2008-12-08 19:02:35
Pre-Run: 56,286,707,712 bytes free
Post-Run: 56,274,698,240 bytes free
158 --- E O F --- 2008-12-08 19:03:50
-------------------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)