View Full Version : Search engine hijack, tdss* trojan?
lh017640
2009-02-28, 22:30
My father-in-law (ANgus Maciver) appeared to have acquired a search engine hijack trojan. No matter what we did we could not get rid of it. It denied us from loading Spybot S&D and accessing other anti-virus web sites and forums.
I originaly made a post which was closed as I didn't have the information in time to respond, and I'm not sure how to link to the orignal post in the archive.
We have been able to load a trial version of Steganos Internet Security 2009.
However when we started to run steganos, the progam said it was scanning but no files were shown to be scanned then the components that make up Steganos shut down and then restarted, and it then completes it's scan.
Stegaos identifies a trojan TDssmhxt.sys and other associated files if offers to delete which we do, however in order to take effect the system must reboot and they came back.
I created a Hijack this log see below on the 6th Feb 09. Following discussion wit IT guy's at work I ran combofix but prior to that I uninstalled Steganos (recommended by Steganos re the shutting down and restarting) however for some reason Steganos was not fully uninstalled as combofix recognised a remanant and we had to run it stating an AV program was present which we know it wasn't. The combofix log of the is the next log file. This appears to have got rid of the TDSS issue but not convinced the computer is clean. The last file is another Hijackthis log taken tonight 28th Feb
I would be grateful if someone could provide some advice.
Regards
Gordon
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33:53, on 06/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Steganos\INTERN~1\avgfws8.exe
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Steganos\INTERN~1\avgtray.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dldncoms.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Steganos\Internet Security 2009\avgui.exe
C:\Program Files\Steganos\Internet Security 2009\avgscanx.exe
C:\PROGRA~1\Steganos\INTERN~1\avgwdsvc.exe
C:\PROGRA~1\Steganos\INTERN~1\avgam.exe
C:\PROGRA~1\Steganos\INTERN~1\avgrsx.exe
C:\PROGRA~1\Steganos\INTERN~1\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Steganos\Internet Security 2009\avgupd.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Steganos.Pwm.BHO - {23162633-071E-4D3C-B347-B85451A92DBA} - C:\Program Files\Steganos Password Manager 2009\PwmBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Steganos\INTERN~1\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Steganos I.S. WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\INTERN~1\avgwdsvc.exe
O23 - Service: Steganos I.S. Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\INTERN~1\avgfws8.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 7923 bytes
ComboFix 09-02-24.02 - Angus Maciver 2009-02-25 20:01:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.68 [GMT 0:00]
Running from: c:\documents and settings\Angus Maciver\My Documents\Downloads\ComboFix.exe
AV: Steganos Internet Security *On-access scanning enabled* (Updated)
FW: Steganos Firewall *enabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
[i] ADS - svchost.exe: deleted 88 bytes in 2 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Angus Maciver\Desktop\System Security.lnk
c:\documents and settings\Angus Maciver\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Angus Maciver\Start Menu\Programs\System Security
c:\documents and settings\Angus Maciver\Start Menu\Programs\System Security\System Security.lnk
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
c:\program files\Microsoft Common
C:\start.bat
c:\windows\system32\bbadffeccaf.dll
c:\windows\system32\Drivers\TDSSmhxt.sys
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\DESKTOP.INI
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\LSSupCtl.dll
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\LSSupCtl.inf
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\sdclicense.txt
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\SymAData.dll
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\tgctlsi.inf
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\tgctlsr.inf
c:\windows\system32\mdm.exe
c:\windows\system32\reg_0001.txt
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_GbpSv
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.
2009-02-24 14:45 . 2009-02-25 19:45 <DIR> d-------- c:\program files\Enigma Software Group
2009-02-24 14:20 . 2009-02-25 19:53 200,208 --a------ c:\windows\SYSTEM32\vumer.dll
2009-02-24 00:32 . 2009-02-24 00:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\771946947
2009-02-12 20:25 . 2009-02-12 20:32 <DIR> d-------- C:\test
2009-02-08 20:31 . 2009-02-08 20:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-02-08 19:33 . 2009-02-08 19:36 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-08 19:27 . 2009-02-12 20:35 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\U3
2009-02-06 17:32 . 2009-02-06 17:32 <DIR> d-------- c:\program files\Trend Micro
2009-02-06 16:58 . 2009-02-11 16:36 107,272 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-02-06 16:58 . 2009-02-11 16:36 12,552 --a------ c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys
2009-02-06 16:58 . 2009-02-11 16:36 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-02-06 16:57 . 2009-02-25 16:16 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-02-06 16:57 . 2009-02-11 16:36 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-02-06 16:56 . 2009-02-06 16:56 50,968 --a------ c:\windows\SYSTEM32\avgfwdx.dll
2009-02-06 16:56 . 2009-02-06 16:56 29,208 --a------ c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys
2009-02-05 18:29 . 2009-02-05 18:29 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\Steganos
2009-02-05 18:28 . 2009-02-05 18:28 <DIR> d-------- c:\program files\Steganos Password Manager 2009
2009-01-30 16:26 . 2009-02-08 20:06 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-29 23:51 . 2009-01-29 23:51 <DIR> d-------- c:\program files\Steganos
2009-01-29 23:51 . 2009-02-11 16:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-28 20:28 . 2009-01-28 20:42 <DIR> d---s---- c:\windows\Downloaded Program Files
2009-01-28 19:44 . 2004-11-16 13:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-01-28 19:44 . 2004-11-16 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-28 19:44 . 2004-11-16 12:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-28 19:44 . 2009-02-05 16:42 <DIR> d-------- c:\documents and settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 19:03 --------- d-----w c:\documents and settings\Angus Maciver\Application Data\MailWasherPro
2009-02-24 14:07 2,383 ----a-w c:\windows\SYSTEM32\TDSSfpmp.dll
2009-02-05 16:12 --------- d-----w c:\program files\Java
2009-01-28 20:26 --------- d-----w c:\program files\Yahoo!
2009-01-16 21:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-31 17:16 --------- d-----w c:\program files\CCleaner
2008-12-19 09:10 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-12-12 11:55 410,984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-12-03 16:54 7,753,415 ----a-w c:\windows\Internet Logs\tvDebug.zip
2007-02-07 18:14 92,064 ----a-w c:\documents and settings\Angus Maciver\mqdmmdm.sys
2007-02-07 18:14 9,232 ----a-w c:\documents and settings\Angus Maciver\mqdmmdfl.sys
2007-02-07 18:14 79,328 ----a-w c:\documents and settings\Angus Maciver\mqdmserd.sys
2007-02-07 18:14 66,656 ----a-w c:\documents and settings\Angus Maciver\mqdmbus.sys
2007-02-07 18:14 6,208 ----a-w c:\documents and settings\Angus Maciver\mqdmcmnt.sys
2007-02-07 18:14 5,936 ----a-w c:\documents and settings\Angus Maciver\mqdmwhnt.sys
2007-02-07 18:14 4,048 ----a-w c:\documents and settings\Angus Maciver\mqdmcr.sys
2007-02-07 18:14 25,600 ----a-w c:\documents and settings\Angus Maciver\usbsermptxp.sys
2007-02-07 18:14 22,768 ----a-w c:\documents and settings\Angus Maciver\usbsermpt.sys
2008-08-26 11:38 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-09 2356088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-16 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"AVG8_TRAY"="c:\progra~1\Steganos\INTERN~1\avgtray.exe" [2009-02-11 1610520]
"468005841"="c:\documents and settings\All Users\Application Data\771946947\468005841.exe" [2009-02-24 1197607]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-11 16:36 10520 c:\windows\SYSTEM32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dldncoms.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnpswx.exe"=
"c:\\Program Files\\Dell V105\\dldnmon.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldntime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnjswx.exe"=
"c:\\Program Files\\Dell V105\\dldnlscn.exe"=
"c:\\Program Files\\Steganos\\Internet Security 2009\\avgam.exe"=
"c:\\Program Files\\Steganos\\Internet Security 2009\\avgupd.exe"=
"c:\\Program Files\\Steganos\\Internet Security 2009\\avgnsx.exe"=
R2 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe [2008-03-04 99568]
R2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\system32\drivers\zpmodemnt.sys [2006-01-15 1792]
R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-02-06 29208]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-02-11 12552]
S1 AvgLdx86;Steganos I.S. AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-11 325128]
S1 AvgTdiX;Steganos I.S. Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-11 107272]
S2 avg8wd;Steganos I.S. WatchDog;c:\progra~1\Steganos\INTERN~1\avgwdsvc.exe [2009-02-11 298264]
S2 avgfws8;Steganos I.S. Firewall;c:\progra~1\Steganos\INTERN~1\avgfws8.exe [2009-02-11 1339600]
S2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe [2008-03-04 595184]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-02-06 29208]
--- Other Services/Drivers In Memory ---
*Deregistered* - abp480n5
*Deregistered* - adpu160m
*Deregistered* - AFD
*Deregistered* - agp440
*Deregistered* - agpCPQ
*Deregistered* - Aha154x
*Deregistered* - aic78u2
*Deregistered* - aic78xx
*Deregistered* - ALG
*Deregistered* - AliIde
*Deregistered* - alim1541
*Deregistered* - amdagp
*Deregistered* - amsint
*Deregistered* - asc
*Deregistered* - asc3350p
*Deregistered* - asc3550
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8wd
*Deregistered* - Avgfwdx
*Deregistered* - avgfws8
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - cbidf
*Deregistered* - cd20xrnt
*Deregistered* - Cdfs
*Deregistered* - CmdIde
*Deregistered* - Cpqarray
*Deregistered* - CryptSvc
*Deregistered* - dac2w2k
*Deregistered* - dac960nt
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dldn_device
*Deregistered* - Dnscache
*Deregistered* - dpti2o
*Deregistered* - drvnddm
*Deregistered* - eeCtrl
*Deregistered* - EPSONStatusAgent2
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - hpn
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - i2omp
*Deregistered* - ImapiService
*Deregistered* - ini910u
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - mraid35x
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - perc2
*Deregistered* - perc2hib
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - ql1080
*Deregistered* - Ql10wnt
*Deregistered* - ql12160
*Deregistered* - ql1240
*Deregistered* - ql1280
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - sisagp
*Deregistered* - Sparrow
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - sym_hi
*Deregistered* - sym_u3
*Deregistered* - symc810
*Deregistered* - symc8xx
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - TosIde
*Deregistered* - TrkWks
*Deregistered* - ultra
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - viaagp
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
.
------- Supplementary Scan -------
.
uStart Page = www.blueyonder.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 20:12:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\Steganos\INTERN~1\avgam.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Steganos\Internet Security 2009\avgrsx.exe
c:\progra~1\Steganos\INTERN~1\avgnsx.exe
c:\program files\Dell V105\dldnmsdmon.exe
.
**************************************************************************
.
Completion time: 2009-02-25 20:22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 20:22:33
Pre-Run: 20,999,368,704 bytes free
Post-Run: 20,922,576,896 bytes free
368 --- E O F --- 2009-02-12 22:22:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:53, on 28/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Steganos\INTERN~1\avgwdsvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Steganos\INTERN~1\avgfws8.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell V105\dldnmon.exe
C:\WINDOWS\system32\dldncoms.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe
C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe
C:\PROGRA~1\Steganos\INTERN~1\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Steganos\INTERN~1\avgam.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Steganos\INTERN~1\avgrsx.exe
C:\PROGRA~1\Steganos\INTERN~1\avgnsx.exe
C:\Program Files\Steganos\Internet Security 2009\avgcsrvx.exe
C:\WINDOWS\system32\SatSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Steganos\Internet Security 2009\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Steganos Password Manager AutoFill - {1427A821-7B93-4F08-9A34-9FA03A3D93DB} - C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerBHO.dll
O2 - BHO: Steganos.Pwm.BHO - {23162633-071E-4D3C-B347-B85451A92DBA} - C:\Program Files\Steganos Password Manager 2009\PwmBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSS2008 PasswordManagerFFAutoFill] "C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe"
O4 - HKLM\..\Run: [SSS2008 HotKeys] "C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [SSS2008 File Redirection Starter] "C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Steganos\INTERN~1\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Steganos I.S. WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\INTERN~1\avgwdsvc.exe
O23 - Service: Steganos I.S. Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\INTERN~1\avgfws8.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Steganos AntiTheft (SatSrv) - Unknown owner - C:\WINDOWS\system32\\SatSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8846 bytes
Hi Gordon,
There was also a password stealing trojan there. It's strongly recommended to change all online used passwords using other clean system to change those.
Upload following file to http://www.virustotal.com and post back the results:
c:\documents and settings\All Users\Application Data\771946947\468005841.exe
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
Close browsers and fix checked.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader!
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\SYSTEM32\vumer.dll
c:\windows\SYSTEM32\TDSSfpmp.dll
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
lh017640
2009-03-01, 21:50
Dear Blade81
Many thanks for the reply, it'll be Tuesday before I'm back at my father-in-laws to carry out the above.
Regards
Gordon:)
Ok. Thanks for the heads up :)
lh017640
2009-03-04, 02:23
Dear Blade81
Ok went to do item 1 and upload file 468005841.exe but it was no longer on the PC ?
I could not download the ATF-cleaner, IE kept crashing?
My father-in-law has loaded Steganos Internet Security 2009 and it's not obvious how to disable it. Combofix would give the warning message even after I'd stopped all (or so I thought ) the processes in task manager.
Here is the Combofix log, HJT Log and the Kaspersky scan report
Regards
Gordon
ComboFix 09-03-02.03 - Angus Maciver 2009-03-03 18:26:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.75 [GMT 0:00]
Running from: c:\documents and settings\Angus Maciver\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Angus Maciver\Desktop\CFScript.txt
AV: Steganos Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\SYSTEM32\TDSSfpmp.dll
c:\windows\SYSTEM32\vumer.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\SYSTEM32\TDSSfpmp.dll
c:\windows\SYSTEM32\vumer.dll
.
((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.
2009-02-25 22:21 . 2009-03-03 12:46 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-02-25 22:21 . 2009-02-25 22:21 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-02-25 22:21 . 2009-02-25 22:21 107,272 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-02-25 22:21 . 2009-02-25 22:21 12,552 --a------ c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys
2009-02-25 22:21 . 2009-02-25 22:21 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-02-25 22:03 . 2009-02-25 22:04 <DIR> d-------- c:\program files\Steganos Privacy Suite 2008
2009-02-25 21:01 . 2009-02-25 21:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-25 21:01 . 2009-03-03 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-24 00:32 . 2009-03-02 16:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\771946947
2009-02-12 20:25 . 2009-02-12 20:32 <DIR> d-------- C:\test
2009-02-08 20:31 . 2009-02-08 20:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-02-08 19:33 . 2009-02-08 19:36 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-08 19:27 . 2009-02-12 20:35 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\U3
2009-02-06 17:32 . 2009-02-06 17:32 <DIR> d-------- c:\program files\Trend Micro
2009-02-05 18:29 . 2009-02-05 18:29 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\Steganos
2009-02-05 18:28 . 2009-02-05 18:28 <DIR> d-------- c:\program files\Steganos Password Manager 2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 18:09 --------- d-----w c:\program files\Common Files\Adobe
2009-03-03 16:53 --------- d-----w c:\documents and settings\Angus Maciver\Application Data\MailWasherPro
2009-02-28 20:48 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-28 20:45 --------- d-----w c:\program files\Steganos
2009-02-05 16:12 --------- d-----w c:\program files\Java
2009-01-28 20:26 --------- d-----w c:\program files\Yahoo!
2007-02-07 18:14 92,064 ----a-w c:\documents and settings\Angus Maciver\mqdmmdm.sys
2007-02-07 18:14 9,232 ----a-w c:\documents and settings\Angus Maciver\mqdmmdfl.sys
2007-02-07 18:14 79,328 ----a-w c:\documents and settings\Angus Maciver\mqdmserd.sys
2007-02-07 18:14 66,656 ----a-w c:\documents and settings\Angus Maciver\mqdmbus.sys
2007-02-07 18:14 6,208 ----a-w c:\documents and settings\Angus Maciver\mqdmcmnt.sys
2007-02-07 18:14 5,936 ----a-w c:\documents and settings\Angus Maciver\mqdmwhnt.sys
2007-02-07 18:14 4,048 ----a-w c:\documents and settings\Angus Maciver\mqdmcr.sys
2007-02-07 18:14 25,600 ----a-w c:\documents and settings\Angus Maciver\usbsermptxp.sys
2007-02-07 18:14 22,768 ----a-w c:\documents and settings\Angus Maciver\usbsermpt.sys
2008-08-26 11:38 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-02-25_20.20.31.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-11 10:24:00 85,952 ----a-w c:\windows\sleen1664.sys
+ 2008-06-17 19:02:19 8,461,312 ------w c:\windows\SYSTEM32\DLLCACHE\shell32.dll
- 2009-02-11 16:36:47 27,656 ----a-w c:\windows\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2009-02-25 22:21:36 27,656 ----a-w c:\windows\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2007-10-11 10:24:00 79,104 ----a-w c:\windows\SYSTEM32\DRIVERS\sleen16.sys
+ 2006-12-05 08:27:04 184,320 ----a-w c:\windows\SYSTEM32\SatSrv.exe
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\SYSTEM32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\SYSTEM32\shell32.dll
+ 2009-03-03 17:44:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_398.dat
+ 2009-03-03 17:45:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_540.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-16 98304]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"SSS2008 PasswordManagerFFAutoFill"="c:\program files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe" [2008-09-11 21504]
"SSS2008 HotKeys"="c:\program files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe" [2008-09-11 25088]
"SSS2008 File Redirection Starter"="c:\program files\Steganos Privacy Suite 2008\fredirstarter.exe" [2008-09-11 57344]
"AVG8_TRAY"="c:\progra~1\Steganos\ANTIVI~1\avgtray.exe" [2009-02-28 1610520]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-25 22:21 10520 c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 01:05 122939 c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dldncoms.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnpswx.exe"=
"c:\\Program Files\\Dell V105\\dldnmon.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldntime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnjswx.exe"=
"c:\\Program Files\\Dell V105\\dldnlscn.exe"=
"c:\\Program Files\\Steganos\\Anti Virus 2009\\avgam.exe"=
"c:\\Program Files\\Steganos\\Anti Virus 2009\\avgupd.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2009-02-25 12552]
R1 AvgLdx86;Steganos I.S. AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-02-25 325128]
R1 AvgTdiX;Steganos I.S. Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-02-25 107272]
R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\SYSTEM32\DRIVERS\sleen16.sys [2007-10-11 10:24:00 79104]
R2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe -service --> c:\windows\system32\dldncoms.exe -service [?]
R2 SatSrv;Steganos AntiTheft;c:\windows\SYSTEM32\SatSrv.exe [2006-12-05 184320]
S2 avg8wd;Steganos A.V. WatchDog;c:\progra~1\Steganos\ANTIVI~1\avgwdsvc.exe [2009-02-28 298264]
S2 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\dldnserv.exe [2008-03-04 99568]
S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\SYSTEM32\DRIVERS\zpmodemnt.sys [2006-01-15 1792]
.
.
------- Supplementary Scan -------
.
uStart Page = www.blueyonder.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 18:28:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-03-03 18:32:34
ComboFix-quarantined-files.txt 2009-03-03 18:32:29
ComboFix2.txt 2009-02-25 20:22:52
Pre-Run: 20,536,500,224 bytes free
Post-Run: 20,523,737,088 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
166 --- E O F --- 2009-02-25 23:46:52
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11:44, on 04/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Steganos\ANTIVI~1\avgwdsvc.exe
C:\WINDOWS\system32\dldncoms.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgam.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgrsx.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgnsx.exe
C:\Program Files\Steganos\Anti Virus 2009\avgcsrvx.exe
C:\WINDOWS\system32\SatSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe
C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe
C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Steganos Password Manager AutoFill - {1427A821-7B93-4F08-9A34-9FA03A3D93DB} - C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerBHO.dll
O2 - BHO: Steganos.Pwm.BHO - {23162633-071E-4D3C-B347-B85451A92DBA} - C:\Program Files\Steganos Password Manager 2009\PwmBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSS2008 PasswordManagerFFAutoFill] "C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe"
O4 - HKLM\..\Run: [SSS2008 HotKeys] "C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [SSS2008 File Redirection Starter] "C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Steganos\ANTIVI~1\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Steganos A.V. WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\ANTIVI~1\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Steganos AntiTheft (SatSrv) - Unknown owner - C:\WINDOWS\system32\\SatSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 7774 bytes
Tuesday, March 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 03, 2009 18:48:11
Records in database: 1865985
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 57587
Threat name 20
Infected objects 56
Suspicious objects 0
Duration of the scan 02:56:28
File name Threat name Threats count
C:\autoexec.bat Infected: Trojan.BAT.KillFiles.gb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05D91B33.tmp Infected: Trojan.Java.ClassLoader.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AE145AD.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0DE96E42.exe Infected: Backdoor.Win32.Agent.rw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\19564AE1.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D134249.exe Infected: Trojan.Win32.DNSChanger.de 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D592788.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\211F513A.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27AD16C9.tmp Infected: Trojan.Java.ClassLoader.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27B140C5.tmp Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EC441E8.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EF01E61.zip Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EF01E61.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2F05290C.exe Infected: Trojan-Downloader.Win32.Agent.uj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\341663AA.exe Infected: Trojan.Win32.Qhost.df 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\351C028A.exe Infected: not-a-virus:AdWare.Win32.FindSpy.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\351F2C87.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\35927C7F.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36BC68E1.exe Infected: not-a-virus:Porn-Dialer.Win32.GBDialer.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36D0587C.zip Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36D0587C.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36F10CAC.zip Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36F10CAC.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\374A34F2.dll Infected: not-a-virus:AdWare.Win32.SBSoft.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39247CE9.exe Infected: Backdoor.Win32.Agent.rw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A4D2E8E.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3B2E14EE.exe Infected: Trojan-Downloader.Win32.Agent.uj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3B365E8C.zip Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3B365E8C.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D267200.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42E711B4.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42F34160.exe Infected: Trojan.Win32.Small.fb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\458A2548.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B2762E6.def Infected: not-a-virus:Porn-Dialer.Win32.GBDialer.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50121BE9.sys Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57824634.exe Infected: Trojan.Win32.Small.fb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\582748B0.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5978007E.tmp Infected: Trojan-Downloader.Win32.Botol.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CCF0106.exe Infected: Backdoor.Win32.Agent.rw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\604A54E7.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B9D0DDB.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6BC82DD5.tmp Infected: Trojan.Java.ClassLoader.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6DBE62BE.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6DC20CBA.tmp Infected: Trojan-Downloader.Java.OpenConnection.aj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F044B9F.tmp Infected: Trojan.Java.ClassLoader.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F285206.exe Infected: Trojan-Downloader.Win32.Agent.uj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72C52E1F.tmp Infected: Trojan.Java.ClassLoader.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77A6522C.dll Infected: not-a-virus:AdWare.Win32.SBSoft.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\785C6111.tmp Infected: Trojan.Java.ClassLoader.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79BF5BB9.jpg Infected: Trojan-Downloader.Win32.Small.cnh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7ED43FA9.exe Infected: Trojan.Win32.Favadd.an 1
C:\Qoobox\Quarantine\C\start.bat.vir Infected: Trojan.BAT.KillFiles.gh 1
The selected area was scanned.
Hi
Creating & executing batch file
-------------------------------
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
notepad C:\autoexec.bat
Double-click on fixes.bat file to execute it. Notepad should open up with contents of c:\autoexec.bat file. Please post back contents of it.
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Delete items in C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine folder.
Open notepad and copy/paste the text in the quotebox below into it:
DirLook::
c:\documents and settings\All Users\Application Data\771946947
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
lh017640
2009-03-06, 19:45
Hi Blade81
Here is the contents of fixes.bat
@echo off
del c:\windows\downlo~1\gb*.*
del c:\windows\downlo~1\*.g??
del c:\windows\downlo~1\g*.*
del c:\arquiv~1\GbPlugin\g*.*
All the files in the Quarantine folder have been removed. Should we get rid of all the Norton remnants?
Here is the Combofix log
ComboFix 09-03-04.01 - Angus Maciver 2009-03-06 17:13:22.3 - NTFSx86
Running from: c:\documents and settings\Angus Maciver\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Angus Maciver\Desktop\CFScript.txt
AV: Steganos Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.
2009-03-05 18:53 . 2009-03-05 18:53 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-04 01:13 . 2009-03-04 01:13 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\Yahoo!
2009-03-04 01:13 . 2009-03-04 01:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-25 22:21 . 2009-03-06 16:46 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-02-25 22:21 . 2009-02-25 22:21 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-02-25 22:21 . 2009-02-25 22:21 107,272 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-02-25 22:21 . 2009-02-25 22:21 12,552 --a------ c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys
2009-02-25 22:21 . 2009-02-25 22:21 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-02-25 22:03 . 2009-02-25 22:04 <DIR> d-------- c:\program files\Steganos Privacy Suite 2008
2009-02-25 21:01 . 2009-02-25 21:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-25 21:01 . 2009-03-04 01:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-24 00:32 . 2009-03-02 16:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\771946947
2009-02-12 20:25 . 2009-02-12 20:32 <DIR> d-------- C:\test
2009-02-08 20:31 . 2009-02-08 20:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-02-08 19:33 . 2009-02-08 19:36 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-08 19:27 . 2009-02-12 20:35 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\U3
2009-02-06 17:32 . 2009-02-06 17:32 <DIR> d-------- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 00:10 --------- d-----w c:\documents and settings\Angus Maciver\Application Data\MailWasherPro
2009-03-05 18:50 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 20:48 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-28 20:45 --------- d-----w c:\program files\Steganos
2009-02-05 18:29 --------- d-----w c:\documents and settings\Angus Maciver\Application Data\Steganos
2009-02-05 18:28 --------- d-----w c:\program files\Steganos Password Manager 2009
2009-02-05 16:12 --------- d-----w c:\program files\Java
2009-01-28 20:26 --------- d-----w c:\program files\Yahoo!
2007-02-07 18:14 92,064 ----a-w c:\documents and settings\Angus Maciver\mqdmmdm.sys
2007-02-07 18:14 9,232 ----a-w c:\documents and settings\Angus Maciver\mqdmmdfl.sys
2007-02-07 18:14 79,328 ----a-w c:\documents and settings\Angus Maciver\mqdmserd.sys
2007-02-07 18:14 66,656 ----a-w c:\documents and settings\Angus Maciver\mqdmbus.sys
2007-02-07 18:14 6,208 ----a-w c:\documents and settings\Angus Maciver\mqdmcmnt.sys
2007-02-07 18:14 5,936 ----a-w c:\documents and settings\Angus Maciver\mqdmwhnt.sys
2007-02-07 18:14 4,048 ----a-w c:\documents and settings\Angus Maciver\mqdmcr.sys
2007-02-07 18:14 25,600 ----a-w c:\documents and settings\Angus Maciver\usbsermptxp.sys
2007-02-07 18:14 22,768 ----a-w c:\documents and settings\Angus Maciver\usbsermpt.sys
2008-08-26 11:38 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\771946947 ----
2009-02-25 22:35 96 --a------ c:\documents and settings\All Users\Application Data\771946947\config.udb
2009-02-24 00:32 241 --a------ c:\documents and settings\All Users\Application Data\771946947\init.udb
2009-02-24 00:32 12930 --a------ c:\documents and settings\All Users\Application Data\771946947\Langs.udb
((((((((((((((((((((((((((((( SnapShot@2009-02-25_20.20.31.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 15:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2007-10-11 10:24:00 85,952 ----a-w c:\windows\sleen1664.sys
+ 2008-06-17 19:02:19 8,461,312 ------w c:\windows\SYSTEM32\DLLCACHE\shell32.dll
- 2009-02-11 16:36:47 27,656 ----a-w c:\windows\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2009-02-25 22:21:36 27,656 ----a-w c:\windows\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2007-10-11 10:24:00 79,104 ----a-w c:\windows\SYSTEM32\DRIVERS\sleen16.sys
+ 2006-12-05 08:27:04 184,320 ----a-w c:\windows\SYSTEM32\SatSrv.exe
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\SYSTEM32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\SYSTEM32\shell32.dll
+ 2009-03-06 16:38:11 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_224.dat
+ 2009-03-06 16:38:23 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_33c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-16 98304]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"SSS2008 PasswordManagerFFAutoFill"="c:\program files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe" [2008-09-11 21504]
"SSS2008 HotKeys"="c:\program files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe" [2008-09-11 25088]
"SSS2008 File Redirection Starter"="c:\program files\Steganos Privacy Suite 2008\fredirstarter.exe" [2008-09-11 57344]
"AVG8_TRAY"="c:\progra~1\Steganos\ANTIVI~1\avgtray.exe" [2009-02-28 1610520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-25 22:21 10520 c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 01:05 122939 c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dldncoms.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnpswx.exe"=
"c:\\Program Files\\Dell V105\\dldnmon.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldntime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnjswx.exe"=
"c:\\Program Files\\Dell V105\\dldnlscn.exe"=
"c:\\Program Files\\Steganos\\Anti Virus 2009\\avgam.exe"=
"c:\\Program Files\\Steganos\\Anti Virus 2009\\avgupd.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2009-02-25 12552]
R1 AvgLdx86;Steganos I.S. AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-02-25 325128]
R1 AvgTdiX;Steganos I.S. Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-02-25 107272]
R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\SYSTEM32\DRIVERS\sleen16.sys [2007-10-11 10:24:00 79104]
S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\SYSTEM32\DRIVERS\zpmodemnt.sys [2006-01-15 1792]
--- Other Services/Drivers In Memory ---
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - avg8wd
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dldn_device
*Deregistered* - Dnscache
*Deregistered* - EPSONStatusAgent2
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SatSrv
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - w32time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
.
------- Supplementary Scan -------
.
uStart Page = www.blueyonder.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 17:21:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-03-06 17:28:02
ComboFix-quarantined-files.txt 2009-03-06 17:27:49
ComboFix2.txt 2009-03-03 18:32:37
ComboFix3.txt 2009-02-25 20:22:52
Pre-Run: 20,394,242,048 bytes free
Post-Run: 20,381,306,880 bytes free
206 --- E O F --- 2009-02-25 23:46:52
And here is the HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:35:37, on 06/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgwdsvc.exe
C:\WINDOWS\system32\dldncoms.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgam.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgrsx.exe
C:\WINDOWS\system32\SatSrv.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgnsx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe
C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe
C:\Program Files\Steganos\Anti Virus 2009\avgcsrvx.exe
C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Steganos\Anti Virus 2009\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Steganos Password Manager AutoFill - {1427A821-7B93-4F08-9A34-9FA03A3D93DB} - C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Steganos.Pwm.BHO - {23162633-071E-4D3C-B347-B85451A92DBA} - C:\Program Files\Steganos Password Manager 2009\PwmBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSS2008 PasswordManagerFFAutoFill] "C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe"
O4 - HKLM\..\Run: [SSS2008 HotKeys] "C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [SSS2008 File Redirection Starter] "C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Steganos\ANTIVI~1\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Steganos A.V. WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\ANTIVI~1\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Steganos AntiTheft (SatSrv) - Unknown owner - C:\WINDOWS\system32\\SatSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8887 bytes
The system is very slow, it takes a good 15~20mins to boot up all the processes
We also get a runtime error on IE with the message asking if we wish to debug, Line 1 error: syntax error. this pops up everytime you move from one web page to the next.
Regards
Gordon
Hi again,
Open c:\autoexec.bat in notepad, empty its contents and save.
Should we get rid of all the Norton remnants?
Yes, following instructions should take care of that too :)
The system is very slow, it takes a good 15~20mins to boot up all the processes
We also get a runtime error on IE with the message asking if we wish to debug, Line 1 error: syntax error. this pops up everytime you move from one web page to the next.
Were these symptoms present before instructions were given or did they appear during the process?
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
Close browsers and fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
CLTNetCnService
"Symantec Core LC"
Folder::
c:\documents and settings\All Users\Application Data\771946947
C:\Program Files\Common Files\Symantec Shared
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
lh017640
2009-03-10, 19:20
Hi Blade81
Firstly I missed the first step to clear the autoexec.bat file before doing everthing else, so whats been done has been sort of in the reverse order.
The IE runtime error was present before we started doning this clean-up.
The teatimer appears to be persistent, even after unchecking the boxes it reappears on reboot in the sys tray and on the process list and have then close these down.
Found and fixed the the registry line R0...........
Here is the Combofix log file
ComboFix 09-03-06.02 - Angus Maciver 2009-03-10 16:36:25.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.76 [GMT 0:00]
Running from: c:\documents and settings\Angus Maciver\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Angus Maciver\Desktop\CFScript 10-09.txt
AV: Steganos Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\771946947
c:\documents and settings\All Users\Application Data\771946947\config.udb
c:\documents and settings\All Users\Application Data\771946947\init.udb
c:\documents and settings\All Users\Application Data\771946947\Langs.udb
c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\CCPD-LC\ez_log.htm
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcnet.dll
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlctnk.dll
c:\program files\Common Files\Symantec Shared\COH\coh.cache
c:\program files\Common Files\Symantec Shared\COH\COH32.exe
c:\program files\Common Files\Symantec Shared\COH\COH64.exe
c:\program files\Common Files\Symantec Shared\COH\COHClean.dll
c:\program files\Common Files\Symantec Shared\COH\EraserAHS.log
c:\program files\Common Files\Symantec Shared\COH\EraserAHS.tlg
c:\program files\Common Files\Symantec Shared\COH\sH0000.dll
c:\program files\Common Files\Symantec Shared\DecABI\decB36.tmp
c:\program files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\DRMLFC.exe
c:\program files\Common Files\Symantec Shared\SPManifests\eraser.grd
c:\program files\Common Files\Symantec Shared\SPManifests\eraser.sig
c:\program files\Common Files\Symantec Shared\SPManifests\eraser.spm
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\concat-webauth.sql.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\tmp6efb.tmp\cur.enc
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\vscanmsx.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071104.009\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071202.001\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\20071203.003\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\catalog.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\cceraser.dll
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\ecmsvr32.dll
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\eeCtrl.sys
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\ERASER.grd
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\ERASER.sig
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\ERASER.spm
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\ERASER.sys
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\esrdef.bin
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\hh
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\naveng.sys
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\naveng32.dll
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\navex15.sys
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\navex32a.dll
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\ncsacert.txt
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\scrauth.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\symaveng.cat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\symaveng.inf
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\SymErase.cat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\SymErase.inf
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tcdefs.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tcscan7.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tcscan8.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tcscan9.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\technote.txt
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tinf.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tinfidx.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tinfl.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tscan1.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\tscan1hd.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\v.grd
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\v.sig
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan.inf
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan1.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan2.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan3.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan4.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan5.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan6.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan7.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan8.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan9.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\whatsnew.txt
c:\program files\Common Files\Symantec Shared\VirusDefs\BinHub\zdone.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\definfo.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\TextHub\virscant.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp3ed5.tmp\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\vscanmsx.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4dd0.tmp\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\cur.scr
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\ESRDEF.999
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\nco.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\sesmvirdef32incr.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\TCDEFS.998
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\TCSCAN7.997
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\TCSCAN8.996
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\TCSCAN9.995
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\TINF.994
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\TINFL.993
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\TSCAN1.992
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\V.990
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\V.991
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN1.989
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN2.988
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN3.987
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN4.986
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN5.985
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN6.984
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN7.983
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN8.982
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\VIRSCAN9.981
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\virscant.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp4f54.tmp\WHATSNEW.980
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\cur.scr
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\ESRDEF.999
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\nco.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\sesmvirdef32incr.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\TCDEFS.998
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\TCSCAN7.997
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\TCSCAN8.996
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\TCSCAN9.995
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\TINF.994
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\TINFL.993
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\TSCAN1.992
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\V.990
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\V.991
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN1.989
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN2.988
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN3.987
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN4.986
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN5.985
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN6.984
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN7.983
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN8.982
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\VIRSCAN9.981
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\virscant.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp502c.tmp\WHATSNEW.980
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5610.tmp\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\vscanmsx.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6aff.tmp\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\cur.scr
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\ESRDEF.999
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\nco.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\sesmvirdef32incr.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\TCDEFS.998
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\TCSCAN7.997
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\TCSCAN8.996
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\TCSCAN9.995
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\TINF.994
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\TINFL.993
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\TSCAN1.992
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\V.990
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\V.991
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN1.989
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN2.988
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN3.987
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN4.986
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN5.985
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN6.984
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN7.983
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN8.982
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\VIRSCAN9.981
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\virscant.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp6ca8.tmp\WHATSNEW.980
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\cur.scr
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\ESRDEF.999
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\nco.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\sesmvirdef32incr.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\TCDEFS.998
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\TCSCAN7.997
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\TCSCAN8.996
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\TCSCAN9.995
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\TINF.994
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\TINFL.993
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\TSCAN1.992
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\V.990
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\V.991
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN1.989
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN2.988
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN3.987
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN4.986
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN5.985
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN6.984
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN7.983
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN8.982
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\VIRSCAN9.981
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\virscant.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp7855.tmp\WHATSNEW.980
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\cur.scr
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\ESRDEF.999
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\nco.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\sesmvirdef32incr.dis
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\TCDEFS.998
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\TCSCAN7.997
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\TCSCAN8.996
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\TCSCAN9.995
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\TINF.994
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\TINFL.993
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\TSCAN1.992
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\V.990
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\V.991
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN1.989
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN2.988
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN3.987
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN4.986
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN5.985
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN6.984
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN7.983
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN8.982
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\VIRSCAN9.981
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\virscant.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpd4c.tmp\WHATSNEW.980
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NAVEX15.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TINF.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TINFL.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\V.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\V.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\vscanmsx.dat
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmpeaf.tmp\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\usage.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLTNETCNSERVICE
-------\Legacy_SYMANTEC_CORE_LC
-------\Service_CLTNetCnService
-------\Service_Symantec Core LC
((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.
2009-03-05 18:53 . 2009-03-05 18:53 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-04 01:13 . 2009-03-04 01:13 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\Yahoo!
2009-03-04 01:13 . 2009-03-04 01:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-25 22:21 . 2009-03-10 12:58 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-02-25 22:21 . 2009-02-25 22:21 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-02-25 22:21 . 2009-02-25 22:21 107,272 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-02-25 22:21 . 2009-02-25 22:21 12,552 --a------ c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys
2009-02-25 22:21 . 2009-02-25 22:21 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-02-25 22:03 . 2009-02-25 22:04 <DIR> d-------- c:\program files\Steganos Privacy Suite 2008
2009-02-25 21:01 . 2009-02-25 21:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-25 21:01 . 2009-03-10 16:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 20:25 . 2009-02-12 20:32 <DIR> d-------- C:\test
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 15:28 --------- d-----w c:\documents and settings\Angus Maciver\Application Data\MailWasherPro
2009-03-05 18:50 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 20:48 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-28 20:45 --------- d-----w c:\program files\Steganos
2009-02-12 20:35 --------- d-----w c:\documents and settings\Angus Maciver\Application Data\U3
2009-02-08 20:32 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2009-02-08 19:36 --------- d-----w c:\program files\SpywareBlaster
2009-02-06 17:32 --------- d-----w c:\program files\Trend Micro
2009-02-05 18:29 --------- d-----w c:\documents and settings\Angus Maciver\Application Data\Steganos
2009-02-05 18:28 --------- d-----w c:\program files\Steganos Password Manager 2009
2009-02-05 16:12 --------- d-----w c:\program files\Java
2009-01-28 20:26 --------- d-----w c:\program files\Yahoo!
2009-01-16 21:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-19 09:10 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-12-12 11:55 410,984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2007-02-07 18:14 92,064 ----a-w c:\documents and settings\Angus Maciver\mqdmmdm.sys
2007-02-07 18:14 9,232 ----a-w c:\documents and settings\Angus Maciver\mqdmmdfl.sys
2007-02-07 18:14 79,328 ----a-w c:\documents and settings\Angus Maciver\mqdmserd.sys
2007-02-07 18:14 66,656 ----a-w c:\documents and settings\Angus Maciver\mqdmbus.sys
2007-02-07 18:14 6,208 ----a-w c:\documents and settings\Angus Maciver\mqdmcmnt.sys
2007-02-07 18:14 5,936 ----a-w c:\documents and settings\Angus Maciver\mqdmwhnt.sys
2007-02-07 18:14 4,048 ----a-w c:\documents and settings\Angus Maciver\mqdmcr.sys
2007-02-07 18:14 25,600 ----a-w c:\documents and settings\Angus Maciver\usbsermptxp.sys
2007-02-07 18:14 22,768 ----a-w c:\documents and settings\Angus Maciver\usbsermpt.sys
2008-08-26 11:38 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-02-25_20.20.31.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 15:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2007-10-11 10:24:00 85,952 ----a-w c:\windows\sleen1664.sys
+ 2008-06-17 19:02:19 8,461,312 ------w c:\windows\SYSTEM32\DLLCACHE\shell32.dll
- 2009-02-11 16:36:47 27,656 ----a-w c:\windows\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2009-02-25 22:21:36 27,656 ----a-w c:\windows\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2007-10-11 10:24:00 79,104 ----a-w c:\windows\SYSTEM32\DRIVERS\sleen16.sys
+ 2006-12-05 08:27:04 184,320 ----a-w c:\windows\SYSTEM32\SatSrv.exe
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\SYSTEM32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\SYSTEM32\shell32.dll
+ 2009-03-10 16:46:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_37c.dat
+ 2009-03-10 16:46:39 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-16 98304]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"SSS2008 PasswordManagerFFAutoFill"="c:\program files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe" [2008-09-11 21504]
"SSS2008 HotKeys"="c:\program files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe" [2008-09-11 25088]
"SSS2008 File Redirection Starter"="c:\program files\Steganos Privacy Suite 2008\fredirstarter.exe" [2008-09-11 57344]
"AVG8_TRAY"="c:\progra~1\Steganos\ANTIVI~1\avgtray.exe" [2009-02-28 1610520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-25 22:21 10520 c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 01:05 122939 c:\windows\SYSTEM32\dla\tfswctrl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dldncoms.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnpswx.exe"=
"c:\\Program Files\\Dell V105\\dldnmon.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldntime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnjswx.exe"=
"c:\\Program Files\\Dell V105\\dldnlscn.exe"=
"c:\\Program Files\\Steganos\\Anti Virus 2009\\avgam.exe"=
"c:\\Program Files\\Steganos\\Anti Virus 2009\\avgupd.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2009-02-25 12552]
R1 AvgLdx86;Steganos I.S. AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-02-25 325128]
R1 AvgTdiX;Steganos I.S. Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-02-25 107272]
R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\SYSTEM32\DRIVERS\sleen16.sys [2007-10-11 10:24:00 79104]
S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\SYSTEM32\DRIVERS\zpmodemnt.sys [2006-01-15 1792]
--- Other Services/Drivers In Memory ---
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - avg8wd
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dldn_device
*Deregistered* - Dnscache
*Deregistered* - EPSONStatusAgent2
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SatSrv
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - w32time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
.
------- Supplementary Scan -------
.
uStart Page = www.blueyonder.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 16:47:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Steganos\ANTIVI~1\avgwdsvc.exe
c:\windows\SYSTEM32\dldncoms.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\SYSTEM32\SatSrv.exe
c:\progra~1\Steganos\ANTIVI~1\avgam.exe
c:\program files\Steganos\Anti Virus 2009\avgrsx.exe
c:\progra~1\Steganos\ANTIVI~1\avgnsx.exe
c:\program files\Steganos\Anti Virus 2009\avgcsrvx.exe
c:\program files\Dell V105\dldnmsdmon.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-03-10 17:03:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-10 17:02:49
ComboFix2.txt 2009-03-06 17:28:18
ComboFix3.txt 2009-03-03 18:32:37
ComboFix4.txt 2009-02-25 20:22:52
Pre-Run: 20,395,249,664 bytes free
Post-Run: 20,277,510,144 bytes free
826 --- E O F --- 2009-02-25 23:46:52
I'll need to post another reply with the HJT Log file, I got a warning that the number of characters was too long >64000
lh017640
2009-03-10, 19:21
Hi Blade81
Here is the HJT Log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:33, on 10/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgwdsvc.exe
C:\WINDOWS\system32\dldncoms.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\SatSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgam.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgrsx.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgnsx.exe
C:\Program Files\Steganos\Anti Virus 2009\avgcsrvx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe
C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe
C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Steganos Password Manager AutoFill - {1427A821-7B93-4F08-9A34-9FA03A3D93DB} - C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Steganos.Pwm.BHO - {23162633-071E-4D3C-B347-B85451A92DBA} - C:\Program Files\Steganos Password Manager 2009\PwmBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSS2008 PasswordManagerFFAutoFill] "C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe"
O4 - HKLM\..\Run: [SSS2008 HotKeys] "C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [SSS2008 File Redirection Starter] "C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Steganos\ANTIVI~1\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Steganos A.V. WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\ANTIVI~1\avgwdsvc.exe
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Steganos AntiTheft (SatSrv) - Unknown owner - C:\WINDOWS\system32\\SatSrv.exe
--
End of file - 8397 bytes
Realising I'd missed a step, I then cleaned out the autoexec.bat file
Regards
Gordon
Hi
Does that IE error message appear on every website or only on some specific ones?
lh017640
2009-03-14, 01:03
Hi Blade81
The error appears every time you change a page even within a website and not just when you move from one website to another.
Gordon
Hi
In IE7 choose Tools -> Internet Options, Advanced, and uncheck "display a notification about every script error". Approve the changes and restart IE.
lh017640
2009-03-15, 23:32
Hi blade81
The box is already unchecked?
Gordon
Hi
In that case I recommend to reinstall IE7 or alternatively install IE8 (http://www.microsoft.com/windows/internet-explorer/beta/?ocid=ie8_s_cb9908b0-34f4-4a90-9dab-b6ab2df4629d).
lh017640
2009-03-18, 20:24
Dear Blade81
My father in law has downloaded Firefox and that appears to work fine. He much prefers Firefox anyway.
Are we clear from the other issues?
Regards
Gordon
Hi
Please post a fresh dds log and let me know how's the system running. I'll then see if it's time for final steps :)
lh017640
2009-03-23, 22:22
Hi Blade81
Excuse my ignorance dds log? is that the combofix and HJT logs?
Regards
Gordon
Sorry for that. I meant hjt log.
lh017640
2009-03-29, 21:25
Hi Blade81
Here is the requested HJT log file, in my opinion the system is still a bit sluggish.
Regards
Gordon
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:44, on 29/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Steganos\ANTIVI~1\avgwdsvc.exe
C:\WINDOWS\system32\dldncoms.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell V105\dldnmon.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgam.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgrsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgnsx.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe
C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe
C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe
C:\PROGRA~1\Steganos\ANTIVI~1\avgtray.exe
C:\WINDOWS\system32\SatSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Steganos\Anti Virus 2009\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Steganos\Anti Virus 2009\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Steganos Password Manager AutoFill - {1427A821-7B93-4F08-9A34-9FA03A3D93DB} - C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Steganos.Pwm.BHO - {23162633-071E-4D3C-B347-B85451A92DBA} - C:\Program Files\Steganos Password Manager 2009\PwmBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSS2008 PasswordManagerFFAutoFill] "C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe"
O4 - HKLM\..\Run: [SSS2008 HotKeys] "C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [SSS2008 File Redirection Starter] "C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Steganos\ANTIVI~1\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Steganos A.V. WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\ANTIVI~1\avgwdsvc.exe
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Steganos AntiTheft (SatSrv) - Unknown owner - C:\WINDOWS\system32\\SatSrv.exe
--
End of file - 8667 bytes
Hi Gordon
Log looks ok to me. Hints for improving system performance can be found here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html) :)
Now lets uninstall ComboFix:
Click START then RUN
Now type "c:\documents and settings\Angus Maciver\My Documents\Downloads\ComboFix.exe" /u in the runbox and click OK
lh017640
2009-04-05, 23:32
Hi Blade81
My father-in-law was able to delete combofix himself using the instructions, so we're all done I suppose.
Many thanks for all your help and patience
Regards
Gordon
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.