Search engine hijack, tdss* trojan?
My father-in-law (ANgus Maciver) appeared to have acquired a search engine hijack trojan. No matter what we did we could not get rid of it. It denied us from loading Spybot S&D and accessing other anti-virus web sites and forums.
I originaly made a post which was closed as I didn't have the information in time to respond, and I'm not sure how to link to the orignal post in the archive.
We have been able to load a trial version of Steganos Internet Security 2009.
However when we started to run steganos, the progam said it was scanning but no files were shown to be scanned then the components that make up Steganos shut down and then restarted, and it then completes it's scan.
Stegaos identifies a trojan TDssmhxt.sys and other associated files if offers to delete which we do, however in order to take effect the system must reboot and they came back.
I created a Hijack this log see below on the 6th Feb 09. Following discussion wit IT guy's at work I ran combofix but prior to that I uninstalled Steganos (recommended by Steganos re the shutting down and restarting) however for some reason Steganos was not fully uninstalled as combofix recognised a remanant and we had to run it stating an AV program was present which we know it wasn't. The combofix log of the is the next log file. This appears to have got rid of the TDSS issue but not convinced the computer is clean. The last file is another Hijackthis log taken tonight 28th Feb
I would be grateful if someone could provide some advice.
Regards
Gordon
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33:53, on 06/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Steganos\INTERN~1\avgfws8.exe
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Steganos\INTERN~1\avgtray.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dldncoms.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Steganos\Internet Security 2009\avgui.exe
C:\Program Files\Steganos\Internet Security 2009\avgscanx.exe
C:\PROGRA~1\Steganos\INTERN~1\avgwdsvc.exe
C:\PROGRA~1\Steganos\INTERN~1\avgam.exe
C:\PROGRA~1\Steganos\INTERN~1\avgrsx.exe
C:\PROGRA~1\Steganos\INTERN~1\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Steganos\Internet Security 2009\avgupd.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Steganos.Pwm.BHO - {23162633-071E-4D3C-B347-B85451A92DBA} - C:\Program Files\Steganos Password Manager 2009\PwmBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Steganos\INTERN~1\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Steganos I.S. WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\INTERN~1\avgwdsvc.exe
O23 - Service: Steganos I.S. Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\INTERN~1\avgfws8.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 7923 bytes
ComboFix 09-02-24.02 - Angus Maciver 2009-02-25 20:01:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.68 [GMT 0:00]
Running from: c:\documents and settings\Angus Maciver\My Documents\Downloads\ComboFix.exe
AV: Steganos Internet Security *On-access scanning enabled* (Updated)
FW: Steganos Firewall *enabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Angus Maciver\Desktop\System Security.lnk
c:\documents and settings\Angus Maciver\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Angus Maciver\Start Menu\Programs\System Security
c:\documents and settings\Angus Maciver\Start Menu\Programs\System Security\System Security.lnk
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
c:\program files\Microsoft Common
C:\start.bat
c:\windows\system32\bbadffeccaf.dll
c:\windows\system32\Drivers\TDSSmhxt.sys
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\DESKTOP.INI
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\LSSupCtl.dll
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\LSSupCtl.inf
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\sdclicense.txt
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\SymAData.dll
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\tgctlsi.inf
c:\windows\system32\gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, GBIEHABN.DLL, SCPSSSH2.DLL\tgctlsr.inf
c:\windows\system32\mdm.exe
c:\windows\system32\reg_0001.txt
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_GbpSv
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.
2009-02-24 14:45 . 2009-02-25 19:45 <DIR> d-------- c:\program files\Enigma Software Group
2009-02-24 14:20 . 2009-02-25 19:53 200,208 --a------ c:\windows\SYSTEM32\vumer.dll
2009-02-24 00:32 . 2009-02-24 00:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\771946947
2009-02-12 20:25 . 2009-02-12 20:32 <DIR> d-------- C:\test
2009-02-08 20:31 . 2009-02-08 20:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-02-08 19:33 . 2009-02-08 19:36 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-08 19:27 . 2009-02-12 20:35 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\U3
2009-02-06 17:32 . 2009-02-06 17:32 <DIR> d-------- c:\program files\Trend Micro
2009-02-06 16:58 . 2009-02-11 16:36 107,272 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-02-06 16:58 . 2009-02-11 16:36 12,552 --a------ c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys
2009-02-06 16:58 . 2009-02-11 16:36 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-02-06 16:57 . 2009-02-25 16:16 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-02-06 16:57 . 2009-02-11 16:36 325,128 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-02-06 16:56 . 2009-02-06 16:56 50,968 --a------ c:\windows\SYSTEM32\avgfwdx.dll
2009-02-06 16:56 . 2009-02-06 16:56 29,208 --a------ c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys
2009-02-05 18:29 . 2009-02-05 18:29 <DIR> d-------- c:\documents and settings\Angus Maciver\Application Data\Steganos
2009-02-05 18:28 . 2009-02-05 18:28 <DIR> d-------- c:\program files\Steganos Password Manager 2009
2009-01-30 16:26 . 2009-02-08 20:06 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-29 23:51 . 2009-01-29 23:51 <DIR> d-------- c:\program files\Steganos
2009-01-29 23:51 . 2009-02-11 16:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-28 20:28 . 2009-01-28 20:42 <DIR> d---s---- c:\windows\Downloaded Program Files
2009-01-28 19:44 . 2004-11-16 13:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-01-28 19:44 . 2004-11-16 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-28 19:44 . 2004-11-16 12:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-28 19:44 . 2009-02-05 16:42 <DIR> d-------- c:\documents and settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 19:03 --------- d-----w c:\documents and settings\Angus Maciver\Application Data\MailWasherPro
2009-02-24 14:07 2,383 ----a-w c:\windows\SYSTEM32\TDSSfpmp.dll
2009-02-05 16:12 --------- d-----w c:\program files\Java
2009-01-28 20:26 --------- d-----w c:\program files\Yahoo!
2009-01-16 21:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-31 17:16 --------- d-----w c:\program files\CCleaner
2008-12-19 09:10 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-12-12 11:55 410,984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-12-03 16:54 7,753,415 ----a-w c:\windows\Internet Logs\tvDebug.zip
2007-02-07 18:14 92,064 ----a-w c:\documents and settings\Angus Maciver\mqdmmdm.sys
2007-02-07 18:14 9,232 ----a-w c:\documents and settings\Angus Maciver\mqdmmdfl.sys
2007-02-07 18:14 79,328 ----a-w c:\documents and settings\Angus Maciver\mqdmserd.sys
2007-02-07 18:14 66,656 ----a-w c:\documents and settings\Angus Maciver\mqdmbus.sys
2007-02-07 18:14 6,208 ----a-w c:\documents and settings\Angus Maciver\mqdmcmnt.sys
2007-02-07 18:14 5,936 ----a-w c:\documents and settings\Angus Maciver\mqdmwhnt.sys
2007-02-07 18:14 4,048 ----a-w c:\documents and settings\Angus Maciver\mqdmcr.sys
2007-02-07 18:14 25,600 ----a-w c:\documents and settings\Angus Maciver\usbsermptxp.sys
2007-02-07 18:14 22,768 ----a-w c:\documents and settings\Angus Maciver\usbsermpt.sys
2008-08-26 11:38 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-09 2356088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-16 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"AVG8_TRAY"="c:\progra~1\Steganos\INTERN~1\avgtray.exe" [2009-02-11 1610520]
"468005841"="c:\documents and settings\All Users\Application Data\771946947\468005841.exe" [2009-02-24 1197607]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-11 16:36 10520 c:\windows\SYSTEM32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dldncoms.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnpswx.exe"=
"c:\\Program Files\\Dell V105\\dldnmon.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldntime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldnjswx.exe"=
"c:\\Program Files\\Dell V105\\dldnlscn.exe"=
"c:\\Program Files\\Steganos\\Internet Security 2009\\avgam.exe"=
"c:\\Program Files\\Steganos\\Internet Security 2009\\avgupd.exe"=
"c:\\Program Files\\Steganos\\Internet Security 2009\\avgnsx.exe"=
R2 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe [2008-03-04 99568]
R2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\system32\drivers\zpmodemnt.sys [2006-01-15 1792]
R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-02-06 29208]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-02-11 12552]
S1 AvgLdx86;Steganos I.S. AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-11 325128]
S1 AvgTdiX;Steganos I.S. Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-11 107272]
S2 avg8wd;Steganos I.S. WatchDog;c:\progra~1\Steganos\INTERN~1\avgwdsvc.exe [2009-02-11 298264]
S2 avgfws8;Steganos I.S. Firewall;c:\progra~1\Steganos\INTERN~1\avgfws8.exe [2009-02-11 1339600]
S2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe [2008-03-04 595184]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-02-06 29208]
--- Other Services/Drivers In Memory ---
*Deregistered* - abp480n5
*Deregistered* - adpu160m
*Deregistered* - AFD
*Deregistered* - agp440
*Deregistered* - agpCPQ
*Deregistered* - Aha154x
*Deregistered* - aic78u2
*Deregistered* - aic78xx
*Deregistered* - ALG
*Deregistered* - AliIde
*Deregistered* - alim1541
*Deregistered* - amdagp
*Deregistered* - amsint
*Deregistered* - asc
*Deregistered* - asc3350p
*Deregistered* - asc3550
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8wd
*Deregistered* - Avgfwdx
*Deregistered* - avgfws8
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - cbidf
*Deregistered* - cd20xrnt
*Deregistered* - Cdfs
*Deregistered* - CmdIde
*Deregistered* - Cpqarray
*Deregistered* - CryptSvc
*Deregistered* - dac2w2k
*Deregistered* - dac960nt
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dldn_device
*Deregistered* - Dnscache
*Deregistered* - dpti2o
*Deregistered* - drvnddm
*Deregistered* - eeCtrl
*Deregistered* - EPSONStatusAgent2
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - hpn
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - i2omp
*Deregistered* - ImapiService
*Deregistered* - ini910u
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - mraid35x
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$MICROSOFTBCM
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - perc2
*Deregistered* - perc2hib
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - ql1080
*Deregistered* - Ql10wnt
*Deregistered* - ql12160
*Deregistered* - ql1240
*Deregistered* - ql1280
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - sisagp
*Deregistered* - Sparrow
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - sym_hi
*Deregistered* - sym_u3
*Deregistered* - symc810
*Deregistered* - symc8xx
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - TosIde
*Deregistered* - TrkWks
*Deregistered* - ultra
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - viaagp
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
.
------- Supplementary Scan -------
.
uStart Page = www.blueyonder.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 20:12:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\Steganos\INTERN~1\avgam.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Steganos\Internet Security 2009\avgrsx.exe
c:\progra~1\Steganos\INTERN~1\avgnsx.exe
c:\program files\Dell V105\dldnmsdmon.exe
.
**************************************************************************
.
Completion time: 2009-02-25 20:22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 20:22:33
Pre-Run: 20,999,368,704 bytes free
Post-Run: 20,922,576,896 bytes free
368 --- E O F --- 2009-02-12 22:22:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:53, on 28/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Steganos\INTERN~1\avgwdsvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Steganos\INTERN~1\avgfws8.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell V105\dldnmon.exe
C:\WINDOWS\system32\dldncoms.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe
C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe
C:\PROGRA~1\Steganos\INTERN~1\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Steganos\INTERN~1\avgam.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Steganos\INTERN~1\avgrsx.exe
C:\PROGRA~1\Steganos\INTERN~1\avgnsx.exe
C:\Program Files\Steganos\Internet Security 2009\avgcsrvx.exe
C:\WINDOWS\system32\SatSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Steganos\Internet Security 2009\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Steganos Password Manager AutoFill - {1427A821-7B93-4F08-9A34-9FA03A3D93DB} - C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerBHO.dll
O2 - BHO: Steganos.Pwm.BHO - {23162633-071E-4D3C-B347-B85451A92DBA} - C:\Program Files\Steganos Password Manager 2009\PwmBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSS2008 PasswordManagerFFAutoFill] "C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe"
O4 - HKLM\..\Run: [SSS2008 HotKeys] "C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [SSS2008 File Redirection Starter] "C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Steganos\INTERN~1\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Steganos I.S. WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\INTERN~1\avgwdsvc.exe
O23 - Service: Steganos I.S. Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Steganos\INTERN~1\avgfws8.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS\system32\dldncoms.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Steganos AntiTheft (SatSrv) - Unknown owner - C:\WINDOWS\system32\\SatSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8846 bytes
