Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan / Malware Problem (possibly Duped Into Downloading A Codec)


  • Please log in to reply
6 replies to this topic

#1 jfriel

jfriel

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 10 June 2008 - 03:09 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:14, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\ScheduleSrvc.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\dbssys\DBSNTS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\BAOF\Ofant.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccnfagent.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\Unicenter DSM\Bin\rcHost.exe
C:\Program Files\CA\Unicenter DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfftplugin.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\dbssys\DBSValidReceive.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe
C:\Program Files\CA\Unicenter DSM\Bin\sxplog32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\agent\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 78.42.196.237 DBS-SMTP-SERVER
O1 - Hosts: 172.17.1.58 NYPROD
O1 - Hosts: 172.17.1.48 VIPER
O1 - Hosts: 172.17.1.43 SNAP01
O1 - Hosts: 172.17.1.45 SPYSWEEPER
O1 - Hosts: 172.17.1.5 LDAP
O1 - Hosts: 172.17.1.83 JAGUAR
O1 - Hosts: 172.17.1.46 OMSCAV
O1 - Hosts: 172.17.1.5 MCS02A
O1 - Hosts: 172.17.1.5 MCS02
O1 - Hosts: 172.17.1.113 STEALTH
O1 - Hosts: 172.17.1.188 PGORDON
O1 - Hosts: 172.17.1.44 NSMR11
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QXK Olive - {92C92F37-2DD0-4960-A821-7F19D1E0A152} - C:\WINDOWS\nogxfvblmtv.dll (file missing)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [ThpSrv] thpsrv /logon
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe"
O4 - HKLM\..\Run: [Mobile Backup] C:\PROGRA~1\CA\BRIGHT~1\Client\rwclient.exe -Login
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SalesTrackTMR] c:\dbssys\DBSValidReceive.exe
O4 - HKLM\..\Run: [HPWRTOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe "-i"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe"
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\agent\LOCALS~1\Temp\rbnpsrv.exe/r
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-21-662433435-3988582327-564788697-1005\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-662433435-3988582327-564788697-1005\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-662433435-3988582327-564788697-1005\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 (User '?')
O4 - HKUS\S-1-5-21-662433435-3988582327-564788697-1005\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-662433435-3988582327-564788697-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-662433435-3988582327-564788697-1005\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User '?')
O4 - HKUS\S-1-5-21-662433435-3988582327-564788697-1005\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all (User '?')
O4 - S-1-5-21-662433435-3988582327-564788697-1005 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fling.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163851189046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193211608921
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDC62ECC-1513-479C-89C6-EA79DC302505}: NameServer = 195.238.50.254,195.238.40.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6F89A52-6548-4939-A8D9-09BBFAA4964B}: NameServer = 195.238.50.254,195.238.40.45
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CAF - C:\Program Files\CA\Unicenter DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\Unicenter DSM\Bin\rcLoginExt.dll
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O21 - SSODL: erpobmsw - {9351EA54-170A-4675-83B1-1AD6FB2A61E6} - C:\WINDOWS\erpobmsw.dll (file missing)
O21 - SSODL: adgpfoxs - {09BD9DC6-CFA8-4A30-B7D2-072E34C54D73} - C:\WINDOWS\adgpfoxs.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA BrightStor ARCserve Backup for Laptops & Desktops Scheduler - Computer Associates International, Inc. - C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\ScheduleSrvc.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: CA Unicenter DSM r11 Common Application Framework. (caf) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DBSNTS - Cipherbase - c:\dbssys\DBSNTS.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DM Primer (DMPrimer) - Computer Associates - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Keyboard Manager (keyb) - Unknown owner - C:\WINDOWS\system32\type32.dll (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: core windows service windows (ms leap) - Unknown owner - C:\Program Files\Cerver.exe (file missing)
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe (file missing)
O23 - Service: CA Backup Agent for Open Files (OpenFileAgent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\BAOF\Ofant.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 20226 bytes

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 June 2008 - 02:06 AM

Hi and Welcome to the forums.

Duped Into Downloading A Codec huh...I like that. :thumbsup:

You should make a copy of your Hosts file,its looks to be customized.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall


ComboFix will usually replace the Hosts file in cases as such,I cant atest that it does it every single time but it would be in your best interst to check it after each usage of ComboFix.


After ComboFix has finished and you have posted that log,follow the instructions below to download,install and run SDFix in Safe Mode.
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Post that log when completed,please.

Edited by Cretemonster, 12 June 2008 - 02:10 AM.


#3 jfriel

jfriel
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  

Posted 14 June 2008 - 10:07 AM

Here is the log from the combofix scan as requested - had to wait til i got access to another pc as i cant even copy and paste anything on mine or move files around. I have the hosts file backed up and have a util that will restore it for me if it gets damaged or changed.

ComboFix 08-06-11.3 - agent 2008-06-13 11:08:30.1 - NTFSx86
Running from: C:\Documents and Settings\agent\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Service_msupdate


((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-10 16:37 . 2007-09-30 20:10 2,702 --a------ C:\WINDOWS\mariner.hi1
2008-06-10 16:37 . 2007-09-30 20:10 1,366 --a------ C:\WINDOWS\mariner.bu1
2008-06-10 14:44 . 2008-06-10 18:07 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-10 12:25 . 2008-06-10 12:25 <DIR> d-------- C:\Documents and Settings\agent\temp
2008-06-10 12:25 . 2008-06-10 12:25 <DIR> d-------- C:\Documents and Settings\agent\Application Data\TeamViewer
2008-06-07 16:33 . 2008-06-07 16:34 921,624 --a------ C:\snp2sxp-001.raw
2008-06-05 00:34 . 2008-06-10 17:23 8,338 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-04 23:42 . 2008-06-04 23:42 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-06-04 23:42 . 2008-06-04 23:42 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
2008-06-04 23:42 . 2008-06-04 23:42 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
2008-06-04 23:42 . 2008-06-04 23:42 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
2008-06-04 23:34 . 2008-06-04 23:34 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-30 14:06 . 2008-05-30 14:07 <DIR> d-------- C:\Documents and Settings\agent\nsapp
2008-05-30 14:05 . 2008-05-30 14:05 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-05-30 14:05 . 2008-05-30 14:05 <DIR> d--h----- C:\Documents and Settings\agent\InstallAnywhere
2008-05-27 17:46 . 2008-05-27 17:46 <DIR> d-------- C:\LCCU_4.0.3.12
2008-05-25 14:25 . 2008-02-16 12:32 666,112 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2008-05-25 14:25 . 2008-02-16 12:32 618,496 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2008-05-25 14:25 . 2007-12-18 17:40 450,560 --a------ C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-25 14:25 . 2007-12-18 17:40 417,792 --a------ C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-25 14:25 . 2008-02-16 12:32 16,384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-05-23 15:38 . 2008-05-23 15:38 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-23 15:36 . 2008-05-23 15:36 <DIR> d-------- C:\Documents and Settings\agent\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 08:13 --------- d-----w C:\Program Files\DBS SalesTrack
2008-06-11 18:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-10 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-09 19:52 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-09 19:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-09 19:51 --------- d-----w C:\Documents and Settings\agent\Application Data\Skype
2008-06-09 13:02 --------- d-----w C:\Documents and Settings\agent\Application Data\skypePM
2008-06-09 05:58 --------- d-----w C:\Program Files\LogMeIn
2008-06-03 11:43 --------- d-----w C:\Program Files\Java
2008-05-28 11:23 --------- d-----w C:\Program Files\Kontiki
2008-05-19 07:27 240 ----a-w C:\Documents and Settings\agent\Application Data\wklnhst.dat
2008-05-12 10:22 --------- d-----w C:\Program Files\Apple Software Update
2008-05-05 05:46 --------- d-----w C:\Program Files\U.S. Robotics
2008-05-05 05:46 --------- d-----w C:\Program Files\Common Files\snp2std
2008-05-05 05:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 05:45 --------- d-----w C:\Documents and Settings\agent\Application Data\InstallShield
2008-04-27 12:32 24,576 ----a-w C:\test.exe
2008-04-19 09:49 --------- d-----w C:\Documents and Settings\agent\Application Data\FileZilla
2008-04-19 07:25 --------- d-----w C:\Program Files\FileZilla FTP Client
2008-04-19 07:00 --------- d-----w C:\Program Files\SmartFTP Client
2008-04-19 06:59 --------- d-----w C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-17 21:52 117,911 ----a-w C:\WINDOWS\DBS SalesTrack Uninstaller.exe
2008-04-16 12:20 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-15 07:38 --------- d-----w C:\Program Files\eMusic Download Manager
2008-03-01 12:37 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2004-08-04 15:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2005-03-02 21:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 18:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2005-03-02 21:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 18:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 18:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 15:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2005-10-21 06:38 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-01-09 21:02 662016 dde9597a3311748c1519444e2bc147bd C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\wininet.dll
2007-12-07 05:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 16:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2006-01-09 21:08 658432 d9e3f8440d208698b3f0e5cfac26daa1 C:\WINDOWS\$NtUninstallKB912945$\wininet.dll
2006-01-09 21:02 662016 dde9597a3311748c1519444e2bc147bd C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
2006-09-14 11:31 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
2007-06-26 17:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
2007-08-22 15:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\$NtUninstallKB942615$\wininet.dll
2007-10-11 08:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$NtUninstallKB944533$\wininet.dll
2007-12-07 03:44 666112 085a7c37f9c6ede1ba870b7dbec06399 C:\WINDOWS\$NtUninstallKB947864$\wininet.dll
2008-02-16 12:32 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\ie7\wininet.dll
2007-12-07 05:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2007-10-11 02:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-11 02:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2008-02-16 12:32 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\system32\wininet.dll
2008-02-16 12:32 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\system32\dllcache\wininet.dll

2005-03-14 04:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-04-20 15:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 19:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2005-03-14 03:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 14:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 20:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 20:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-04 15:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2004-08-04 15:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 15:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-02 02:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2005-09-29 02:35 2015744 48472d224e1703882b4de0e28e205e9b C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 12:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 12:15 2017280 2dfb215e291e3d9b1cf9a6739b3bf16c C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 12:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-02 04:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2005-09-29 03:02 2136064 25c36dbc46e8eff2a811769a60715ac5 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 12:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 12:53 2137600 e6679c3023b17d8b78946bc5df53fa20 C:\WINDOWS\system32\ntoskrnl.exe

2007-06-13 13:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 14:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 15:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 13:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 15:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2004-08-04 15:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2004-08-04 15:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 10:32 65536]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"ares"="C:\Program Files\Ares\Ares.exe" [ ]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-04-25 04:09 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 14:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 02:50 88204 C:\WINDOWS\agrsmmsg.exe]
"DpUtil"="C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 06:11 155648]
"TPSMain"="TPSMain.exe" [2006-04-25 05:54 315392 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2006-04-25 05:54 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"ThpSrv"="thpsrv /logon" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 02:13 122880]
"TFncKy"="TFncKy.exe" []
"TOSDCR"="TOSDCR.EXE" [2005-12-13 20:54 57344 C:\WINDOWS\system32\TOSDCR.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [2005-12-14 22:00 126976]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [2006-02-23 03:41 86016]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-06 03:36 30208]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-18 03:37 151552]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 21:42 49152]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 17:40 196608]
"TFNF5"="TFNF5.exe" [2006-04-10 13:14 622592 C:\WINDOWS\system32\TFNF5.exe]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-05-22 15:20 122940]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 08:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 08:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 08:17 118784]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-17 22:37 184320]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 23:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 22:41 602182]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 02:16 1121792]
"SpySweeperEnterprise"="C:\Program Files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe" [2006-08-23 02:15 397312]
"Mobile Backup"="C:\PROGRA~1\CA\BRIGHT~1\Client\rwclient.exe" [2005-10-26 21:05 487424]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-10-10 19:19 90112]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-01-09 22:47 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-01-09 23:02 40960]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2001-05-02 16:10 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2001-05-02 16:10 24576]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2001-05-02 16:10 49152]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2001-05-02 16:10 20480]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-15 02:21 94208]
"SalesTrackTMR"="c:\dbssys\DBSValidReceive.exe" [2008-03-01 15:02 61440]
"HPWRTOOLBOX"="C:\Program Files\Hewlett-Packard\hp deskjet 460 series\Toolbox\HPWRTBX.exe" [2005-10-26 00:29 344064]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 16:05 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20 63048]
"CAF_SystemTray"="C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe" [2006-05-04 05:22 114688]
"DsmSxplog"="C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe" [2006-05-04 09:25 18944]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 20:49 335872]
"CFSServ.exe"="CFSServ.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 17:33 16132608 C:\WINDOWS\RTHDCPL.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]
"SalesTrackAgent"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-03 17:44 185896]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2007-04-25 12:23 258048]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2007-04-25 12:23 675840]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
C:\Program Files\CA\Unicenter DSM\Bin\cfwlogon.dll 2006-05-04 05:22 22016 C:\Program Files\CA\Unicenter DSM\bin\cfWlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2006-05-06 03:48 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rcHostExt]
C:\Program Files\CA\Unicenter DSM\Bin\rcLoginExt.dll 2006-05-04 05:24 4608 C:\Program Files\CA\Unicenter DSM\bin\rcLoginExt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Poli0yAgent]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfm42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:1\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"=
"C:\Program Files\WatchGuard\Mobile User VPN\ViewLog.exe"= C:\Program Files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"C:\Program Files\WatchGuard\Mobile User VPN\CmonApp.exe"= C:\Program Files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"C:\Program Files\WatchGuard\Mobile User VPN\vpn.exe"= C:\Program Files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
dmseroer REG_MULTI_SZ dmseroer
krnlsrvc REG_MULTI_SZ DcomLunch

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.17.1.58#MQshare]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\mqauto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b577cdd-06d5-11dd-b654-001b774b22e0}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38eabde7-cd6b-11dc-b630-001b774b22e0}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cb635b5-0fae-11dd-b668-001b774b22e0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88337ed5-820f-11dc-b5ef-001b774b22e0}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f1ba12b-8785-11dc-b5f7-001b774b22e0}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 06:15:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-11-18 10:04:27 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-11-18 10:04:28 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-11-18 10:04:28 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 11:14:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\agent\Local Settings\Application Data\Toshiba\BluetoothStack\V1.0\SDP00122.sdb 3247 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DMPrimer]
"ImagePath"="\"C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe\" -DMPRIMER_SERVICE_:"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\ScheduleSrvc.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\dbssys\DBSNTS.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\BAOF\OFANT.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\CA\Unicenter DSM\bin\CAF.exe
C:\Program Files\CA\Unicenter DSM\bin\cfsmsmd.exe
C:\Program Files\CA\Unicenter DSM\bin\ccnfAgent.exe
C:\Program Files\CA\Unicenter DSM\bin\cfnotsrvd.exe
C:\Program Files\CA\Unicenter DSM\bin\ccsmagtd.exe
C:\Program Files\CA\Unicenter DSM\bin\rcHost.exe
C:\Program Files\CA\Unicenter DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\Unicenter DSM\bin\cfFTPlugin.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\TME3\TMEEJME.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\CA\Unicenter DSM\bin\sxplog32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\TOSHIBA\IVP\ISM\Ivpsvmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-13 11:22:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-13 08:22:54

Pre-Run: 65,233,567,744 bytes free
Post-Run: 65,587,200,000 bytes free

320 --- E O F --- 2008-05-28 07:47:19

Will complete the next step now and post the results hopefully within the hour.

#4 jfriel

jfriel
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 15 June 2008 - 02:19 AM

Here is the SDfix log that was created;


SDFix: Version 1.192
Run by agent on Sat 06/14/2008 at 18:39

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\CLIENT.TMP - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 18:48:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,53,93,d0,e2,8b,39,29,20,7f,dd,fe,81,bd,b8,13,d2,fb,..
"hj34z0"=hex:75,1d,f5,f9,c0,81,e8,f5,de,e4,04,a6,6f,d0,27,d5,2d,c4,64,c4,f3,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,53,93,d0,e2,e7,5d,86,44,7f,dd,fe,81,c4,a9,13,d2,ff,..
"hj34z0"=hex:58,1c,f5,f9,d0,80,e8,f5,de,e4,04,a6,6f,d0,27,d5,2d,c4,64,c4,4e,..
"hj34z1"=hex:c1,1c,f5,f9,a8,80,e8,f5,df,e4,05,a6,6e,d0,27,d5,2d,c4,64,c4,a4,..
"hj34z2"=hex:c1,1c,f5,f9,a8,80,e8,f5,df,e4,05,a6,6e,d0,27,d5,2d,c4,64,c4,a4,..
"hj34z3"=hex:c1,1c,f5,f9,a8,80,e8,f5,df,e4,05,a6,6e,d0,27,d5,2d,c4,64,c4,a4,..
"hj34z4"=hex:c1,1c,f5,f9,a8,80,e8,f5,df,e4,05,a6,6e,d0,27,d5,2d,c4,64,c4,a4,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:1\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:1\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 20 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 21 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 3 Dec 2007 12,411,017 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4760267afd36bfb22419ce847c4b742f\BIT3837.tmp"
Mon 3 Dec 2007 12,411,017 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d7f8b7b26058f5e64cedb356a77a4b99\BIT3838.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\agent\Application Data\U3\temp\Launchpad Removal.exe"
Mon 9 Jun 2008 0 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0093FB73-93B4-4E2B-826A-A9D8DA19D69E.tmp"
Mon 9 Jun 2008 9,776 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS02A1657D-DAD0-4BE8-8E15-AF14FA13E5D6.tmp"
Mon 9 Jun 2008 162 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS02354018-F779-4240-A91F-A30FF7700A4E.tmp"
Mon 9 Jun 2008 684,040 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS03A2A7A1-8907-42AA-A6FA-9E515D516D11.tmp"
Mon 9 Jun 2008 424 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS03D4749F-C08E-4780-866A-8EBDD47C85D0.tmp"
Mon 9 Jun 2008 5,464 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS04535692-A9EA-4027-A9C1-155764ACA43D.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS06C3308E-FAFE-4C4F-AD82-986DED4B697D.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS07E46F8F-BF77-4B39-96BB-F24C7EE53C22.tmp"
Mon 9 Jun 2008 42 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS08E38554-712C-432C-9A10-5819F94F1C8A.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0ADE4286-9746-4FA8-8F09-23F73A958C82.tmp"
Mon 9 Jun 2008 351 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS110A698D-E14D-499C-BA6F-0B0D898A0A8F.tmp"
Mon 9 Jun 2008 196 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS15B743A4-3DF8-45AB-8B2D-BFEC80B54E9E.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS16741E8B-79D7-4281-B7D4-D003FA5DC442.tmp"
Mon 9 Jun 2008 552 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS17ECED5F-3C83-42F3-92A9-D089331614EB.tmp"
Mon 9 Jun 2008 46,362 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS19263F81-A829-41D7-8109-FCCEFDAC9D5F.tmp"
Mon 9 Jun 2008 48 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1EE80B9E-1184-43EB-A25D-0DC005F83F02.tmp"
Mon 9 Jun 2008 68 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1E1110CB-4DA5-4FA4-A403-AD9684F84303.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1ECCDEB1-870C-48F0-A7BB-75FB263BD7DE.tmp"
Mon 9 Jun 2008 2,320,948 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS292BD3A5-FE20-4422-AC06-55809A586B4A.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS29E323C7-BBA6-4C85-9B0F-589EB9238505.tmp"
Mon 9 Jun 2008 32 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B7453C9-9D46-46EA-8B9F-58B1A5837C29.tmp"
Mon 9 Jun 2008 1,994,044 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B4F0646-126B-4329-A410-5C2DFBFF358F.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2CA14B75-AE8B-42A3-991A-90AE390ACA04.tmp"
Mon 9 Jun 2008 42 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS34908CA4-35FC-4B6C-803E-C77485122961.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS355131FE-C093-47F0-989B-984E4BD29F22.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS360A4FEF-34B7-4DB8-8EF7-961E15041B6F.tmp"
Mon 9 Jun 2008 0 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS382ED1D8-823D-450D-B333-AEE6CE410B47.tmp"
Mon 9 Jun 2008 1,082 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3C63E93A-4871-4E9B-ACA2-BDA2ACC5ADFE.tmp"
Mon 9 Jun 2008 702 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3CA2D164-549B-4BC1-BB3C-34DE685C5F24.tmp"
Mon 9 Jun 2008 30 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3C2DB763-83CE-4222-9620-A5153D542CC3.tmp"
Mon 9 Jun 2008 118 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3DEAE9CE-C7B0-430C-8066-F11E80C87EEB.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3F670B09-E5DA-4735-99FA-C63CE9BC3591.tmp"
Mon 9 Jun 2008 120 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS432DB397-B8E1-49D9-90D1-CBB334B30301.tmp"
Mon 9 Jun 2008 622 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4982C9EA-3AE5-4161-A5AA-391503F94648.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4A66CBA7-A457-43CF-B522-64F659BFA612.tmp"
Mon 9 Jun 2008 3,116 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4B0233DF-631C-47D8-8512-3CC3C64304E8.tmp"
Mon 9 Jun 2008 114 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4B6B2C3F-080E-4C15-BEAF-82A8FDBE2E28.tmp"
Mon 9 Jun 2008 518 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4D192616-C3E9-4A74-B352-F76A3FA001E9.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS50AE4E5A-E995-46E5-95A4-09015803C57F.tmp"
Mon 9 Jun 2008 822 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5550DD7D-A22A-42A4-A0A1-35A156E84226.tmp"
Mon 9 Jun 2008 48 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS56FC09B7-98F7-4EB6-8B1E-50C1ED1F0583.tmp"
Mon 9 Jun 2008 26,748 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS57BCB72C-F63E-41ED-BAF0-956885D1372C.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5A493761-0F29-4AF4-AC99-2CD3A9877ADF.tmp"
Mon 9 Jun 2008 408 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5B4C772A-E0CB-4583-ACB9-602CF3E6A127.tmp"
Mon 9 Jun 2008 174,976 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6316FC29-3743-4465-B02D-55513047CA63.tmp"
Mon 9 Jun 2008 79,822 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6444B7F4-1F1B-4851-922C-1C6C41A4CB06.tmp"
Mon 9 Jun 2008 742 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS65C9689F-D446-43D1-8BEF-554671FAF355.tmp"
Mon 9 Jun 2008 3,982 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS67B23392-54FB-432C-A5F6-92922B231568.tmp"
Mon 9 Jun 2008 14 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS689EA0F9-0224-4639-9D4D-215880D407D4.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS682DB403-646B-49DC-9C95-F485815F3A56.tmp"
Mon 9 Jun 2008 408 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS69CB9D9B-39A0-44E6-8C51-61A92263E673.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6CB92E1F-90E1-42B4-AF2B-661411B2B065.tmp"
Mon 9 Jun 2008 2,313,076 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS72B2EC40-F2AF-49AE-BA14-80BDDF5CE9BC.tmp"
Mon 9 Jun 2008 96 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS72476AB9-1043-4607-9534-8334E82ACDFA.tmp"
Mon 9 Jun 2008 4,481,778 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS759EC83B-2813-468D-B31B-2086B1B74FE5.tmp"
Mon 9 Jun 2008 16,400 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS753C2619-35A4-4A8E-A862-1A2630AD2AE7.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS755D6B5A-ED24-428D-A7F9-194BFAAF9823.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS766D8AD0-4A76-472E-B6EB-240EE6662335.tmp"
Mon 9 Jun 2008 596 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7618218B-8483-405D-A18C-DC4ED93F5613.tmp"
Mon 9 Jun 2008 1,083,926 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS785C6175-DD27-4978-B4ED-25A25B6AB7D0.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7A8577C7-21C0-46C8-9D66-40A2C2E97D7B.tmp"
Mon 9 Jun 2008 938 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7EBB0B41-2F13-47BD-9E86-156D5E69A69F.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS806A8FEA-2225-48F7-B254-32A6F0DE7F64.tmp"
Mon 9 Jun 2008 7,282 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS847FD703-FC5A-4A67-AEC1-F4CBE2BC17D0.tmp"
Mon 9 Jun 2008 118,426 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8785EE4B-EE86-4D51-951C-F608EFC281F0.tmp"
Mon 9 Jun 2008 626 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS87A01088-545D-49D6-A70D-56805502B76F.tmp"
Mon 9 Jun 2008 79,908 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS885DD45E-F8B5-4589-A887-8566D007A618.tmp"
Mon 9 Jun 2008 2,862,252 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS89B93EA1-36B2-499E-B6DF-59C798E3048B.tmp"
Mon 9 Jun 2008 3,393 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS89FFEEB9-A803-4A90-8282-93180292792B.tmp"
Mon 9 Jun 2008 65,638 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8D7C8C37-C8FB-49DE-B20F-2C147DD08A08.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS943D4DB9-67E3-48D8-8018-265F0D54C30F.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS951B997A-C01D-447F-A00A-F5F36DAE5DCC.tmp"
Mon 9 Jun 2008 0 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9D526756-7F21-4E47-95B4-48E3B8C9F355.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9E88541E-40AB-4811-A7D5-B12A4F2CA742.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA06471C5-2EFA-416C-BC88-866445E4F38A.tmp"
Mon 9 Jun 2008 1,430,726 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA2E420F3-2B52-49AE-BE8C-E2DE31C9F74E.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA4AA6A3C-8792-42E1-9763-D47A297D0F8F.tmp"
Mon 9 Jun 2008 160 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA92E7C91-26B8-48F9-B49F-FA0FF02A1B0D.tmp"
Mon 9 Jun 2008 102 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAD2DE667-2561-45F9-B486-6C85B2BC00A8.tmp"
Mon 9 Jun 2008 204 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB530CA13-D05D-44C8-989A-31E0004503B5.tmp"
Mon 9 Jun 2008 1,744,767 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBA036869-BBB1-4979-919E-737E8B3BC24B.tmp"
Mon 9 Jun 2008 48 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBC049152-0147-4958-AA33-4F15FF744598.tmp"
Mon 9 Jun 2008 30 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBD4B5082-44DB-4B5C-AE4F-3862F239E5B5.tmp"
Mon 9 Jun 2008 121,016 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBE3F6E7B-D405-4A83-A97D-9FE2BF46D58E.tmp"
Mon 9 Jun 2008 652 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC089BCD9-FB56-4DF7-BFE3-F1CAC11C3EF6.tmp"
Mon 9 Jun 2008 27,287 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCAE684FF-FD8A-4CC2-9BB9-56764E015EDC.tmp"
Mon 9 Jun 2008 2,565 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCA982F1F-CB49-492B-8218-D78FBC2AE621.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCC60D5D9-0890-456A-8A3A-E5836C61DEDF.tmp"
Mon 9 Jun 2008 169 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCD503617-417B-4D50-97F3-78AD88F3F0D1.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCEEB8AB5-E538-48CB-B5A4-5C5207950687.tmp"
Mon 9 Jun 2008 502 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCE48C9FD-156A-408E-A23F-3786C91AADAA.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCF4FFAE9-87C9-422F-BBDC-EEBBC132517F.tmp"
Mon 9 Jun 2008 100 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD55ACF47-4E93-420E-99E7-CE9FC5E423E7.tmp"
Mon 9 Jun 2008 100 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD88B7986-4A3C-42D8-B841-18DAD7C204A3.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDBA87F29-6A26-4EBA-8058-AE20FEAD0426.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDE13878D-EEAF-44EC-AA77-170435A85EC3.tmp"
Mon 9 Jun 2008 50 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDF78A8EF-200E-4667-B878-BD76862A1CDF.tmp"
Mon 9 Jun 2008 432 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDF8EC964-8250-4A38-BDB2-DD2BD251503F.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE0B57DAC-0F28-4413-9052-62E70DDB18DC.tmp"
Mon 9 Jun 2008 124 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE8B04CD5-D112-4DC9-8051-F2C16EB896AD.tmp"
Mon 9 Jun 2008 642 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE905F36F-4BA8-48A7-AABD-4A64FB2CBA71.tmp"
Mon 9 Jun 2008 50 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE91A625D-30D6-41A1-A10D-4B974D89EF4E.tmp"
Mon 9 Jun 2008 100 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEF2812F7-3345-452A-88A7-68BFD90D1BCC.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF015D2E7-12A4-4835-B04E-6D0338C4C909.tmp"
Mon 9 Jun 2008 21,296 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF46ADDCD-8029-4B8B-8952-46582E4DF8BC.tmp"
Mon 9 Jun 2008 136 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF4999A69-F88C-4D1E-8494-C9B039638B04.tmp"
Mon 9 Jun 2008 8 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF77E94BF-7E0F-4F52-974B-8BA0B2A91B6F.tmp"
Mon 9 Jun 2008 910 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF9CA9F72-C150-4E25-AD6C-EC46FAC8E54B.tmp"
Mon 9 Jun 2008 120 A..H. --- "C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFC3F6ED1-D40C-488A-86A3-91B94BCB742C.tmp"
Thu 15 Aug 2002 65,088 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM"
Thu 15 Aug 2002 12,732 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM"
Thu 15 Aug 2002 26,424 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM"
Thu 15 Aug 2002 28,062 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM"
Thu 15 Aug 2002 10,710 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM"
Thu 15 Aug 2002 10,083 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM"
Thu 15 Aug 2002 10,257 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM"
Thu 15 Aug 2002 29,499 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM"
Thu 15 Aug 2002 12,660 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM"
Thu 15 Aug 2002 11,031 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM"
Thu 15 Aug 2002 17,952 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM"
Thu 15 Aug 2002 9,424 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM"
Thu 15 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM"
Thu 15 Aug 2002 13,673 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM"
Thu 15 Aug 2002 14,438 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM"
Thu 15 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM"
Thu 15 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM"
Thu 15 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM"
Thu 15 Aug 2002 7,243 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM"
Thu 15 Aug 2002 24,767 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM"
Thu 15 Aug 2002 7,463 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM"
Thu 15 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM"
Thu 15 Aug 2002 10,286 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM"
Thu 15 Aug 2002 25,460 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM"
Thu 15 Aug 2002 28,866 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM"
Thu 15 Aug 2002 14,438 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM"
Thu 15 Aug 2002 8,544 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys"
Thu 15 Aug 2002 33,149 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys"
Thu 15 Aug 2002 47,826 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS"
Thu 15 Aug 2002 35,340 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS"
Thu 15 Aug 2002 14,378 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS"
Thu 15 Aug 2002 37,984 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS"
Thu 15 Aug 2002 44,828 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS"
Thu 15 Aug 2002 29,628 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS"
Thu 15 Aug 2002 49,750 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS"
Thu 15 Aug 2002 49,242 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS"
Thu 15 Aug 2002 50,606 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS"
Thu 15 Aug 2002 161,792 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS"
Thu 15 Aug 2002 174,080 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys"
Thu 15 Aug 2002 21,971 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS"
Thu 15 Aug 2002 30,955 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS"
Thu 15 Aug 2002 202,517 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE"
Thu 15 Aug 2002 374,038 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE"
Thu 15 Aug 2002 22,158 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS"
Thu 15 Aug 2002 1,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM"
Thu 15 Aug 2002 15,345 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS"
Thu 15 Aug 2002 7,840 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS"
Thu 15 Aug 2002 56,821 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE"
Thu 15 Aug 2002 64,425 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS"
Thu 15 Aug 2002 32,396 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE"
Thu 15 Aug 2002 14,160 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS"
Thu 15 Aug 2002 10,898 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM"
Thu 15 Aug 2002 53,556 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS"
Thu 15 Aug 2002 15,777 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM"
Thu 15 Aug 2002 37,681 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM"
Thu 15 Aug 2002 354,304 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys"
Thu 15 Aug 2002 21,180 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE"
Thu 15 Aug 2002 354,263 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe"
Thu 15 Aug 2002 8,513 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM"
Thu 15 Aug 2002 41,302 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS"
Thu 15 Aug 2002 129,240 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE"
Thu 15 Aug 2002 28,439 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com"
Thu 15 Aug 2002 13,770 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE"
Thu 15 Aug 2002 130,980 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE"
Thu 15 Aug 2002 11,854 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM"
Thu 15 Aug 2002 52,715 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM"
Thu 15 Aug 2002 62,391 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM"
Thu 15 Aug 2002 11,491 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com"
Thu 15 Aug 2002 17,791 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com"
Thu 15 Aug 2002 17,043 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com"
Thu 15 Aug 2002 11,786 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com"
Thu 15 Aug 2002 18,300 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com"
Thu 15 Aug 2002 48,224 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com"
Thu 15 Aug 2002 13,360 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com"
Thu 15 Aug 2002 9,190 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com"
Thu 15 Aug 2002 12,567 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com"
Thu 15 Aug 2002 44,640 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM"
Thu 15 Aug 2002 56,896 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com"
Thu 15 Aug 2002 44,640 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com"
Thu 15 Aug 2002 9,692 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com"
Thu 15 Aug 2002 9,537 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM"
Thu 15 Aug 2002 32,484 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com"
Thu 15 Aug 2002 52,225 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe"
Thu 15 Aug 2002 48,491 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe"
Thu 15 Aug 2002 50,405 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com"
Thu 15 Aug 2002 33,860 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe"
Thu 15 Aug 2002 50,175 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe"
Thu 15 Aug 2002 50,795 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe"
Thu 15 Aug 2002 48,223 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com"
Thu 15 Aug 2002 48,641 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe"
Thu 15 Aug 2002 49,015 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com"
Thu 15 Aug 2002 53,786 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com"
Thu 15 Aug 2002 44,240 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM"
Thu 15 Aug 2002 42,550 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM"

Finished!

#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 15 June 2008 - 06:42 AM

Copy the text below to notepad and save it to the desktop with the name CFScript

Driver::
dmseroer
krnlsrvc
Poli0yAgent
Winfm42
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Poli0yAgent]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfm42.sys]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.17.1.58#MQshare]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b577cdd-06d5-11dd-b654-001b774b22e0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cb635b5-0fae-11dd-b668-001b774b22e0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88337ed5-820f-11dc-b5ef-001b774b22e0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f1ba12b-8785-11dc-b5f7-001b774b22e0}]

Once saved,drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed,post the new CombFix log.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#6 jfriel

jfriel
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 15 June 2008 - 06:48 AM

Unfortunately at the minute i can't copy & paste, and drag and drop so i dont think that next stage is going to work for me. My IT support guy just fed-ex'd me a replacement hard drive pre-installed with all the software i need to get back and running again and a case to put the old one in and connect via USB so i wont lose any important data.

If things arent well and good after swapping the drive out, i will try to continue with the process. Thanks for the help so far - much appreciated.

#7 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 15 June 2008 - 06:53 AM

You can probably run combofix by itself again and retrieve the use of those item.

Im betting you have several infected flash drives or other external drives,so if you get a new HDD and plug in an infected drive,guess what happens... :thumbsup:

Best idea at this point,is to use the infected machine and plug in every external drive you have and then run subs flash disinfector and combofix.

Flash Disinfector with some idea of what its about
http://experi3nc3.wordpress.com/2007/05/10...fector-by-subs/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users