XP infected with trojan.dnschanger rootkit.tdss rogue.smartp


Post by TOML » January 5th, 2010, 12:05 pm

On Jan 2 McAfee notified me that a virus was blocked. I ran free superantivirus. Many items were listed. After reboot, the system was unstable. Could not run malwarebytes or superantivirus. McAfee will not initialize. Did get malwarebytes and superantivirus to run in safe mode by using diff. names suggested. Superantivirus shows rogue.smartprotector. Malwarebytes shows trojan.dnschanger and rootkit.tdss. Both programs say they remove the malware but they never get removed. When I boot in normal mode, the system usually locks up. Had to rename HijackThis to install. Iexplore failures occur in both safe and normal boot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:28 AM, on 1/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [x] C:\documents and settings\rachel longawa\local settings\temp\x.exe
O4 - HKLM\..\Run: [g] C:\documents and settings\rachel longawa\local settings\temp\g.exe
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Idk277.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [53og36j] uliindev.exe
O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\xcSeMB2uk.exe" /runcleanupscript
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} -
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a1776.ff.fullaudio.com.edgesuite ... /setup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/acce ... ontrol.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12236 bytes
¡En español! Level 3 Take-Home Tutor
ABBYY FineReader 5.0 Sprint Plus
Access IBM
Access IBM Cleanup Utility
Access IBM Message Center
Access IBM Tools
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.4
AnswerWorks 4.0 Runtime - English
AOL Instant Messenger
Apple Software Update
ArcSoft Software Suite
AT&T Self Support Tool
AT&T Yahoo! Applications
BearShare
BUM
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Compatibility Pack for the 2007 Office system
Conexant SoftK56 Data Fax
Coupon Printer for Windows
Coupon Printer for Windows
CPA Test Prep
Critical Update for Windows Media Player 11 (KB959772)
EPSON Printer Software
Gleim's CPA Test Prep 4.2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
IBM 32-bit SDK for Java 2, v1.4.1
IBM Access Support
IBM Access Support - Local Content Pack
IBM DLA
IBM Rapid Access Keyboard (III, IIIe)
IBM RecordNow!
Intel(R) PRO Network Adapters and Drivers
InterActual Player
InterVideo WinDVD
iPod for Windows 2005-03-23
IrfanView (remove only)
iTunes
Java(TM) 6 Update 16
Junk Mail filter update
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft SharedView
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mouse Suite
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Napster
Napster Burn Engine
NTI Shadow
NTI Shadow
OCR Software by I.R.I.S 7.0
PC-Doctor for Windows
QuickTime
SBC Yahoo! DSL Activation
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Snood for Windows version 3.52-W
Sonic Update Manager
SoundMAX
SUPERAntiSpyware Free Edition
Support.com Software
Symantec Technical Support Web Controls
System Update
TaxCut Illinois 2008
TaxCut Indiana 2008
TaxCut Premium + State + Efile 2008
ThinkCentre Wallpaper
ToPicks
TurboTax Deluxe 2007
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Photos Easy Upload Tool 1v3
TOML
Regular Member
 
Posts: 15
Joined: January 4th, 2010, 6:22 pm

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Post by muppy03 » January 9th, 2010, 10:54 pm

Hello and welcome to Malware Removal Forums

IMPORTANT

Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:-
  • Continue to respond to this thread until I give you the All Clean!
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
  • Please follow all instructions in the order posted.
  • If you have any questions or do not understand instructions, please ask before continuing.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BearShare

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red). Also take note that remnants of the above program/s and any other P2P program found will be removed when cleaning.

While in add/remove programs I recommend also uninstalling the following:-

    Coupon Printer for Windows
    Coupon Printer for Windows
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

You also appear to have multiple Antivirus running:-

    McAfee
    Symantec


I am guessing the Symantec is leftovers. If this is the case please also uninstall:-

    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Symantec Technical Support Web Controls

Once the above is done please post a NEW HJT, done in normal mode if possible.
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
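One way to pre-screen a HijackThis log like the one posted above, as an added example that is not the forum's or HijackThis's own code: it parses O2/O3/O4/O23 lines and flags the patterns a helper looks at first (autoruns launched from a temp folder, Run value names that look random, bare file names resolved through the PATH, and orphaned entries whose file is missing). The heuristics, severity labels and the sample lines (modelled on the thread's log with a placeholder user name) are constructed for this example.

```python
"""Triage helper for HijackThis 2.0.2 log lines (added example, not HJT code).

Reports entries a volunteer helper would look at first. Heuristics and
severity levels are assumptions of this example, not HijackThis features.
"""
import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command" ; only the line types handled here are parsed.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SUSPICIOUS_NAME_CHARS = re.compile(r"[#@$%^]")  # legit value names rarely contain these


@dataclass
class Finding:
    kind: str       # HJT line type, e.g. "O4"
    severity: str   # "high", "medium", "low" or "info"
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Program part of a Run value: the quoted token if quoted, otherwise the
    text up to the first .exe/.cpl/.dll followed by a space, comma or end."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|cpl|dll))(?:\s|,|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic: one- or two-character names, odd punctuation, or a high share
    of digits (e.g. 53og36j) are typical of generated autorun names."""
    stripped = name.replace(" ", "")
    if len(stripped) <= 2 or SUSPICIOUS_NAME_CHARS.search(stripped):
        return True
    digits = sum(c.isdigit() for c in stripped)
    return digits / len(stripped) >= 0.4


def triage_line(line: str) -> list:
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    findings = []
    # BHOs, toolbars and services whose file is gone are leftovers to clean up.
    if kind in ("O2", "O3", "O23") and ("(no file)" in body or "(file missing)" in body):
        findings.append(Finding(kind, "low", "orphaned entry: target file not present", line))
    if kind == "O4":
        o4 = O4_RE.match(body)
        if o4:
            name, exe = o4.group("name"), executable_of(o4.group("cmd"))
            low = exe.lower()
            if "\\temp\\" in low or "\\temporary internet files\\" in low:
                findings.append(Finding(kind, "high", "autorun launches from a temp directory", line))
            if looks_random(name):
                findings.append(Finding(kind, "medium", f"unusual Run value name {name!r}", line))
            if "\\" not in exe:
                findings.append(Finding(kind, "info", "bare file name; resolved via PATH search order", line))
    return findings


def triage(log_text: str) -> list:
    return [f for line in log_text.strip().splitlines() for f in triage_line(line)]


def severity_counts(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample, modelled on the thread's first log with a placeholder user name.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [x] C:\documents and settings\someuser\local settings\temp\x.exe
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Idk277.exe
O4 - HKLM\..\Run: [53og36j] uliindev.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.line}")
```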

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Post by TOML » January 10th, 2010, 11:16 am

Sorry about the P2P. Didn't remember I had it or what it was! In safe mode I deleted all of the coupon book and some of the other items. Two of the Symantec products could not be removed in safe mode, update notice and tech support. I booted in regular mode, which has not worked recently until now. So I deleted these in regular mode. I also ran HijackThis from regular mode.
Thanks!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:06 AM, on 1/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Napster\napster.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [x] C:\documents and settings\rachel longawa\local settings\temp\x.exe
O4 - HKLM\..\Run: [g] C:\documents and settings\rachel longawa\local settings\temp\g.exe
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Idk277.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [53og36j] uliindev.exe
O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\xcSeMB2uk.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} -
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a1776.ff.fullaudio.com.edgesuite ... /setup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/acce ... ontrol.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 13692 bytes
TOML
Regular Member
 
Posts: 15
Joined: January 4th, 2010, 6:22 pm

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby TOML » January 10th, 2010, 11:51 am

I forgot to include the latest uninstall list.
¡En español! Level 3 Take-Home Tutor
ABBYY FineReader 5.0 Sprint Plus
Access IBM
Access IBM Cleanup Utility
Access IBM Message Center
Access IBM Tools
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.4
AnswerWorks 4.0 Runtime - English
AOL Instant Messenger
Apple Software Update
ArcSoft Software Suite
AT&T Self Support Tool
AT&T Yahoo! Applications
BUM
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Compatibility Pack for the 2007 Office system
Conexant SoftK56 Data Fax
CPA Test Prep
Critical Update for Windows Media Player 11 (KB959772)
EPSON Printer Software
Gleim's CPA Test Prep 4.2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
IBM 32-bit SDK for Java 2, v1.4.1
IBM Access Support
IBM Access Support - Local Content Pack
IBM DLA
IBM Rapid Access Keyboard (III, IIIe)
IBM RecordNow!
Intel(R) PRO Network Adapters and Drivers
InterActual Player
InterVideo WinDVD
iPod for Windows 2005-03-23
IrfanView (remove only)
iTunes
Java(TM) 6 Update 16
Junk Mail filter update
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft SharedView
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mouse Suite
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Napster
Napster Burn Engine
NTI Shadow
NTI Shadow
OCR Software by I.R.I.S 7.0
PC-Doctor for Windows
QuickTime
SBC Yahoo! DSL Activation
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Snood for Windows version 3.52-W
Sonic Update Manager
SoundMAX
SUPERAntiSpyware Free Edition
Support.com Software
System Update
TaxCut Illinois 2008
TaxCut Indiana 2008
TaxCut Premium + State + Efile 2008
ThinkCentre Wallpaper
ToPicks
TurboTax Deluxe 2007
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Photos Easy Upload Tool 1v3
TOML
Regular Member
 
Posts: 15
Joined: January 4th, 2010, 6:22 pm

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby muppy03 » January 10th, 2010, 5:19 pm

Open HijackThis and select Do a System Scan Only. Place a check next to the lines below if still present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html <http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com <http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com>
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html <http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html>
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com <http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com>
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} -
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)


Once selected, close all windows except HJT and click on Fix Checked.

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image
Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please reply with:-
  • Combofix log
  • New HJT log
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
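
As an added illustration of the kinds of entries a helper singles out above (example code written for this edit, not part of the thread, of HijackThis or of ComboFix), the following Python script triages HijackThis log lines with a few defensive heuristics: orphaned entries ("(no file)" / "(file missing)"), O4 autoruns launched from a user's Temp folder, random-looking autorun names, bare-filename targets, and O16 ActiveX (DPF) entries with no source URL. The sample lines are copied from the logs in this thread; the regexes and heuristics are this example's own assumptions, not rules HijackThis itself applies.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not part of the original thread or of HijackThis. The
heuristics below are assumptions chosen to mirror what a forum helper
looks for; they flag entries for review, they do not prove malice.
"""
import re
from dataclasses import dataclass

# Markers HJT prints when a registered target no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Per-user Temp folder on Windows XP (assumed pattern, case-insensitive).
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)
# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# "O16 - DPF: {GUID} (description) - url"   (description and url may be absent)
O16_RE = re.compile(
    r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>.*)$"
)


@dataclass
class Finding:
    line: str
    reasons: tuple


def looks_random(name: str) -> bool:
    """Heuristic for autorun value names: single letters, names containing
    symbols vendors do not use, or short letter/digit blobs."""
    bare = name.strip()
    if len(bare) <= 1:                      # e.g. [x], [g]
        return True
    if re.search(r"[#@$%]", bare):          # e.g. [3SAHCS#4MABT@T]
        return True
    if " " in bare or "." in bare:          # "QuickTime Task", "ctfmon.exe"
        return False
    has_digit = any(c.isdigit() for c in bare)
    has_alpha = any(c.isalpha() for c in bare)
    return has_digit and has_alpha and len(bare) <= 14   # e.g. [53og36j]


def triage_line(line: str) -> list:
    """Return the (possibly empty) list of reasons to review one HJT line."""
    line = line.strip()
    reasons = []
    if any(marker in line for marker in ORPHAN_MARKERS):
        reasons.append("orphan: target no longer exists, safe to remove")
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if TEMP_RE.search(cmd):
            reasons.append("autorun launched from a user Temp folder")
        if looks_random(name):
            reasons.append("random-looking autorun name")
        if cmd and "\\" not in cmd and ":" not in cmd:
            reasons.append("autorun target given without a path (resolved via PATH)")
    m = O16_RE.match(line)
    if m and not m.group("url"):
        reasons.append("ActiveX DPF entry with no source URL")
    return reasons


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and collect flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append(Finding(raw.strip(), tuple(reasons)))
    return findings


# Sample input: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [x] C:\documents and settings\rachel longawa\local settings\temp\x.exe
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Idk277.exe
O4 - HKLM\..\Run: [53og36j] uliindev.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```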

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby TOML » January 11th, 2010, 12:08 am

I found all of the references you wanted checked for the HJT Fix run. The system booted after I executed HJT but locked up. I had to boot in safe mode for ComboFix to run. I had to rename the program to get it to execute. It ran fine but discovered that I did not have Windows Recovery Console installed. It did say it discovered and removed H8SRT components. It then rebooted in regular mode and went through several reboots. I could see my McAfee and Superantivirus start, which didn't work since Jan 2. I was afraid to try and stop these programs after the reboot since ComboFix said to not run any programs. Visibly, the desktop looks like it is back in order. I will resist running anything until you see the logs.
Thank You Very Much!
ComboFix 10-01-04.01 - Thomas Longawa 01/10/2010 21:27:59.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.512 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\momboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rachel Longawa\My Documents\ZbThumbnail.info
c:\documents and settings\Thomas Longawa\My Documents\ZbThumbnail.info
c:\windows\EventSystem.log
c:\windows\patch.exe
c:\windows\system32\drivers\H8SRTtblogdmrdi.sys
c:\windows\system32\H8SRTijddswvctb.dll
c:\windows\system32\H8SRTqabhihdmqp.dll
c:\windows\system32\H8SRTwemhicdwqn.dll
c:\windows\system32\H8SRTwiovacapqn.dat
c:\windows\system32\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-10 14:13 . 2010-01-10 14:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-07 21:08 . 2010-01-07 21:08 53296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 14:51 . 2010-01-05 14:51 -------- d-----w- c:\program files\Trend Micro
2010-01-05 03:59 . 2010-01-10 14:59 846 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-03 17:42 . 2010-01-03 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-03 14:58 . 2010-01-03 14:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-03 05:05 . 2010-01-03 05:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 15:00 . 2008-10-07 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-10 14:51 . 2004-07-12 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-10 14:51 . 2004-07-12 04:25 -------- d-----w- c:\program files\Viewpoint
2010-01-05 13:21 . 2010-01-03 22:19 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-05 13:21 . 2010-01-03 14:58 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-05 13:20 . 2009-09-03 17:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-03 11:28 . 2009-09-03 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 05:24 . 2010-01-03 05:24 696832 ----a-w- c:\windows\isRS-000.tmp
2010-01-02 22:52 . 2009-12-20 01:03 52224 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-02 22:52 . 2009-09-03 17:30 117760 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 20:55 . 2009-09-03 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 20:54 . 2009-09-03 16:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 01:40 . 2008-07-26 17:15 -------- d-----w- c:\documents and settings\Thomas Longawa\Application Data\ZoomBrowser EX
2009-12-10 20:07 . 2009-11-30 19:05 127325 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks\uninstall.exe
2009-12-10 20:07 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-10 20:07 . 2007-05-17 01:08 -------- d--h--w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks
2009-12-03 12:48 . 2009-12-03 12:48 79488 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-19 12:53 . 2009-04-01 00:59 -------- d-----w- c:\program files\McAfee
2009-11-12 05:12 . 2009-09-02 21:16 -------- d-----w- c:\documents and settings\Thomas Longawa\Application Data\HpUpdate
2009-10-29 07:45 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 1980-01-01 07:00 270336 ----a-w- c:\windows\system32\oakley.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-16 581632]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-03 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-17 3022848]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-09-05 114741]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2002-07-01 40960]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-16 581632]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
"IBM Warranty Notification"="c:\program files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-13 106496]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"NapsterShell"="c:\program files\Napster\napster.exe" [2007-12-10 323216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-26 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\xcSeMB2uk.exe" [2010-01-03 1389904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-11 11:13 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Java141\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/31/2009 7:04 PM 203280]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]
S0 epjeqg;epjeqg;c:\windows\system32\drivers\uixe.sys --> c:\windows\system32\drivers\uixe.sys [?]
S0 jemlesr;jemlesr;c:\windows\system32\drivers\fkxq.sys --> c:\windows\system32\drivers\fkxq.sys [?]
S0 ydyqo;ydyqo;c:\windows\system32\drivers\udyfy.sys --> c:\windows\system32\drivers\udyfy.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

NETSVCS REQUIRES REPAIRS - current entries shown

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-01 17:22]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-01 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA}
DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} - hxxp://a1776.ff.fullaudio.com.edgesuite ... /setup.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-tgcmd - (no file)
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-tgcmd - (no file)
HKLM-Run-3SAHCS#4MABT@T - c:\windows\System32\Idk277.exe
HKLM-Run-Dsi - c:\windows\System32\dp-him.exe
HKLM-Run-ToPicks Starter - c:\program files\ToPicks\Bin\Idhost.exe
HKLM-Run-53og36j - uliindev.exe
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
AddRemove-SBC Yahoo! UMUninstaller - c:\program files\SBC Yahoo!\umuninst.exe
AddRemove-ToPicks - c:\program files\Topicks\Bin\IdmUn.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ToPicks Starter = c:\program files\ToPicks\Bin\Idhost.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\@*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\@*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\d*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\d*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\l*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\l*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\P*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\P*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\t*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\t*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\X*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\X*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¨*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¨*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¼*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¼*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\S¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\S¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ ¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ ¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¬ ¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¬ ¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\Contains]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\DownloadInformation]
@DACL=(02 0000)
"CODEBASE"="http://www.originalicons.com/members/arrtv.cab"
"INF"="c:\\WINDOWS\\Downloaded Program Files\\ATPartners.inf"

[HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\InstalledVersion]
@DACL=(02 0000)
@="3,0,0,1"
"LastModified"="Tue, 30 Mar 2004 23:43 GMT"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2128)
c:\windows\system32\WININET.dll
c:\windows\system32\SKHOOKS.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\SKUsbKbd.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\ICO.EXE
c:\windows\system32\SKDAEMON.EXE
c:\windows\system32\Pelmiced.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-01-10 22:03:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 04:03

Pre-Run: 39,939,297,280 bytes free
Post-Run: 41,228,173,312 bytes free

- - End Of File - - 581C89EBA3B139B95E567BC1324C0D71
TOML
Regular Member
 
Posts: 15
Joined: January 4th, 2010, 6:22 pm

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby muppy03 » January 11th, 2010, 3:55 am

TOML wrote:
I will resist running anything until you see the logs.

Please resist strongly :)



With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Scroll down to Step 1 (where it says: Step 1: Download the Setup disk program), & select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.
    Note: If you have SP3, use the SP2 package.
  • Save the file to the desktop of your computer
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Drag the setup package onto ComboFix.exe and drop it
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console
  • At the next prompt, click No to exit

Please let me know if the Recovery Console was installed in your next post

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
     :reg
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost /s

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please reply with:
  • New HJT log
  • SystemLook txt
  • and whether the Recovery Console was installed
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby TOML » January 11th, 2010, 12:10 pm

FYI, McAfee downloaded a new version of code when I booted. It must have been out of sync. The install went O.K. I downloaded the Recovery Console code and ran ComboFix. It installed the Recovery Console and scanned the system. No errors popped up. I installed SystemLook. It ran very fast. Here is the HJT log and SystemLook txt.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:45 AM, on 1/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\xcSeMB2uk.exe" /runcleanupscript
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} -
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a1776.ff.fullaudio.com.edgesuite ... /setup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/acce ... ontrol.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: McAfee Application Installer Cleanup (0191521263221494) (0191521263221494mcinstcleanup) - Unknown owner - C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\019152~1.EXE (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 12057 bytes
SystemLook v1.0 by jpshortstuff (10.01.10)
Log created at 10:01 on 11/01/2010 by Thomas Longawa (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"DcomLaunch"="DcomLaunch TermService"
"dot3svc"="dot3svc"
"eapsvcs"="eaphost"
"HTTPFilter"="HTTPFilter"
"imgsvc"="StiSvc"
"LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt TermService wuauserv BITS ShellHWDetection helpsvc WmdmPmSN xmlprov wscsvc napagent hkmsvc"
"NetworkService"="DnsCache"
"rpcss"="RpcSs"
"termsvcs"="TermService"
"WudfServiceGroup"="WUDFSvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\DComLaunch]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\dot3svc]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\eapsvcs]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\HTTPFilter]
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService]
"AuthenticationCapabilities"= 0x0000002000 (8192)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\PCHealth]
"AuthenticationCapabilities"= 0x0000000040 (64)
"CoInitializeSecurityParam"= 0x0000000002 (2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\termsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)


-=End Of File=-
TOML
Regular Member
 
Posts: 15
Joined: January 4th, 2010, 6:22 pm
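The Svchost key that muppy03 asked for and TOML posted above lists which service names each svchost.exe instance is allowed to host. A service DLL that gets its name appended to one of these groups (netsvcs is the usual target) runs inside a legitimate svchost.exe process, which is why a helper compares this key against a clean machine. The script below is an added example written for this page, not part of the thread and not a SystemLook or ComboFix feature: it parses a ':reg ... Svchost /s' dump in the layout shown in TOML's log and reports groups and service names that differ from a reference dump. Both dumps are constructed, trimmed excerpts, and the names "xyzsvc" and "xyzgroup" are hypothetical injected entries for the demonstration; nothing here asserts that the list in TOML's log is clean or dirty.

```python
"""Diff svchost service-group membership between two SystemLook ':reg' dumps."""
import re
from typing import Dict, List

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

# Constructed reference dump (trimmed excerpt in SystemLook's ":reg ... /s" layout).
# Stands in for a dump taken from a known-clean machine with the same OS and SP.
REFERENCE_DUMP = r"""
========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"DcomLaunch"="DcomLaunch TermService"
"LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem"
"NetworkService"="DnsCache"
"rpcss"="RpcSs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)
"""

# Constructed suspect dump: "xyzsvc" appended to netsvcs and the whole "xyzgroup"
# group are hypothetical injected entries, not names taken from TOML's logs.
SUSPECT_DUMP = r"""
========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"DcomLaunch"="DcomLaunch TermService"
"LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem xyzsvc"
"NetworkService"="DnsCache"
"rpcss"="RpcSs"
"xyzgroup"="xyzsvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\xyzgroup]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"""

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def parse_svchost_groups(dump: str) -> Dict[str, List[str]]:
    """Return {group: [service names]} read from the Svchost key itself.

    Subkeys such as ...\Svchost\netsvcs only carry DWORD tuning values, so
    membership is taken solely from the block headed by the exact Svchost key.
    SystemLook prints each REG_MULTI_SZ group as one space-separated string.
    """
    groups: Dict[str, List[str]] = {}
    in_svchost_key = False
    for raw in dump.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            in_svchost_key = key.group(1).lower() == SVCHOST_KEY.lower()
            continue
        if not in_svchost_key:
            continue
        value = _STRING_VALUE.match(line)
        if value:
            groups[value.group(1)] = value.group(2).split()
    return groups


def diff_svchost_groups(reference: str, suspect: str) -> Dict[str, Dict[str, List[str]]]:
    """Report groups and service names present in one dump but not the other."""
    ref = parse_svchost_groups(reference)
    sus = parse_svchost_groups(suspect)
    report: Dict[str, Dict[str, List[str]]] = {
        "added_groups": {}, "removed_groups": {},
        "added_services": {}, "removed_services": {},
    }
    for name in sus.keys() - ref.keys():
        report["added_groups"][name] = sus[name]
    for name in ref.keys() - sus.keys():
        report["removed_groups"][name] = ref[name]
    for name in ref.keys() & sus.keys():
        ref_set, sus_set = set(ref[name]), set(sus[name])
        if sus_set - ref_set:
            report["added_services"][name] = sorted(sus_set - ref_set)
        if ref_set - sus_set:
            report["removed_services"][name] = sorted(ref_set - sus_set)
    return report


if __name__ == "__main__":
    for category, entries in diff_svchost_groups(REFERENCE_DUMP, SUSPECT_DUMP).items():
        for group, services in entries.items():
            print(f"{category}: {group} -> {' '.join(services)}")
```

Group membership legitimately differs between Windows versions and service packs, so the reference dump must come from a clean machine with the same OS and SP as the suspect one. Each name the diff flags should then be looked up under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters (the ServiceDll value) to see which file svchost.exe would actually load for it.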

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby muppy03 » January 11th, 2010, 5:01 pm

TOML wrote:
I downloaded the recovery console code and ran ComboFix.


I did not need ComboFix to run, but since it did, can you post the log it created, please? It can be found in C:\Combofix.
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby TOML » January 11th, 2010, 5:55 pm

I believe ComboFix ran on its own when I dropped the recovery console code on top of ComboFix.

ComboFix 10-01-04.01 - Thomas Longawa 01/11/2010 9:49.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.349 [GMT -6:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\Thomas Longawa\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-11 14:51 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-11 14:50 . 2010-01-11 14:51 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-11 14:50 . 2010-01-11 14:51 -------- d-----w- c:\program files\McAfee.com
2010-01-11 14:50 . 2010-01-11 14:50 -------- d-----w- c:\windows\LastGood
2010-01-11 14:50 . 2010-01-11 14:54 -------- d-----w- c:\program files\McAfee
2010-01-10 14:13 . 2010-01-10 14:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-07 21:08 . 2010-01-07 21:08 53296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 14:51 . 2010-01-05 14:51 -------- d-----w- c:\program files\Trend Micro
2010-01-05 03:59 . 2010-01-10 14:59 846 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-03 22:19 . 2010-01-05 13:21 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-03 17:42 . 2010-01-03 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-03 14:58 . 2010-01-05 13:21 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-03 14:58 . 2010-01-03 14:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-03 05:05 . 2010-01-03 05:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-12-20 01:03 . 2010-01-02 22:52 52224 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 14:57 . 2009-04-01 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-10 15:00 . 2008-10-07 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-10 14:51 . 2004-07-12 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-10 14:51 . 2004-07-12 04:25 -------- d-----w- c:\program files\Viewpoint
2010-01-05 13:20 . 2009-09-03 17:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-03 11:28 . 2009-09-03 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 05:24 . 2010-01-03 05:24 696832 ----a-w- c:\windows\isRS-000.tmp
2010-01-02 22:52 . 2009-09-03 17:30 117760 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 20:55 . 2009-09-03 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 20:54 . 2009-09-03 16:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 01:40 . 2008-07-26 17:15 -------- d-----w- c:\documents and settings\Thomas Longawa\Application Data\ZoomBrowser EX
2009-12-10 20:07 . 2009-11-30 19:05 127325 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks\uninstall.exe
2009-12-10 20:07 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-10 20:07 . 2007-05-17 01:08 -------- d--h--w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks
2009-12-03 12:48 . 2009-12-03 12:48 79488 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-04 22:54 . 2009-04-01 01:00 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 22:54 . 2009-04-01 01:00 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 22:54 . 2009-04-01 01:00 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 22:54 . 2009-04-01 01:00 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:45 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-16 581632]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-03 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-17 3022848]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-09-05 114741]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2002-07-01 40960]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-16 581632]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
"IBM Warranty Notification"="c:\program files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-13 106496]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"NapsterShell"="c:\program files\Napster\napster.exe" [2007-12-10 323216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-26 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\xcSeMB2uk.exe" [2010-01-03 1389904]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-11 11:13 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Java141\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/11/2010 8:54 AM 203280]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]
S0 epjeqg;epjeqg;c:\windows\system32\drivers\uixe.sys --> c:\windows\system32\drivers\uixe.sys [?]
S0 jemlesr;jemlesr;c:\windows\system32\drivers\fkxq.sys --> c:\windows\system32\drivers\fkxq.sys [?]
S0 ydyqo;ydyqo;c:\windows\system32\drivers\udyfy.sys --> c:\windows\system32\drivers\udyfy.sys [?]
S2 0191521263221494mcinstcleanup;McAfee Application Installer Cleanup (0191521263221494);c:\docume~1\THOMAS~1\LOCALS~1\Temp\019152~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\THOMAS~1\LOCALS~1\Temp\019152~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MCAFEE_SITEADVISOR_SERVICE
*NewlyCreated* - MCMSCSVC
*NewlyCreated* - MCNASVC
*NewlyCreated* - MCPROXY
*NewlyCreated* - MCSHIELD
*NewlyCreated* - MCSYSMON
*NewlyCreated* - MPFSERVICE
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-01-11 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-11 18:22]

2010-01-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA}
DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} - hxxp://a1776.ff.fullaudio.com.edgesuite ... /setup.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 09:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\@*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\@*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\d*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\d*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\l*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\l*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\P*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\P*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\t*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\t*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\X*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\X*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¨*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¨*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¼*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¼*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\S¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\S¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ ¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ ¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¬ ¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¬ ¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\Contains]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\DownloadInformation]
@DACL=(02 0000)
"CODEBASE"="http://www.originalicons.com/members/arrtv.cab"
"INF"="c:\\WINDOWS\\Downloaded Program Files\\ATPartners.inf"

[HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\InstalledVersion]
@DACL=(02 0000)
@="3,0,0,1"
"LastModified"="Tue, 30 Mar 2004 23:43 GMT"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3928)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\SKHOOKS.dll
c:\windows\system32\SKUsbKbd.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
Completion time: 2010-01-11 09:57:26
ComboFix-quarantined-files.txt 2010-01-11 15:57
ComboFix2.txt 2010-01-11 04:03

Pre-Run: 41,350,938,624 bytes free
Post-Run: 41,324,695,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 31B86FE94AA426BC4EE8B1FD46FF8A3F
TOML
Regular Member
 
Posts: 15
Joined: January 4th, 2010, 6:22 pm

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Post by muppy03 » January 11th, 2010, 11:22 pm

Please update me on issues after doing the following :)

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\windows\system32\krl32mainweq.dll
    c:\windows\isRS-000.tmp
     
    Folder::
    c:\documents and settings\All Users\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\program files\Viewpoint
    
    DDS::
    Trusted Zone: 0.0.0.0
    Trusted Zone: motive.com\patttbc.att
    Trusted Zone: turbotax.com
    DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA}
    DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} - hxxp://a1776.ff.fullaudio.com.edgesuite ... /setup.cab
    
    Driver::
    epjeqg
    ydyqo 
    
    Regnull::
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\@*¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\@*¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\d*¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\d*¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\l*¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\l*¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\P*¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\P*¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\t*¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\t*¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\X*¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\X*¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¨*¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¨*¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¼*¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¼*¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\S ¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\S ¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\  ¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\  ¬ 5*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¬ ¬ 4*]
    
    [HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¬ ¬ 5*]
    
    Reglock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\Contains]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\DownloadInformation]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{00000EF1-0786-4633-87C6-1AA7A44296DA}\InstalledVersion]
    
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-
  • Combofix log
  • New HJT log
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Post by TOML » January 12th, 2010, 1:29 am

Here is the ComboFix Log and HJT.
Thanks!
ComboFix 10-01-11.03 - Thomas Longawa 01/11/2010 22:54:09.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.406 [GMT -6:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\Thomas Longawa\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\isRS-000.tmp"
"c:\windows\system32\krl32mainweq.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\1.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\1.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\10.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\10.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-18_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-19_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-20_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-21_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-22_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-23_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-24_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-25_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-26_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-27_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-28_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-29_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-30_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2009-03-31_Log.ALUSchedulerSvc.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\3.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\3.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\4.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\4.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\5.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\5.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\6.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\6.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\7.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\7.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\8.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\8.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\9.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\9.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Configuration.Log.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1173735233jtun_coh6061.rar.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1175028871jtun_enid0314.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1177008682jtun_syknapps_engine.zip.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1179854937jtun_ecfw0509.x04.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1182386808jtun_allbb332-003-0514.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1185988839jtun_ecfw0709.x03.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1191865398jtun_xale0920.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1194300122jtun_lu32update.zip.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1196828001jtun_enap1201.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1200939859jtun_ecfw0726.x01.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1200939859jtun_ecfw0906.x08.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1202162353jtun_enpc0720.x04.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1203515784jtun_the_updecabi.zip.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1205173331jtun_enis0305.x02.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1208230618jtun_pif145.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1209776195jtun_hbpatch07.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1211248484jtun_the_scd.zip.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1212203017jtun_ensi0529.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1216071802jtun_firstexpirationpif.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1217267862jtun_symltcom.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1217886103jtun_coh32.rar.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1217886497jtun_cohdata.rar.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1218481624jtun_systemrestore.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1221748907jtun_nav2k7ennful25.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1222720686jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1222720686jtun_nisenidfull25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1222722077jtun_the_syknapps_engine.zip.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223011776jtun_npc.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223302829jtun_nav2k7enncur25.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223360614jtun_the_81006056.zip.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223384391jtun_enfwcful.380.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223388702jtun_nav2k7en81006006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223392405jtun_81006056.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223475165jtun_nav2k7en81007003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223481309jtun_81007018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223561222jtun_nav2k7en81008003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223567659jtun_81008021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223583797jtun_nisenid09md25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223583797jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223598855jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223651165jtun_nav2k7en81009003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223694652jtun_81009021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223735723jtun_nav2k7en81010004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223820413jtun_nav2k7en81011003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223906682jtun_nav2k7en81012001.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223916189jtun_81010037.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223963553jtun_ensr1003.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223981007jtun_nav2k7en81013003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1223995662jtun_81013020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224021736jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224080095jtun_nav2k7en81014002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224087420jtun_81014017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224144706jtun_enfwc380.382.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224166060jtun_nav2k7en81015003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224172286jtun_81015019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224255178jtun_nav2k7en81016004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224339422jtun_nav2k7en81017003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224425422jtun_nav2k7en81018004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224512805jtun_nav2k7en81019003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224515323jtun_81016019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224599347jtun_nav2k7en81020003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224603957jtun_81020019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224684340jtun_nav2k7en81021003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224690479jtun_81021019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224776425jtun_nav2k7en81022006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224780309jtun_81022018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224821767jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224839192jtun_nav2k7en81023003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224870216jtun_nav2k7en81023041.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1224945749jtun_nav2k7en81024006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225034527jtun_nav2k7en81025003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225116417jtun_nav2k7en81026007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225120512jtun_81023018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225202825jtun_nav2k7en81027003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225208737jtun_81027020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225225886jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225288270jtun_nav2k7en81028004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225295007jtun_81028020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225334608jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225376589jtun_nav2k7en81029003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225380824jtun_81029018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225464212jtun_nav2k7en81030003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225467373jtun_81030019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225475124jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225549201jtun_nav2k7en81031007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225640192jtun_nav2k7en81101003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225688937jtun_enfwc382.383.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225724352jtun_nav2k7en81102004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225728366jtun_81031019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225812689jtun_nav2k7en81103003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225816682jtun_81103020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225849700jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225865360jtun_enfwc383.384.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225898972jtun_nav2k7en81104003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225903280jtun_81104018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225982698jtun_nav2k7en81105004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1225988878jtun_81105019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226022501jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226075366jtun_nav2k7en81106004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226082065jtun_81106020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226124750jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226156829jtun_nav2k7en81107008.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226244431jtun_nav2k7en81108004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226329067jtun_nav2k7en81109003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226337508jtun_81107021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226429049jtun_81110021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226449447jtun_nav2k7en81110003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226467687jtun_enfwc384.385.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226501972jtun_nav2k7en81111019.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226514560jtun_81111017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226591633jtun_nav2k7en81112003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226594432jtun_81112034.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226614113jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226671213jtun_nav2k7en81113004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226686107jtun_81113018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226713858jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226761082jtun_nav2k7en81114004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226846897jtun_nav2k7en81115003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226914087jtun_enfwc385.386.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226933928jtun_nav2k7en81116003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226941187jtun_81114021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1226972793jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227020703jtun_nav2k7en81117002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227026441jtun_81117020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227053909jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227121829jtun_81118019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227134177jtun_nav2k7en81118002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227191019jtun_nav2k7en81119017.m25
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227200537jtun_81119025.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227221669jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227279706jtun_nav2k7en81120003.m25
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227288319jtun_81120021.skn
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227366619jtun_nav2k7en81121003.m25
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227450660jtun_nav2k7en81122003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227537409jtun_nav2k7en81123004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227541870jtun_81121020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227583588jtun_nisenid10md25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227583588jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227624510jtun_nav2k7en81124003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227636278jtun_81124019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227659194jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227709747jtun_nav2k7en81125004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227718014jtun_81125020.skn
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227800217jtun_81126019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227804288jtun_nav2k7en81126003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227893533jtun_81127020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227918513jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227921609jtun_nav2k7en81126003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1227970650jtun_nav2k7en81128033.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228056574jtun_nav2k7en81129002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228109763jtun_enfwc386.387.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228142617jtun_nav2k7en81130004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228150212jtun_81128017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228229250jtun_nav2k7en81201006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228234012jtun_81201020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228262435jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228315164jtun_81202018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228318712jtun_nav2k7en81202004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228361374jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228400626jtun_nav2k7en81203004.m25
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228404281jtun_81203018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228492291jtun_81204009.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228495207jtun_nav2k7en81204003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228574244jtun_nav2k7en81205008.m25
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228592798jtun_nisenid11md25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228592798jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228661740jtun_nav2k7en81206003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228747908jtun_nav2k7en81207005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228752439jtun_81205017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228833259jtun_nav2k7en81208003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228837225jtun_81208018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228882783jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228922466jtun_81209018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228924236jtun_nav2k7en81209003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228939878jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1228964980jtun_81210020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229017651jtun_81210053.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229054550jtun_nav2k7en81210009.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229095795jtun_nav2k7en81211048.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229099474jtun_81211020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229179365jtun_nav2k7en81212004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229267381jtun_nav2k7en81213002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229294348jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229325369jtun_enfwc387.388.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229352266jtun_nav2k7en81214003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229437425jtun_nav2k7en81215004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229441557jtun_81212019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229524388jtun_nav2k7en81216003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229529122jtun_81216018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229610582jtun_nav2k7en81217003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229690345jtun_enfwc388.389.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229706868jtun_nav2k7en81218007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229709047jtun_81217019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229786860jtun_nav2k7en81219005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229870990jtun_nav2k7en81220003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229958137jtun_nav2k7en81221020.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1229965717jtun_81219023.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230054641jtun_nav2k7en81222005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230057468jtun_81222021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230129176jtun_nav2k7en81223020.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230134602jtun_81223024.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230215021jtun_nav2k7en81224002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230220516jtun_81224019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230303956jtun_nav2k7en81225002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230307437jtun_81225021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230394198jtun_nav2k7en81226002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230477021jtun_nav2k7en81227002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230562267jtun_nav2k7en81228003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230590743jtun_81226020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230648653jtun_nav2k7en81229003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230655045jtun_81229037.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230717823jtun_enfwc389.390.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230736790jtun_81230020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230738653jtun_nav2k7en81230004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230819017jtun_81231018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230821112jtun_nav2k7en81231003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230907763jtun_nav2k7en90101005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230911718jtun_90101016.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1230998984jtun_nav2k7en90102006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231080288jtun_nav2k7en90103003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231166171jtun_nav2k7en90104003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231168858jtun_90102018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231194267jtun_ensi0820.x00.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231209252jtun_nisenid12md25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231209252jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231253316jtun_nav2k7en90105009.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231256575jtun_90105020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231338615jtun_nav2k7en90106004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231345725jtun_90106021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231429965jtun_nav2k7en90107002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231434148jtun_90107019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231513325jtun_nav2k7en90108007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231517359jtun_90108018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231597865jtun_nav2k7en90109003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231685369jtun_nav2k7en90110003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231772066jtun_nav2k7en90111004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231776191jtun_90109017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231865141jtun_90112017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231882339jtun_nav2k7en90112003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231950480jtun_90113020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1231951809jtun_nav2k7en90113024.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232016651jtun_enfwc390.391.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232035141jtun_nav2k7en90114017.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232046914jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232065846jtun_90114019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232124255jtun_nav2k7en90115004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232127655jtun_90115020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232207399jtun_nav2k7en90116004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232289203jtun_nav2k7en90117006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232378491jtun_nav2k7en90118003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232383256jtun_90116020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232457954jtun_enfwc391.392.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232461848jtun_nav2k7en90119004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232467746jtun_90119021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232550379jtun_nav2k7en90120003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232557017jtun_90120020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232643269jtun_nav2k7en90121003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232650490jtun_90121021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232724176jtun_90122037.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232727389jtun_nav2k7en90122020.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232742192jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232807906jtun_nav2k7en90123003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232894758jtun_nav2k7en90124006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232982810jtun_nav2k7en90125005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1232988936jtun_90123019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233066476jtun_nav2k7en90126004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233070781jtun_90126019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233152639jtun_nav2k7en90127004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233159447jtun_90127019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233239063jtun_nav2k7en90128003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233247205jtun_90128021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233306455jtun_enfwc392.393.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233329656jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233333704jtun_nav2k7en90129003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233336944jtun_90129020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233413292jtun_nav2k7en90130003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233498741jtun_nav2k7en90131003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233585766jtun_nav2k7en90201003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233592624jtun_90130020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233671095jtun_nav2k7en90202007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233675239jtun_90202019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233773337jtun_90203019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233775455jtun_nav2k7en90203003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233841375jtun_nav2k7en90204021.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233844787jtun_90204025.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233935438jtun_nav2k7en90205007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1233938560jtun_90205022.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234020916jtun_nav2k7en90206007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234108147jtun_nav2k7en90207003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234217328jtun_90206017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234224992jtun_nav2k7en90208016.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234280350jtun_nav2k7en90209036.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234284404jtun_90209038.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234371480jtun_nav2k7en90210003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234377178jtun_90210020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234447762jtun_nav2k7en90211004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234453125jtun_90211018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234536708jtun_nav2k7en90212003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234539171jtun_90212022.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234540480jtun_enfwc393.394.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234627839jtun_nav2k7en90213003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234711924jtun_nav2k7en90214003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234795443jtun_nav2k7en90215002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234800881jtun_90213017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234881337jtun_nav2k7en90216005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234884482jtun_90216019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234898977jtun_nisenid01md25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234898977jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1234970386jtun_nav2k7en90217002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235055305jtun_nav2k7en90218003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235057778jtun_90217020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235072134jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235139994jtun_nav2k7en90219003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235145697jtun_90219017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235226941jtun_nav2k7en90220004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235312730jtun_nav2k7en90221004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235399764jtun_nav2k7en90222003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235403472jtun_90220018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235493724jtun_nav2k7en90223002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235496368jtun_90223017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235581279jtun_90224020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235595320jtun_nav2k7en90224017.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235659211jtun_nav2k7en90225021.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235675541jtun_90225023.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235713043jtun_enfwc394.395.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235720880jtun_nav2k7en90226003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235745225jtun_nav2k7en90226055.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235747485jtun_90226024.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235834995jtun_nav2k7en90227004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1235924251jtun_nav2k7en90228003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236002752jtun_nav2k7en90301005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236008179jtun_90227020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236090118jtun_nav2k7en90302002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236094622jtun_90302020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236185986jtun_nav2k7en90303003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236188713jtun_90303018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236263017jtun_nav2k7en90304017.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236266299jtun_90304021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236353766jtun_90305018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236355978jtun_nav2k7en90305002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236367490jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236406281jtun_nav2k7en90306004.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236439859jtun_nav2k7en90306057.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236519302jtun_nav2k7en90307003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236605878jtun_nav2k7en90308003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236609046jtun_90306019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236692144jtun_nav2k7en90309003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236695946jtun_90309020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236776983jtun_nav2k7en90310017.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236780183jtun_90310023.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236879025jtun_nav2k7en90311003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236882121jtun_90311017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236883913jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236955637jtun_nav2k7en90312019.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1236957786jtun_90312020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237036870jtun_nav2k7en90313007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237124301jtun_nav2k7en90314003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237194536jtun_enfwc395.396.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237209462jtun_nav2k7en90315003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237215728jtun_90313021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237326853jtun_nav2k7en90316002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237330619jtun_90316019.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237382463jtun_nav2k7en90317006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237391274jtun_90317018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237478446jtun_nav2k7en90318006.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237481505jtun_90318021.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237559103jtun_nav2k7en90319017.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237567212jtun_90319022.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237647673jtun_nav2k7en90320003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237728925jtun_nav2k7en90321002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237814899jtun_nav2k7en90322005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237820118jtun_90320018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237902018jtun_nav2k7en90323003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237905104jtun_90323017.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237992775jtun_90324018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238000505jtun_nav2k7en90324003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238075925jtun_nav2k7en90325002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238079512jtun_90325018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238164211jtun_nav2k7en90326007.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238165754jtun_90326020.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238252719jtun_nav2k7en90327005.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238333282jtun_nav2k7en90328003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238423631jtun_nav2k7en90329003.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238429192jtun_90327016.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238482074jtun_nav2k7en90330002.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238487243jtun_enfwc396.397.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238524217jtun_nav2k7en90330049.m25.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238527075jtun_nisenid02md25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238527075jtun_nisenidcurd25.x86.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1238529961jtun_90330018.skn.full.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\antivirus_1.2.00_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\appcore_1.1.1_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\automatic$20liveupdate_3.2.0.41_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$20microdefs25$20nav2007_microdefsb.curdefs_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$20microdefs25$20nav2007_microdefsb.old_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$20microdefs25$20nav2007_microdefsb.sep_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ccpd$5fretail$5flicensing$5ftechnology_6.0_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\coh$20data$20update_6.1.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\coh$20update_6.0.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\coh$20update_6.1.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\decomposer_1.0.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\firewall_2.2.0_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\firewall_2.3.0_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\firewall_2.3.1_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\firewall_2.3.2_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20$2d$20consumer_7.2.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20defs$202007.2$20microdefs25_microdefsb.curdefs_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20defs$202007.2$20microdefs25_microdefsb.dec_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20defs$202007.2$20microdefs25_microdefsb.feb_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20defs$202007.2$20microdefs25_microdefsb.jan_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20defs$202007.2$20microdefs25_microdefsb.nov_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20defs$202007.2$20microdefs25_microdefsb.oct_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20defs$202007.2$20microdefs25_microdefsb.old_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ids$20defs$202007.2$20microdefs25_microdefsb.sep_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\liveupdate$20notice_1.4.5.83_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\liveupdate$20notice_1.4.5.91_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\minitri.flg
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\navnt$202007$20resource_14.2.0.29_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\norton$20internet$20security$20other_2.0_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\norton$20internet$20security$20resource_10.2.0_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\norton$20internet$20security_10.2.0_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\nortonprotectioncenter_2007.2.00_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\nortonprotectioncenter_2007.4.00_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\spbbc_3.2.0.21_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\srtsp$20consumer_10.1.4_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\submission$20engine$20data_1.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symantec$20known$20application$20system_1.0.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symantec$20known$20application$20system_1.5.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symantec$20security$20content$20a_microdefsb.curdefs_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symantec$20trusted$20application$20list_2.0_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symantec$20trusted$20application$20list_2.1_english_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symevent$20installer$20$2d$20consumer_12.3_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symevent$20installer$20$2d$20consumer_12.5_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\symnet$20consumer_7.2.0_symalllanguages_livetri.zip
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LUInstall.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LastGood.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint
c:\windows\$NtUninstallKB922582$
c:\windows\$NtUninstallKB922582$\fltlib.dll
c:\windows\$NtUninstallKB922582$\fltmc.exe
c:\windows\$NtUninstallKB922582$\fltmgr.sys
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.inf
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.txt
c:\windows\$NtUninstallKB922582$\spuninst\updspapi.dll
c:\windows\isRS-000.tmp
c:\windows\system32\krl32mainweq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_epjeqg
-------\Service_ydyqo


((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-11 14:51 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-11 14:50 . 2010-01-11 14:51 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-11 14:50 . 2010-01-11 14:51 -------- d-----w- c:\program files\McAfee.com
2010-01-11 14:50 . 2010-01-11 14:54 -------- d-----w- c:\program files\McAfee
2010-01-10 14:13 . 2010-01-10 14:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-07 21:08 . 2010-01-07 21:08 53296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 14:51 . 2010-01-05 14:51 -------- d-----w- c:\program files\Trend Micro
2010-01-03 17:42 . 2010-01-03 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-03 14:58 . 2010-01-03 14:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-03 05:05 . 2010-01-03 05:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 14:57 . 2009-04-01 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-05 13:21 . 2010-01-03 22:19 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-05 13:21 . 2010-01-03 14:58 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-05 13:20 . 2009-09-03 17:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-03 11:28 . 2009-09-03 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 22:52 . 2009-12-20 01:03 52224 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-02 22:52 . 2009-09-03 17:30 117760 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 23:31 . 2009-04-01 14:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-30 20:55 . 2009-09-03 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 20:54 . 2009-09-03 16:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 01:40 . 2008-07-26 17:15 -------- d-----w- c:\documents and settings\Thomas Longawa\Application Data\ZoomBrowser EX
2009-12-10 20:07 . 2009-11-30 19:05 127325 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks\uninstall.exe
2009-12-10 20:07 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-10 20:07 . 2007-05-17 01:08 -------- d--h--w- c:\documents and settings\Thomas Longawa\Application Data\Move Networks
2009-12-03 12:48 . 2009-12-03 12:48 79488 ----a-w- c:\documents and settings\Thomas Longawa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-04 22:54 . 2009-04-01 01:00 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 22:54 . 2009-04-01 01:00 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 22:54 . 2009-04-01 01:00 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 22:54 . 2009-04-01 01:00 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:45 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-16 581632]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-03 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-17 3022848]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-09-05 114741]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2002-07-01 40960]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-01-16 581632]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
"IBM Warranty Notification"="c:\program files\IBM\acp\ERTS0749\ERTS0749.exe" [2004-03-13 106496]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"NapsterShell"="c:\program files\Napster\napster.exe" [2007-12-10 323216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-26 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\xcSeMB2uk.exe" [2010-01-03 1389904]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-11 11:13 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Java141\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/11/2010 8:54 AM 203280]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]
S0 jemlesr;jemlesr;c:\windows\system32\drivers\fkxq.sys --> c:\windows\system32\drivers\fkxq.sys [?]
S2 0191521263221494mcinstcleanup;McAfee Application Installer Cleanup (0191521263221494);c:\docume~1\THOMAS~1\LOCALS~1\Temp\019152~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\THOMAS~1\LOCALS~1\Temp\019152~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-01-11 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-11 18:22]

2010-01-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\@*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\@*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\d*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\d*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\l*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\l*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\P*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\P*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\t*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\t*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\X*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\X*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ *¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¨*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¨*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¼*¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¼*¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\S¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\S¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ ¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\ ¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¬ ¬ 4*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-427570669-2413698841-9543774-1007\¬ ¬ 5*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1516)
c:\windows\system32\WININET.dll
c:\windows\system32\SKHOOKS.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\SKUsbKbd.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\ICO.EXE
c:\windows\system32\SKDAEMON.EXE
c:\windows\system32\Pelmiced.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2010-01-11 23:17:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 05:17
ComboFix2.txt 2010-01-11 15:57
ComboFix3.txt 2010-01-11 04:03

Pre-Run: 41,303,576,576 bytes free
Post-Run: 41,290,588,160 bytes free

- - End Of File - - BA4B996127F04D8871D63B1E732EF8FB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:57 PM, on 1/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [IBM Warranty Notification] "C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\xcSeMB2uk.exe" /runcleanupscript
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/acce ... ontrol.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: McAfee Application Installer Cleanup (0191521263221494) (0191521263221494mcinstcleanup) - Unknown owner - C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\019152~1.EXE (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 11842 bytes
TOML
Regular Member
Posts: 15
Joined: January 4th, 2010, 6:22 pm
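A small triage script for HijackThis-style logs such as the one above, added here as an example; it is not a MalwareRemoval.com tool and not code from any post in this thread. It parses the R0/R1/O2/O4/O23 lines and flags the points a helper reviews first: entries whose target file is missing, executables launched from a temporary directory, services with no publisher information, and browser settings that point at a host outside an expected list. The sample lines in SAMPLE_LOG are copied from the log above; EXPECTED_HOSTS and the temp-directory markers are assumptions chosen for the example.

```python
"""Triage helper for HijackThis-style logs (added example, not a forum tool)."""
import re
from typing import Iterable, List
from urllib.parse import urlparse

# Every HJT finding starts with a section code (R0, R1, O2, O4, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# First Windows path in the line ending in an executable-type extension
# (spaces inside the path are allowed, e.g. "C:\Program Files\...").
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumption for this example: directories from which startup items and
# services should not normally be running on a healthy XP machine.
TEMP_MARKERS = ("\\temp\\", "\\local settings\\")
# Assumption: hosts the owner expects in the R0/R1 browser settings.
EXPECTED_HOSTS = {"att.yahoo.com", "go.microsoft.com"}

# Sample lines copied from the HijackThis log posted above (one header line
# and one process-list line are included to show that they are skipped).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\xcSeMB2uk.exe" /runcleanupscript
O23 - Service: McAfee Application Installer Cleanup (0191521263221494) (0191521263221494mcinstcleanup) - Unknown owner - C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\019152~1.EXE (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
"""


def parse_entries(text: str) -> List[dict]:
    """Return one dict per finding line: section code, body text, first file path."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, the running-process list and blank lines are skipped
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append({"kind": m.group("kind"), "body": body,
                        "path": p.group(0) if p else None})
    return entries


def review_reasons(entry: dict, expected_hosts: Iterable[str]) -> List[str]:
    """List the review points that apply to one entry (empty list = nothing to note)."""
    reasons = []
    kind, body, path = entry["kind"], entry["body"], entry["path"]
    if "(file missing)" in body:
        reasons.append("referenced file is missing (orphaned entry)")
    if path and any(marker in path.lower() for marker in TEMP_MARKERS):
        reasons.append("runs from a temporary directory")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service has no publisher information")
    if kind in ("R0", "R1"):
        u = URL_RE.search(body)
        host = urlparse(u.group(0)).hostname if u else None
        if host and host.lower() not in {h.lower() for h in expected_hosts}:
            reasons.append(f"browser setting points at unexpected host {host}")
    return reasons


def triage(text: str, expected_hosts: Iterable[str]) -> List[dict]:
    """Return only the entries that carry at least one review point, with the reasons."""
    flagged = []
    for entry in parse_entries(text):
        reasons = review_reasons(entry, expected_hosts)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG, EXPECTED_HOSTS):
        print(item["kind"], item["path"] or "(no path)")
        for reason in item["reasons"]:
            print("   -", reason)
```

Run against the sample, the orphaned McAfee cleanup service is reported with three reasons (missing file, temp-directory path, no publisher) and the PsaSrv service with one, while the Malwarebytes run key and the Yahoo start page are left alone. Treat the output as a reading aid: a flag means "look at this first", not "this is malware".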

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby muppy03 » January 12th, 2010, 3:35 am

Please update me on issues after doing the following :)


You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.2 are vulnerable.
  • Go HERE and click on AdbeRdr920_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.


Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 17
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u17-windows-i586.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE) listed below in the code box.
    Java(TM) 6 Update 16 
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Please reply with:-
  • ESET log
  • New HJT log
  • Update in how computer is running
muppy03
MRU Emeritus
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby TOML » January 12th, 2010, 10:55 am

Last night after running ComboFix, the system rebooted. I activated McAfee and I collected and sent you the logs. I then put the system into suspend mode. This morning I resumed the system and logged onto Yahoo to check my mail for any updates. I received a popup that my system was infected and I needed to download an antivirus program. This is similar to what happened to me on Jan 2. I brought up the system task manager and immediately ended the two tasks that were active and shut down the system. I had an appointment and will be away from the machine until late tonight. Should I still perform the mentioned tasks? I do not know what will happen when I boot the system.
TOML
Regular Member
Posts: 15
Joined: January 4th, 2010, 6:22 pm

Re: XP infected with trojan.dnschanger rootkit.tdss rogue.smartp

Unread postby muppy03 » January 12th, 2010, 5:32 pm

Do the following instead.

1. I see by your Uninstall List that you have Malwarebytes' Anti-Malware installed on your computer.

Please do a Malwarebytes' Anti-Malware scan using these settings:
    · Open Malwarebytes' Anti-Malware
    · Select the Update tab
    · Click Check for Updates
    · After the update has been completed, select the Scanner tab.
    · Make sure the "Perform full scan" option is selected.
    · Then click on the Scan button.
    · If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
    · The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    · When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    · Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

    · Click on the Show Results button to see a list of any malware that was found.
    · Make sure that everything is checked, and click Remove Selected.
    · When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    · The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    · The log can also be found here:

    · C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    · Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2. Re-run RSIT and post the one log it produces.

Please reply with:-
  • MBAM log
  • RSIT log
muppy03
MRU Emeritus
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia