Everything posted by DaveI

  1. Mieke, All seems well now. Thank you for the great support. DaveI
  2. Thanks, it looks like we are chasing our tails. As soon as we get rid of one, another pops up. Should I keep the computer disconnected from the internet?
  3. Hi Mieke, Here is the latest log. I decided to remove Norton Anti Virus before installing this latest fix. Hope that was okay to do so. Thanks for all of your help.
  4. Here is the log. I am not sure I completely disabled Norton Protection Center; if I need to, I will remove it completely.
ComboFix 09-05-13.01 - Jackie 05/13/2009 15:24.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.600 [GMT -7:00] Running from: c:\documents and settings\Jackie\Desktop\ComboFix.exe AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\bszip.dll . ((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 ))))))))))))))))))))))))))))))) . 2009-05-12 21:50 . 2009-05-12 21:50 -------- d-----w c:\program files\Trend Micro 2009-05-12 20:51 . 2009-05-12 20:51 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-05-11 03:53 . 2009-05-11 03:53 -------- d-sh--w c:\documents and settings\Administrator\IETldCache 2009-05-11 02:46 . 2009-05-11 03:20 -------- d-----w c:\windows\system32\199638 2009-05-05 07:13 . 2009-05-05 07:13 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache 2009-05-05 07:11 . 2009-05-05 07:11 -------- d-sh--w c:\documents and settings\Jackie\PrivacIE 2009-05-05 07:09 . 2009-05-05 07:09 -------- d-sh--w c:\documents and settings\Jackie\IETldCache 2009-05-05 06:53 . 2009-05-05 06:53 -------- d-----w c:\windows\ie8updates 2009-05-05 06:51 . 2009-05-05 06:52 -------- dc-h--w c:\windows\ie8 2009-05-05 06:50 . 2009-05-05 06:54 -------- d--h--w c:\windows\msdownld.tmp 2009-05-05 06:47 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll 2009-04-15 03:46 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-15 03:46 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe 2009-04-15 03:46 . 
2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 03:46 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe 2009-04-15 03:46 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 03:46 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 03:46 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 03:46 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 03:46 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 03:46 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-15 03:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll 2009-04-15 03:45 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-13 21:56 . 2001-12-14 22:45 -------- d-----w c:\program files\Yahoo! 2009-05-13 20:13 . 2009-01-11 20:51 1632 ----a-w c:\windows\system32\d3d8caps.dat 2009-05-11 04:49 . 2001-12-14 21:11 -------- d-----w c:\program files\Sony 2009-05-11 04:47 . 2005-09-18 17:06 -------- d-----w c:\program files\Hewlett-Packard 2009-05-11 04:12 . 2006-12-22 04:27 1744 ----a-w c:\windows\system32\d3d9caps.dat 2009-05-11 02:56 . 2009-01-07 08:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-06 22:32 . 2009-01-07 08:13 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-06 22:32 . 2009-01-07 08:13 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-03-31 14:30 . 2004-11-18 05:09 -------- d-----w c:\program files\Common Files\Symantec Shared 2009-03-19 16:12 . 2007-01-03 08:01 -------- d-----w c:\program files\DesignPro 2009-03-08 11:34 . 2004-01-08 23:23 914944 ----a-w c:\windows\system32\wininet.dll 2009-03-08 11:34 . 
2001-12-14 19:25 43008 ----a-w c:\windows\system32\licmgr10.dll 2009-03-08 11:33 . 2001-12-14 19:25 18944 ----a-w c:\windows\system32\corpol.dll 2009-03-08 11:33 . 2001-12-14 19:26 420352 ----a-w c:\windows\system32\vbscript.dll 2009-03-08 11:32 . 2001-12-14 19:25 72704 ----a-w c:\windows\system32\admparse.dll 2009-03-08 11:32 . 2001-12-14 19:25 71680 ----a-w c:\windows\system32\iesetup.dll 2009-03-08 11:31 . 2001-12-14 19:25 34816 ----a-w c:\windows\system32\imgutil.dll 2009-03-08 11:31 . 2001-12-14 19:25 48128 ----a-w c:\windows\system32\mshtmler.dll 2009-03-08 11:31 . 2001-12-14 19:25 45568 ----a-w c:\windows\system32\mshta.exe 2009-03-08 11:22 . 2001-12-14 19:25 156160 ----a-w c:\windows\system32\msls31.dll 2009-03-06 14:22 . 2001-12-14 19:25 284160 ----a-w c:\windows\system32\pdh.dll 2005-09-16 01:26 . 2004-11-18 02:02 41573 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2005-09-16 01:26 . 2004-11-18 02:02 48223 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2005-09-16 01:26 . 2004-11-18 02:02 160871 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F9AF30D-8F1B-4705-B47C-27FB9E03955F}] 2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="NvQTwk" [X] "ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-04-26 2220] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-23 1126400] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816] "osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-01-14 771704] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-17 113664] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-1-22 815104] VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2001-12-19 40960] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gbbghzjr] 2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32 "wave1"= serwvdrv.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= R0 ftylnktu;ftylnktu;c:\windows\system32\drivers\ftylnktu.sys [12/14/2001 12:25 PM 23424] R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138801] R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 5:13 AM 46800] R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 1:53 PM 12032] R2 V7;V7;c:\windows\system32\drivers\V7.SYS [11/17/2004 4:46 PM 7196] R2 YahooAUService;Yahoo! 
Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 4:11 PM 101936] S0 AluriaFilter;AluriaFilter;c:\windows\system32\DRIVERS\AlurFltr.sys --> c:\windows\system32\DRIVERS\AlurFltr.sys [?] S0 zhydexfn;zhydexfn;c:\windows\system32\drivers\mpupghz.sys --> c:\windows\system32\drivers\mpupghz.sys [?] S3 AL_ADSFilter;AL_ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\AL_ADSFilter.sys --> c:\windows\system32\DRIVERS\AL_ADSFilter.sys [?] S3 BCM42XX;Broadcom iLine10 Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 5:55 PM 54271] S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 12:26 PM 593000] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs lzqegxoj [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12 . Contents of the 'Scheduled Tasks' folder 2009-05-13 c:\windows\Tasks\At1.job - c:\windows\system32\olwpjuc.dll [2001-12-14 12:00] 2009-05-09 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Jackie.job - c:\program files\Norton AntiVirus\Navw32.exe [2007-01-14 09:09] . - - - - ORPHANS REMOVED - - - - HKLM-Run-CleanupProgram - c:\sonysys\cleanup.exe HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8 uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: aol.com\free DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\x63txie9.default\ FF - prefs.js: browser.search.selectedEngine - Dictionary.com FF - prefs.js: browser.startup.homepage - hxxp://www.rhythmicmom.com/forum/|http://www.usa-gymnastics.org/|http://rhythmicregion1.proboards28.com/ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess"); c:\program files\Mozilla 
Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", 
"chrome://mozapps/locale/update/update.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 
pref("browser.startup.homepage_override.1", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-13 15:30 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr] "ImagePath"="-" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT] "ImagePath"="-" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc] "ImagePath"="-" . 
Completion time: 2009-05-13 15:33 ComboFix-quarantined-files.txt 2009-05-13 22:32 Pre-Run: 193,692,172,288 bytes free Post-Run: 196,890,730,496 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 232 --- E O F --- 2009-04-15 10:05
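Added triage example (not DaveI's code, and not part of ComboFix or Malwarebytes): the log above wires one file, c:\windows\system32\olwpjuc.dll, into three separate autostart locations (a Browser Helper Object, a Winlogon notify package named gbbghzjr, and the At1.job scheduled task), registers randomly named boot drivers (ftylnktu, and zhydexfn whose mpupghz.sys is already gone), adds an unknown NetSvcs entry lzqegxoj, and has Security Center monitoring of the Symantec products switched off. The script below parses those ComboFix line shapes and pulls out exactly that kind of entry. The indicator names, the `looks_random` thresholds and the rest of the heuristics are my assumptions; the sample input is excerpted from the log in this post.

```python
"""Triage helper for ComboFix-style autorun listings.

Added example, not part of ComboFix. It parses the line shapes ComboFix
uses in its 'Reg Loading Points', services and 'Scheduled Tasks' output
and flags the load points a responder would look at first. Every
heuristic here is an assumption of this example.
"""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F9AF30D-8F1B-4705-B47C-27FB9E03955F}]
2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gbbghzjr]
2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R0 ftylnktu;ftylnktu;c:\windows\system32\drivers\ftylnktu.sys [12/14/2001 12:25 PM 23424]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138801]
S0 zhydexfn;zhydexfn;c:\windows\system32\drivers\mpupghz.sys --> c:\windows\system32\drivers\mpupghz.sys [?]
S3 BCM42XX;Broadcom iLine10 Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 5:55 PM 54271]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lzqegxoj
2009-05-13 c:\windows\Tasks\At1.job - c:\windows\system32\olwpjuc.dll [2001-12-14 12:00]
2009-05-09 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Jackie.job - c:\program files\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +(\S.*?\.(?:dll|exe|sys))$", re.I)
TASK_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\.+?\.job) - (.+?) \[", re.I)
SERVICE_LINE = re.compile(r"^[RS]\d \S+;")


def looks_random(name: str) -> bool:
    """Assumed heuristic for generated names such as 'gbbghzjr': 6-9 letters
    with fewer than two vowels, a run of four consonants, or three leading
    consonants. It misfires on some abbreviations, so it is only applied
    where legitimate entries rarely carry such names."""
    stem = name.lower()
    if not (6 <= len(stem) <= 9 and stem.isalpha()):
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", stem))
    return vowels < 2 or longest_run >= 4 or re.match(r"[^aeiouy]{3}", stem) is not None


def scan_combofix(text: str):
    """Return (indicator, detail) pairs in log order, plus a final correlation."""
    findings = []
    load_points = defaultdict(set)  # lowercased file path -> load points naming it
    current_key = None
    next_is_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if next_is_netsvcs:  # ComboFix lists NetSvcs names it could not map to a known service
            next_is_netsvcs = False
            if looks_random(line):
                findings.append(("netsvcs-unknown-service", line))
            continue
        if line.lower().endswith("svchost - netsvcs"):
            next_is_netsvcs = True
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if '"DisableMonitoring"=dword:00000001' in line:
            # Security Center told not to watch this product: hides a disabled AV/firewall
            findings.append(("security-center-monitoring-disabled", current_key))
            continue
        m = TASK_LINE.match(line)
        if m:
            job, target = m.groups()
            load_points[target.lower()].add(job)
            if target.lower().endswith(".dll"):  # a task whose action is a bare DLL
                findings.append(("scheduled-task-runs-dll", f"{job} -> {target}"))
            continue
        m = FILE_LINE.match(line)
        if m and current_key:
            path = m.group(1)
            load_points[path.lower()].add(current_key)
            key = current_key.lower()
            if "winlogon\\notify\\" in key:  # loaded into winlogon.exe as SYSTEM at boot
                name = key.rsplit("\\", 1)[1]
                findings.append(("winlogon-notify-dll", f"{name} -> {path}"))
            elif "browser helper objects" in key:
                findings.append(("bho-dll", path))
            continue
        if SERVICE_LINE.match(line):
            head, name, rest = line.split(";", 2)
            start = head.split(" ", 1)[0]
            missing = rest.endswith("[?]")  # ComboFix marks a registered file that is absent
            path = rest.split(" --> ")[0] if missing else rest.rsplit(" [", 1)[0]
            load_points[path.lower()].add(f"service {name}")
            if missing:
                findings.append(("service-file-missing", f"{name} -> {path}"))
            elif start in ("R0", "S0") and looks_random(name):
                findings.append(("boot-driver-random-name", f"{name} -> {path}"))
            continue
    for path, points in load_points.items():
        if len(points) >= 2:  # one file wired into several autostarts: strongest single signal
            findings.append(("multi-loadpoint-file", f"{path} via {len(points)} load points"))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_combofix(SAMPLE_LOG):
        print(f"{kind:38} {detail}")
```

Run it over a full ComboFix log and compare each finding with what MBAM or ComboFix has already removed: a file that survives a cleanup with two or more load points intact is the one to quarantine or submit next, and the Security Center DisableMonitoring values should be deleted once the antivirus is confirmed running, because they suppress the warning that would otherwise show it is off.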
  5. Hi,
MBAM finds this spyware but is unable to remove it. Please help. The two files attached are the HiJack files and the MBAM log files.
TIA,
Dave
Attachments: jackies_pc_2009_05_12.txt, mbam_log_2009_05_12__14_15_11_.txt