DaveI
Everything posted by DaveI
-
Mieke, All seems well now. Thank you for the great support. DaveI
-
Thanks, it looks like we are chasing our tails. As soon as we get rid of one, another pops up. Should I keep the computer disconnected from the internet?
-
Hi Mieke, Here is the latest log. I decided to remove Norton Anti Virus before installing this latest fix. Hope that was okay to do so. Thanks for all of your help.
-
Here is the log. I am not sure I completely disabled Norton Protection Center. If I need to, I will remove it completely.

ComboFix 09-05-13.01 - Jackie 05/13/2009 15:24.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.600 [GMT -7:00] Running from: c:\documents and settings\Jackie\Desktop\ComboFix.exe AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\bszip.dll . ((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 ))))))))))))))))))))))))))))))) . 2009-05-12 21:50 . 2009-05-12 21:50 -------- d-----w c:\program files\Trend Micro 2009-05-12 20:51 . 2009-05-12 20:51 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-05-11 03:53 . 2009-05-11 03:53 -------- d-sh--w c:\documents and settings\Administrator\IETldCache 2009-05-11 02:46 . 2009-05-11 03:20 -------- d-----w c:\windows\system32\199638 2009-05-05 07:13 . 2009-05-05 07:13 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache 2009-05-05 07:11 . 2009-05-05 07:11 -------- d-sh--w c:\documents and settings\Jackie\PrivacIE 2009-05-05 07:09 . 2009-05-05 07:09 -------- d-sh--w c:\documents and settings\Jackie\IETldCache 2009-05-05 06:53 . 2009-05-05 06:53 -------- d-----w c:\windows\ie8updates 2009-05-05 06:51 . 2009-05-05 06:52 -------- dc-h--w c:\windows\ie8 2009-05-05 06:50 . 2009-05-05 06:54 -------- d--h--w c:\windows\msdownld.tmp 2009-05-05 06:47 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll 2009-04-15 03:46 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-15 03:46 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe 2009-04-15 03:46 . 
2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 03:46 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe 2009-04-15 03:46 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 03:46 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 03:46 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 03:46 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 03:46 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 03:46 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-15 03:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll 2009-04-15 03:45 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-13 21:56 . 2001-12-14 22:45 -------- d-----w c:\program files\Yahoo! 2009-05-13 20:13 . 2009-01-11 20:51 1632 ----a-w c:\windows\system32\d3d8caps.dat 2009-05-11 04:49 . 2001-12-14 21:11 -------- d-----w c:\program files\Sony 2009-05-11 04:47 . 2005-09-18 17:06 -------- d-----w c:\program files\Hewlett-Packard 2009-05-11 04:12 . 2006-12-22 04:27 1744 ----a-w c:\windows\system32\d3d9caps.dat 2009-05-11 02:56 . 2009-01-07 08:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-06 22:32 . 2009-01-07 08:13 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-06 22:32 . 2009-01-07 08:13 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-03-31 14:30 . 2004-11-18 05:09 -------- d-----w c:\program files\Common Files\Symantec Shared 2009-03-19 16:12 . 2007-01-03 08:01 -------- d-----w c:\program files\DesignPro 2009-03-08 11:34 . 2004-01-08 23:23 914944 ----a-w c:\windows\system32\wininet.dll 2009-03-08 11:34 . 
2001-12-14 19:25 43008 ----a-w c:\windows\system32\licmgr10.dll 2009-03-08 11:33 . 2001-12-14 19:25 18944 ----a-w c:\windows\system32\corpol.dll 2009-03-08 11:33 . 2001-12-14 19:26 420352 ----a-w c:\windows\system32\vbscript.dll 2009-03-08 11:32 . 2001-12-14 19:25 72704 ----a-w c:\windows\system32\admparse.dll 2009-03-08 11:32 . 2001-12-14 19:25 71680 ----a-w c:\windows\system32\iesetup.dll 2009-03-08 11:31 . 2001-12-14 19:25 34816 ----a-w c:\windows\system32\imgutil.dll 2009-03-08 11:31 . 2001-12-14 19:25 48128 ----a-w c:\windows\system32\mshtmler.dll 2009-03-08 11:31 . 2001-12-14 19:25 45568 ----a-w c:\windows\system32\mshta.exe 2009-03-08 11:22 . 2001-12-14 19:25 156160 ----a-w c:\windows\system32\msls31.dll 2009-03-06 14:22 . 2001-12-14 19:25 284160 ----a-w c:\windows\system32\pdh.dll 2005-09-16 01:26 . 2004-11-18 02:02 41573 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2005-09-16 01:26 . 2004-11-18 02:02 48223 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2005-09-16 01:26 . 2004-11-18 02:02 160871 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F9AF30D-8F1B-4705-B47C-27FB9E03955F}] 2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="NvQTwk" [X] "ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-04-26 2220] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-23 1126400] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816] "osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-01-14 771704] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-17 113664] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-1-22 815104] VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2001-12-19 40960] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gbbghzjr] 2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32 "wave1"= serwvdrv.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= R0 ftylnktu;ftylnktu;c:\windows\system32\drivers\ftylnktu.sys [12/14/2001 12:25 PM 23424] R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138801] R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 5:13 AM 46800] R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 1:53 PM 12032] R2 V7;V7;c:\windows\system32\drivers\V7.SYS [11/17/2004 4:46 PM 7196] R2 YahooAUService;Yahoo! 
Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 4:11 PM 101936] S0 AluriaFilter;AluriaFilter;c:\windows\system32\DRIVERS\AlurFltr.sys --> c:\windows\system32\DRIVERS\AlurFltr.sys [?] S0 zhydexfn;zhydexfn;c:\windows\system32\drivers\mpupghz.sys --> c:\windows\system32\drivers\mpupghz.sys [?] S3 AL_ADSFilter;AL_ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\AL_ADSFilter.sys --> c:\windows\system32\DRIVERS\AL_ADSFilter.sys [?] S3 BCM42XX;Broadcom iLine10 Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 5:55 PM 54271] S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 12:26 PM 593000] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs lzqegxoj [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12 . Contents of the 'Scheduled Tasks' folder 2009-05-13 c:\windows\Tasks\At1.job - c:\windows\system32\olwpjuc.dll [2001-12-14 12:00] 2009-05-09 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Jackie.job - c:\program files\Norton AntiVirus\Navw32.exe [2007-01-14 09:09] . - - - - ORPHANS REMOVED - - - - HKLM-Run-CleanupProgram - c:\sonysys\cleanup.exe HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8 uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: aol.com\free DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\x63txie9.default\ FF - prefs.js: browser.search.selectedEngine - Dictionary.com FF - prefs.js: browser.startup.homepage - hxxp://www.rhythmicmom.com/forum/|http://www.usa-gymnastics.org/|http://rhythmicregion1.proboards28.com/ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess"); c:\program files\Mozilla 
Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", 
"chrome://mozapps/locale/update/update.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 
pref("browser.startup.homepage_override.1", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-13 15:30 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr] "ImagePath"="-" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT] "ImagePath"="-" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc] "ImagePath"="-" . 
Completion time: 2009-05-13 15:33 ComboFix-quarantined-files.txt 2009-05-13 22:32 Pre-Run: 193,692,172,288 bytes free Post-Run: 196,890,730,496 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 232 --- E O F --- 2009-04-15 10:05
-
Hi, MBAM finds this spyware but is unable to remove it. Please help. The two files attached are the HiJack files and the MBAM log files. TIA, Dave

Attachments: jackies_pc_2009_05_12.txt, mbam_log_2009_05_12__14_15_11_.txt