
Vundo



  • Staff

Hi,

Please don't attach your logs, but copy and paste them in the thread instead.

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Here is the log; I am not sure I completely disabled Norton Protection Center. If I need to, I will remove it completely.

ComboFix 09-05-13.01 - Jackie 05/13/2009 15:24.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.600 [GMT -7:00]

Running from: c:\documents and settings\Jackie\Desktop\ComboFix.exe

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\bszip.dll

.

((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))

.

2009-05-12 21:50 . 2009-05-12 21:50 -------- d-----w c:\program files\Trend Micro

2009-05-12 20:51 . 2009-05-12 20:51 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-11 03:53 . 2009-05-11 03:53 -------- d-sh--w c:\documents and settings\Administrator\IETldCache

2009-05-11 02:46 . 2009-05-11 03:20 -------- d-----w c:\windows\system32\199638

2009-05-05 07:13 . 2009-05-05 07:13 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache

2009-05-05 07:11 . 2009-05-05 07:11 -------- d-sh--w c:\documents and settings\Jackie\PrivacIE

2009-05-05 07:09 . 2009-05-05 07:09 -------- d-sh--w c:\documents and settings\Jackie\IETldCache

2009-05-05 06:53 . 2009-05-05 06:53 -------- d-----w c:\windows\ie8updates

2009-05-05 06:51 . 2009-05-05 06:52 -------- dc-h--w c:\windows\ie8

2009-05-05 06:50 . 2009-05-05 06:54 -------- d--h--w c:\windows\msdownld.tmp

2009-05-05 06:47 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-04-15 03:46 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-15 03:46 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe

2009-04-15 03:46 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 03:46 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-15 03:46 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 03:46 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 03:46 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-15 03:46 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-15 03:46 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 03:46 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-15 03:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-15 03:45 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-13 21:56 . 2001-12-14 22:45 -------- d-----w c:\program files\Yahoo!

2009-05-13 20:13 . 2009-01-11 20:51 1632 ----a-w c:\windows\system32\d3d8caps.dat

2009-05-11 04:49 . 2001-12-14 21:11 -------- d-----w c:\program files\Sony

2009-05-11 04:47 . 2005-09-18 17:06 -------- d-----w c:\program files\Hewlett-Packard

2009-05-11 04:12 . 2006-12-22 04:27 1744 ----a-w c:\windows\system32\d3d9caps.dat

2009-05-11 02:56 . 2009-01-07 08:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-06 22:32 . 2009-01-07 08:13 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 22:32 . 2009-01-07 08:13 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-31 14:30 . 2004-11-18 05:09 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-19 16:12 . 2007-01-03 08:01 -------- d-----w c:\program files\DesignPro

2009-03-08 11:34 . 2004-01-08 23:23 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 11:34 . 2001-12-14 19:25 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 11:33 . 2001-12-14 19:25 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 11:33 . 2001-12-14 19:26 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 11:32 . 2001-12-14 19:25 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 11:32 . 2001-12-14 19:25 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 11:31 . 2001-12-14 19:25 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 11:31 . 2001-12-14 19:25 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 11:31 . 2001-12-14 19:25 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 11:22 . 2001-12-14 19:25 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:22 . 2001-12-14 19:25 284160 ----a-w c:\windows\system32\pdh.dll

2005-09-16 01:26 . 2004-11-18 02:02 41573 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2005-09-16 01:26 . 2004-11-18 02:02 48223 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2005-09-16 01:26 . 2004-11-18 02:02 160871 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F9AF30D-8F1B-4705-B47C-27FB9E03955F}]

2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-04-26 2220]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-23 1126400]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]

"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-01-14 771704]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-17 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-1-22 815104]

VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2001-12-19 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gbbghzjr]

2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R0 ftylnktu;ftylnktu;c:\windows\system32\drivers\ftylnktu.sys [12/14/2001 12:25 PM 23424]

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138801]

R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 5:13 AM 46800]

R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 1:53 PM 12032]

R2 V7;V7;c:\windows\system32\drivers\V7.SYS [11/17/2004 4:46 PM 7196]

R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 4:11 PM 101936]

S0 AluriaFilter;AluriaFilter;c:\windows\system32\DRIVERS\AlurFltr.sys --> c:\windows\system32\DRIVERS\AlurFltr.sys [?]

S0 zhydexfn;zhydexfn;c:\windows\system32\drivers\mpupghz.sys --> c:\windows\system32\drivers\mpupghz.sys [?]

S3 AL_ADSFilter;AL_ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\AL_ADSFilter.sys --> c:\windows\system32\DRIVERS\AL_ADSFilter.sys [?]

S3 BCM42XX;Broadcom iLine10 Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 5:55 PM 54271]

S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 12:26 PM 593000]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

lzqegxoj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\At1.job

- c:\windows\system32\olwpjuc.dll [2001-12-14 12:00]

2009-05-09 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Jackie.job

- c:\program files\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-CleanupProgram - c:\sonysys\cleanup.exe

HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\x63txie9.default\

FF - prefs.js: browser.search.selectedEngine - Dictionary.com

FF - prefs.js: browser.startup.homepage - hxxp://www.rhythmicmom.com/forum/|http://www.usa-gymnastics.org/|http://rhythmicregion1.proboards28.com/

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-13 15:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

.

Completion time: 2009-05-13 15:33

ComboFix-quarantined-files.txt 2009-05-13 22:32

Pre-Run: 193,692,172,288 bytes free

Post-Run: 196,890,730,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

232 --- E O F --- 2009-04-15 10:05


  • Staff

Hi,

I think it should work with Norton partially disabled as well.

Detection for this variant will be added to the next Malwarebytes database update. In the meantime, let's tackle it with ComboFix and a script.

Open Notepad; don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\Tasks\At1.job

c:\windows\system32\olwpjuc.dll

c:\windows\system32\drivers\ftylnktu.sys

NetSvc::

lzqegxoj

Driver::

zhydexfn

ftylnktu

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F9AF30D-8F1B-4705-B47C-27FB9E03955F}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gbbghzjr]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

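The script above removes one DLL that the first log shows at three load points (the Browser Helper Object, the Winlogon Notify subkey and the At1.job scheduled task), a NetSvcs name, and two drivers. As an added example that is not part of this thread and not ComboFix's own code, the Python below parses those ComboFix log sections, applies the same cross-reference as a triage rule, and drafts the CFScript sections (File::, NetSvc::, Driver::, Registry::) for a human to review. The "random name" regex and the multiple-load-point rule are assumptions of this example, not ComboFix behaviour; SAMPLE_LOG is constructed from lines in the first log of the thread.

```python
"""Triage a ComboFix log for the pattern removed in this thread: one randomly named DLL
loaded from several autostart points, plus random-named or file-less kernel services.
Added example, not part of the thread or of ComboFix; both heuristics are assumptions."""
import re
from collections import defaultdict

# Constructed from lines in the first ComboFix log of the thread; SonyFKC is a benign control.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F9AF30D-8F1B-4705-B47C-27FB9E03955F}]
2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gbbghzjr]
2001-08-18 12:00 103936 ----a-w c:\windows\system32\olwpjuc.dll
R0 ftylnktu;ftylnktu;c:\windows\system32\drivers\ftylnktu.sys [12/14/2001 12:25 PM 23424]
R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 1:53 PM 12032]
S0 zhydexfn;zhydexfn;c:\windows\system32\drivers\mpupghz.sys --> c:\windows\system32\drivers\mpupghz.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lzqegxoj
2009-05-13 c:\windows\Tasks\At1.job
- c:\windows\system32\olwpjuc.dll [2001-12-14 12:00]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKEY_...] section header
PATH_RE = re.compile(r"(c:\\.+?)(?: \[|\s*-->|$)", re.I)    # path up to the "[date size]" tail
DRIVER_RE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.+)$")    # "R0 name;description;path [...]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\.+\.job)$", re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,9}$")  # assumption, fitted to the names in this thread


def parse_log(text):
    """Collect DLL load points, kernel drivers and NetSvcs names from ComboFix log text."""
    loadpoints = defaultdict(set)  # dll path -> {"bho:<key>", "notify:<key>", "task:<job>"}
    drivers, netsvcs = [], []
    current_key, pending_job, in_netsvcs = None, None, False
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if in_netsvcs and re.fullmatch(r"\w+", line):     # bare names follow the NetSvcs header
            netsvcs.append(line)
            continue
        in_netsvcs = line.lower().endswith("svchost - netsvcs")
        if in_netsvcs:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1)
            continue
        if m := DRIVER_RE.match(line):
            name, desc, rest = m.groups()
            p = PATH_RE.search(rest)
            drivers.append({"name": name, "desc": desc, "path": p.group(1) if p else None,
                            "missing": rest.endswith("[?]")})   # "--> path [?]": file not on disk
            continue
        if m := TASK_RE.match(line):
            pending_job = m.group(1)
            continue
        p = PATH_RE.search(line)
        path = p.group(1).strip('"') if p else None
        if pending_job and line.startswith("- "):          # the job's target, printed on the next line
            if path and path.lower().endswith(".dll"):
                loadpoints[path].add("task:" + pending_job)
            pending_job = None
        elif path and current_key:
            key = current_key.lower()
            if "browser helper objects" in key:
                loadpoints[path].add("bho:" + current_key)
            elif "winlogon\\notify\\" in key:
                loadpoints[path].add("notify:" + current_key)
    return {"loadpoints": dict(loadpoints), "drivers": drivers, "netsvcs": netsvcs}


def triage(parsed):
    """Apply the heuristics; returns (rule, subject, detail) tuples for a human to review."""
    findings = []
    for path, refs in parsed["loadpoints"].items():
        if len(refs) >= 2:                                 # same DLL at several autostart points
            findings.append(("dll_multiple_loadpoints", path, sorted(refs)))
    for d in parsed["drivers"]:
        if d["missing"]:                                   # service whose image file is gone
            findings.append(("driver_file_missing", d["name"], d["path"]))
        elif d["name"] == d["desc"] and RANDOM_NAME_RE.match(d["name"]):
            findings.append(("driver_random_name", d["name"], d["path"]))
    findings += [("netsvcs_random_name", n, None) for n in parsed["netsvcs"] if RANDOM_NAME_RE.match(n)]
    return findings


def build_cfscript(findings):
    """Draft the CFScript sections the helper used; every line still needs human review."""
    sections = {"File::": [], "NetSvc::": [], "Driver::": [], "Registry::": []}
    for rule, subject, detail in findings:
        if rule == "dll_multiple_loadpoints":
            sections["File::"].append(subject)
            for ref in detail:                             # tasks are files, the rest are keys
                kind, target = ref.split(":", 1)
                if kind == "task":
                    sections["File::"].append(target)
                else:
                    sections["Registry::"].append("[-" + target + "]")
        elif rule.startswith("driver_"):
            sections["Driver::"].append(subject)
            if rule == "driver_random_name":               # file still on disk, so remove it too
                sections["File::"].append(detail)
        else:                                              # netsvcs_random_name
            sections["NetSvc::"].append(subject)
    return "\n".join(line for header, items in sections.items() if items for line in [header, *items])


if __name__ == "__main__":
    print(build_cfscript(triage(parse_log(SAMPLE_LOG))))
```

Run it directly to print the draft, which for the sample lines lists the same items as the helper's script above. The draft needs the same judgement the helper applied: a missing-file entry such as AluriaFilter in the first log is an uninstall leftover rather than part of this infection, so the "driver_file_missing" rule is a prompt to look, not a verdict.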

Hi Mieke,

Here is the latest log. I decided to remove Norton AntiVirus before installing this latest fix. Hope that was okay to do.

Thanks for all of your help.

ComboFix 09-05-13.01 - Jackie 05/13/2009 21:54.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.687 [GMT -7:00]

Running from: c:\documents and settings\Jackie\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jackie\Desktop\CFscript.txt

FILE ::

c:\windows\system32\drivers\ftylnktu.sys

c:\windows\system32\olwpjuc.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\ftylnktu.sys

c:\windows\system32\olwpjuc.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FTYLNKTU

-------\Service_ftylnktu

-------\Service_zhydexfn

((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))

.

2009-05-12 21:50 . 2009-05-12 21:50 -------- d-----w c:\program files\Trend Micro

2009-05-12 20:51 . 2009-05-12 20:51 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-11 03:53 . 2009-05-11 03:53 -------- d-sh--w c:\documents and settings\Administrator\IETldCache

2009-05-11 02:46 . 2009-05-11 03:20 -------- d-----w c:\windows\system32\199638

2009-05-05 07:13 . 2009-05-05 07:13 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache

2009-05-05 07:11 . 2009-05-05 07:11 -------- d-sh--w c:\documents and settings\Jackie\PrivacIE

2009-05-05 07:09 . 2009-05-05 07:09 -------- d-sh--w c:\documents and settings\Jackie\IETldCache

2009-05-05 06:53 . 2009-05-05 06:53 -------- d-----w c:\windows\ie8updates

2009-05-05 06:51 . 2009-05-05 06:52 -------- dc-h--w c:\windows\ie8

2009-05-05 06:50 . 2009-05-05 06:54 -------- d--h--w c:\windows\msdownld.tmp

2009-05-05 06:47 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-04-15 03:46 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-15 03:46 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe

2009-04-15 03:46 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 03:46 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-15 03:46 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 03:46 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 03:46 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-15 03:46 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-15 03:46 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 03:46 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-15 03:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-15 03:45 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-14 04:55 . 2001-12-14 19:25 23424 ----a-w c:\windows\system32\drivers\yrtxovkt.sys

2009-05-14 04:51 . 2004-11-18 05:09 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-05-14 04:50 . 2004-11-18 05:09 -------- d-----w c:\program files\Symantec

2009-05-13 21:56 . 2001-12-14 22:45 -------- d-----w c:\program files\Yahoo!

2009-05-13 20:13 . 2009-01-11 20:51 1632 ----a-w c:\windows\system32\d3d8caps.dat

2009-05-11 04:49 . 2001-12-14 21:11 -------- d-----w c:\program files\Sony

2009-05-11 04:47 . 2005-09-18 17:06 -------- d-----w c:\program files\Hewlett-Packard

2009-05-11 04:12 . 2006-12-22 04:27 1744 ----a-w c:\windows\system32\d3d9caps.dat

2009-05-11 02:56 . 2009-01-07 08:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-06 22:32 . 2009-01-07 08:13 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 22:32 . 2009-01-07 08:13 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-19 16:12 . 2007-01-03 08:01 -------- d-----w c:\program files\DesignPro

2009-03-08 11:34 . 2004-01-08 23:23 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 11:34 . 2001-12-14 19:25 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 11:33 . 2001-12-14 19:25 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 11:33 . 2001-12-14 19:26 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 11:32 . 2001-12-14 19:25 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 11:32 . 2001-12-14 19:25 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 11:31 . 2001-12-14 19:25 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 11:31 . 2001-12-14 19:25 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 11:31 . 2001-12-14 19:25 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 11:22 . 2001-12-14 19:25 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:22 . 2001-12-14 19:25 284160 ----a-w c:\windows\system32\pdh.dll

2005-09-16 01:26 . 2004-11-18 02:02 41573 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2005-09-16 01:26 . 2004-11-18 02:02 48223 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2005-09-16 01:26 . 2004-11-18 02:02 160871 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-04-26 2220]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-23 1126400]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-17 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-1-22 815104]

VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2001-12-19 40960]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138801]

R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 5:13 AM 46800]

R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 1:53 PM 12032]

R2 V7;V7;c:\windows\system32\drivers\V7.SYS [11/17/2004 4:46 PM 7196]

R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392]

S0 AluriaFilter;AluriaFilter;c:\windows\system32\DRIVERS\AlurFltr.sys --> c:\windows\system32\DRIVERS\AlurFltr.sys [?]

S3 AL_ADSFilter;AL_ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\AL_ADSFilter.sys --> c:\windows\system32\DRIVERS\AL_ADSFilter.sys [?]

S3 BCM42XX;Broadcom iLine10 Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 5:55 PM 54271]

S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 12:26 PM 593000]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FTYLNKTU

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\x63txie9.default\

FF - prefs.js: browser.search.selectedEngine - Dictionary.com

FF - prefs.js: browser.startup.homepage - hxxp://www.rhythmicmom.com/forum/|http://www.usa-gymnastics.org/|http://rhythmicregion1.proboards28.com/

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-13 22:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3112)

c:\windows\system32\ieframe.dll

c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll

c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll

c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL

c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

c:\windows\system32\nvsvc32.exe

c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wscript.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\support.com\client\bin\tgcmd.exe

.

**************************************************************************

.

Completion time: 2009-05-14 22:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-14 05:06

ComboFix2.txt 2009-05-13 22:33

Pre-Run: 197,063,475,200 bytes free

Post-Run: 196,985,106,432 bytes free

246 --- E O F --- 2009-04-15 10:05


  • Staff

Hi,

Let's give this another run...

* Open Notepad - don't use any other text editor than Notepad, or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\drivers\yrtxovkt.sys

Folder::

c:\windows\system32\199638

Driver::

yrtxovkt

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

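The post above spells out the CFScript layout (File::, Folder::, Driver:: sections) and the kind of entry that gets targeted: a driver with a random-looking name living in system32\drivers. As an added example, not part of this thread and not ComboFix's own code, here is a small triage script that runs the same reasoning over ComboFix log lines: it flags service/driver lines whose service name looks machine-generated, any *NewlyCreated* driver, and Services keys whose ImagePath is "-", then renders the flagged drivers in the File::/Driver:: layout the staff post uses. The sample log is constructed to mirror lines from this thread (the yrtxovkt line's state and description are assumed; the log only shows it as a deleted file), and the "random-looking name" test is a heuristic of mine, not anything ComboFix does.

```python
import re

# Constructed sample, modelled on the ComboFix log lines in this thread.
# The yrtxovkt service line is assumed (the log only shows the file deletion).
SAMPLE_LOG = r"""
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138801]
R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 1:53 PM 12032]
R1 yrtxovkt;yrtxovkt;c:\windows\system32\drivers\yrtxovkt.sys [?]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 12:26 PM 593000]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - FTYLNKTU
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
"""

# "R1 name;description;path.sys [date size]" service/driver lines
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?\.sys)(?:\s|$)", re.I)
# "*NewlyCreated* - NAME" under "Other Services/Drivers In Memory"
NEWLY_RE = re.compile(r"^\*NewlyCreated\*\s+-\s+(\S+)")
# Services registry key followed by an "ImagePath"="-" value
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]", re.I)
BLANK_IMAGEPATH_RE = re.compile(r'^"ImagePath"="-"$')

VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (mine, not ComboFix's): exactly 8 letters, at most one vowel,
    and a run of 4+ consonants. Catches names like yrtxovkt / FTYLNKTU; it
    will also hit a few legitimate 8-letter driver names, so treat hits as
    leads for a human, not verdicts."""
    if len(name) != 8 or not name.isalpha():
        return False
    low = name.lower()
    vowel_count = sum(c in VOWELS for c in low)
    runs = re.findall(r"[^aeiou]+", low)
    longest_run = max((len(r) for r in runs), default=0)
    return vowel_count <= 1 and longest_run >= 4


def triage(log_text: str) -> list[dict]:
    """Walk the log once and collect review leads as dicts."""
    findings = []
    pending_key = None  # Services key waiting for its ImagePath value
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            state, svc, _desc, path = m.groups()
            if looks_random(svc):
                findings.append({"kind": "driver", "name": svc,
                                 "path": path, "state": state})
            continue
        m = NEWLY_RE.match(line)
        if m and looks_random(m.group(1)):
            findings.append({"kind": "newly_created", "name": m.group(1)})
            continue
        m = SERVICE_KEY_RE.match(line)
        if m:
            pending_key = m.group(1)
            continue
        if pending_key and BLANK_IMAGEPATH_RE.match(line):
            findings.append({"kind": "blank_imagepath", "name": pending_key})
            pending_key = None
    return findings


def build_cfscript(findings: list[dict]) -> str:
    """Render flagged driver files/services in the File::/Driver:: layout
    shown in the thread. Only 'driver' findings go in; the other kinds are
    leads that need confirming before they belong in a removal script."""
    files = [f["path"] for f in findings if f["kind"] == "driver"]
    drivers = [f["name"] for f in findings if f["kind"] == "driver"]
    out = []
    if files:
        out += ["File::", *files, ""]
    if drivers:
        out += ["Driver::", *drivers, ""]
    return "\n".join(out)


if __name__ == "__main__":
    leads = triage(SAMPLE_LOG)
    for lead in leads:
        print(lead)
    print(build_cfscript(leads))
```

Only the driver findings are written into the script body; a *NewlyCreated* entry or a blank ImagePath is reported so a person can check it against the rest of the log (a newly created driver can belong to the scanning tools themselves), which is the same judgement the helper in this thread is applying by hand.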

Thanks, it looks like we are chasing our tails. As soon as we get rid of one, another pops up.

Should I keep the computer disconnected from the internet?

----------------------------------------------------------------------------------------------------------------------------

ComboFix 09-05-13.01 - Jackie 05/14/2009 13:16.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.591 [GMT -7:00]

Running from: c:\documents and settings\Jackie\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jackie\Desktop\cfscript.txt

FILE ::

c:\windows\system32\drivers\yrtxovkt.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\yrtxovkt.sys

.

((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))

.

2009-05-12 21:50 . 2009-05-12 21:50 -------- d-----w c:\program files\Trend Micro

2009-05-12 20:51 . 2009-05-12 20:51 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-11 03:53 . 2009-05-11 03:53 -------- d-sh--w c:\documents and settings\Administrator\IETldCache

2009-05-05 07:13 . 2009-05-05 07:13 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache

2009-05-05 07:11 . 2009-05-05 07:11 -------- d-sh--w c:\documents and settings\Jackie\PrivacIE

2009-05-05 07:09 . 2009-05-05 07:09 -------- d-sh--w c:\documents and settings\Jackie\IETldCache

2009-05-05 06:53 . 2009-05-05 06:53 -------- d-----w c:\windows\ie8updates

2009-05-05 06:51 . 2009-05-05 06:52 -------- dc-h--w c:\windows\ie8

2009-05-05 06:50 . 2009-05-05 06:54 -------- d--h--w c:\windows\msdownld.tmp

2009-05-05 06:47 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-04-15 03:46 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-15 03:46 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe

2009-04-15 03:46 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 03:46 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-15 03:46 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 03:46 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 03:46 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-15 03:46 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-15 03:46 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 03:46 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-15 03:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-15 03:45 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-14 04:51 . 2004-11-18 05:09 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-05-14 04:50 . 2004-11-18 05:09 -------- d-----w c:\program files\Symantec

2009-05-13 21:56 . 2001-12-14 22:45 -------- d-----w c:\program files\Yahoo!

2009-05-13 20:13 . 2009-01-11 20:51 1632 ----a-w c:\windows\system32\d3d8caps.dat

2009-05-11 04:49 . 2001-12-14 21:11 -------- d-----w c:\program files\Sony

2009-05-11 04:47 . 2005-09-18 17:06 -------- d-----w c:\program files\Hewlett-Packard

2009-05-11 04:12 . 2006-12-22 04:27 1744 ----a-w c:\windows\system32\d3d9caps.dat

2009-05-11 02:56 . 2009-01-07 08:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-06 22:32 . 2009-01-07 08:13 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 22:32 . 2009-01-07 08:13 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-19 16:12 . 2007-01-03 08:01 -------- d-----w c:\program files\DesignPro

2009-03-08 11:34 . 2004-01-08 23:23 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 11:34 . 2001-12-14 19:25 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 11:33 . 2001-12-14 19:25 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 11:33 . 2001-12-14 19:26 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 11:32 . 2001-12-14 19:25 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 11:32 . 2001-12-14 19:25 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 11:31 . 2001-12-14 19:25 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 11:31 . 2001-12-14 19:25 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 11:31 . 2001-12-14 19:25 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 11:22 . 2001-12-14 19:25 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:22 . 2001-12-14 19:25 284160 ----a-w c:\windows\system32\pdh.dll

2005-09-16 01:26 . 2004-11-18 02:02 41573 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2005-09-16 01:26 . 2004-11-18 02:02 48223 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2005-09-16 01:26 . 2004-11-18 02:02 160871 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-05-13_22.30.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-05-11 10:00 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-04-26 2220]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-23 1126400]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-17 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-1-22 815104]

VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2001-12-19 40960]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138801]

R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 5:13 AM 46800]

R2 SonyFKC;FAN and Keyboard Control Service;c:\windows\system32\drivers\SonyFKC.sys [12/14/2001 1:53 PM 12032]

R2 V7;V7;c:\windows\system32\drivers\V7.SYS [11/17/2004 4:46 PM 7196]

R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 1:48 PM 602392]

S0 AluriaFilter;AluriaFilter;c:\windows\system32\DRIVERS\AlurFltr.sys --> c:\windows\system32\DRIVERS\AlurFltr.sys [?]

S3 AL_ADSFilter;AL_ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\AL_ADSFilter.sys --> c:\windows\system32\DRIVERS\AL_ADSFilter.sys [?]

S3 BCM42XX;Broadcom iLine10 Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [12/14/2001 5:55 PM 54271]

S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [12/14/2001 12:26 PM 593000]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FTYLNKTU

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\x63txie9.default\

FF - prefs.js: browser.search.selectedEngine - Dictionary.com

FF - prefs.js: browser.startup.homepage - hxxp://www.rhythmicmom.com/forum/|http://www.usa-gymnastics.org/|http://rhythmicregion1.proboards28.com/

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-14 13:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

.

Completion time: 2009-05-14 13:23

ComboFix-quarantined-files.txt 2009-05-14 20:22

ComboFix2.txt 2009-05-14 05:07

ComboFix3.txt 2009-05-13 22:33

Pre-Run: 196,996,857,856 bytes free

Post-Run: 197,013,016,576 bytes free

210 --- E O F --- 2009-05-14 10:02


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


  • Staff

Glad I could help. :P

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

