Old 01-13-2008, 12:16 AM   #23 (permalink)
mmartin784
Registered User
 
Join Date: Jan 2008
Posts: 23
OS: XP Home Edition 2002 service pack 1


Re: search-daily hijack

Files have been submitted for analysis, and the ComboFix log is below.


ComboFix 08-01-13.1 - Martin 2008-01-13 1:00:04.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.98 [GMT -6:00]
Running from: C:\Documents and Settings\Martin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Martin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\dhesaybh.dat
C:\WINDOWS\SYSTEM32\duaepeqa.dat
C:\WINDOWS\SYSTEM32\lvuqxizx.dat
C:\WINDOWS\SYSTEM32\mwtmqymy.dat
C:\WINDOWS\SYSTEM32\ygszobyi.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\AppCert
C:\WINDOWS\SYSTEM32\AppCert\filter.drv
C:\WINDOWS\SYSTEM32\AppCert\hb13a.dll
C:\WINDOWS\SYSTEM32\AppCert\options.dat
C:\WINDOWS\SYSTEM32\AppCert\prx97w.dll
C:\WINDOWS\SYSTEM32\AppCert\wsil32.dll
C:\WINDOWS\SYSTEM32\dhesaybh.dat
C:\WINDOWS\SYSTEM32\duaepeqa.dat
C:\WINDOWS\SYSTEM32\lvuqxizx.dat
C:\WINDOWS\SYSTEM32\mwtmqymy.dat
C:\WINDOWS\SYSTEM32\ygszobyi.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 22:40 . 2003-07-16 14:44 245,920 -r-hs---- C:\cmldr
2008-01-12 22:40 . 2007-01-15 19:57 211 -rahs---- C:\BOOT.BAK
2008-01-12 21:29 . 2008-01-12 21:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 13:57 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-01-12 13:33 . 2008-01-12 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-12 13:33 . 2008-01-12 13:33 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-12 13:33 . 2008-01-12 13:33 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-12 13:33 . 2008-01-12 13:33 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-12 12:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 00:17 . 2008-01-12 00:17 <DIR> d-------- C:\Deckard
2008-01-12 00:09 . 2008-01-12 00:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 00:09 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\SYSTEM32\MSINET.OCX
2008-01-10 20:40 . 2008-01-10 20:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Webroot
2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Program Files\Webroot
2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Webroot
2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-10 20:13 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-10 20:13 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2008-01-10 20:13 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2008-01-10 20:13 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2008-01-10 20:13 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0BB9.sys
2008-01-10 20:12 . 2008-01-10 20:27 164 --a------ C:\install.dat
2008-01-09 21:46 . 2008-01-09 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-09 21:46 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-01-09 21:46 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-09 21:46 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-01-07 20:53 . 2008-01-07 20:59 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-06 14:59 . 2008-01-06 14:59 1,188,375 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2008-01-06 14:59 . 2008-01-06 14:59 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-12 20:32 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-12 20:26 --------- d-----w C:\Program Files\iTunes
2008-01-11 05:59 --------- d-----w C:\Program Files\Family Trees Quick & Easy 5
2007-12-24 05:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-14 06:38 --------- d-----w C:\Program Files\TotalFax 7.0
2007-11-07 04:40 724,984 ----a-w C:\Documents and Settings\Martin\gotomypc_437.exe
2005-07-24 17:22 32 --sha-w C:\WINDOWS\{3E6F4D71-DAD8-40A3-A03E-6BAE2FEC7583}.dat
2005-07-24 17:22 32 --sha-w C:\WINDOWS\SYSTEM32\{9D957D8C-3407-47AA-AA06-4EC784B82DB4}.dat
.

((((((((((((((((((((((((((((( snapshot_2008-01-12_20.42.54.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 02:40:47 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 06:59:42 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 02:40:47 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 06:59:42 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 02:40:47 229,376 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 06:59:43 229,376 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 02:40:47 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 06:59:43 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 02:40:47 4,390,912 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 06:59:43 4,411,392 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 02:40:47 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 06:59:43 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2001-07-14 23:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 05:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47 204800]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 16:21 294912]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-25 23:11 180269]
"ccApp"="-" []
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 21:23 34504]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-25 14:02 100056]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 06:28:54 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2005-07-24 17:43:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-01-11 02:13:49 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 01:03:56
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 1:10:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 07:10:08
ComboFix2.txt 2008-01-13 05:16:18
ComboFix3.txt 2008-01-13 03:18:45
ComboFix4.txt 2008-01-13 02:43:32