Please check these results for Malware
Bunnymommy
2010-10-26, 14:56
Please can someone check these results for anything malware related. My internet keeps acting strange. The first time I ran Spybot it found several pieces of spyware; one was Virtumonde. So I am a little bit paranoid now. Thanks in advance.
DDS (Ver_10-10-21.02) - NTFSx86
Run by Romy (Bunnymommy) at 12:46:54.81 on 26/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.178 [GMT 1:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Romy (Bunnymommy)\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\romy(b~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-6 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-5 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-5 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-9-21 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-14 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20101025.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101025.040\NAVENG.SYS [2010-10-26 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101025.040\NAVEX15.SYS [2010-10-26 1371184]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-21 30192]
=============== Created Last 30 ================
2010-10-19 15:50:55 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50:55 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50:55 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50:49 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-18 20:04:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 20:04:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-18 19:43:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-13 12:04:39 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Symantec
2010-10-13 12:04:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 12:04:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 12:04:03 -------- d-----w- c:\program files\Symantec
2010-10-13 12:04:03 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-13 12:03:29 -------- d-----w- c:\program files\Norton 360
2010-10-13 11:25:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-10-13 11:25:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-13 11:25:40 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-13 11:25:40 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-13 11:25:21 -------- d-----w- c:\program files\NVIDIA Corporation
2010-10-07 21:08:27 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Help
2010-10-05 15:23:59 67603282 ----a-w- C:\regbkp.reg
2010-10-05 15:01:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton VRQ
2010-10-05 13:58:30 -------- d-----w- c:\windows\LMIE.tmp
2010-10-05 13:53:47 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\NPE
2010-10-05 12:57:36 43696 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtspx.sys
2010-10-05 12:57:36 361904 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdi.sys
2010-10-05 12:57:36 339504 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys
2010-10-05 12:57:36 328752 ----a-r- c:\windows\system32\drivers\n360\0403000.005\symds.sys
2010-10-05 12:57:36 173104 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symefa.sys
2010-10-05 12:57:35 501888 ----a-w- c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys
2010-10-05 12:57:35 325680 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtsp.sys
2010-10-05 12:57:35 116784 ----a-w- c:\windows\system32\drivers\n360\0403000.005\ironx86.sys
2010-10-05 12:57:19 -------- d-----w- c:\windows\system32\drivers\n360\0403000.005
2010-10-02 17:46:05 -------- d-----w- c:\program files\iPod
2010-09-29 01:09:47 -------- d-----w- c:\docume~1\romy(b~1\applic~1\Malwarebytes
2010-09-29 01:09:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-29 00:26:18 -------- d-----w- c:\program files\PC Tools Security
2010-09-29 00:23:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-09-28 15:27:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-28 15:27:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-28 15:27:54 423656 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-09-26 22:26:16 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-09-26 22:14:19 215920 ----a-w- c:\windows\system32\muweb.dll
2010-09-26 22:14:19 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-09-26 22:14:18 274288 ----a-w- c:\windows\system32\mucltui.dll
==================== Find3M ====================
2010-09-23 22:31:36 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31:36 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 12:47:48.21 ===============
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:
Step # 1: Download and run DDS
Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.com)
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Step # 2: Download and Run Gmer
Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error, etc.!
Please post the results from the GMER scan in your reply.
In your next post/reply, I need to see the following:
1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log
Use multiple posts if you can't fit everything into one post.
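Triage logic for the DDS log layout posted above, as an added example that is not part of this thread or of the DDS tool itself: it splits a log into its banner sections and flags the entries a helper would look at first (processes and autoruns in user-writable folders, system process names outside system32, AppInit_DLLs and Hosts overrides), while ignoring the scanner's own files. The sample log is constructed: most lines are copied from the thread, the Temp\svchost.exe process is invented to produce a finding, and the directory and name lists are assumptions, not anything DDS defines.

```python
import re

# Constructed sample in the DDS layout used in this thread: most lines are
# copied from the posted log; the Temp\svchost.exe line is invented to show a
# finding and is not something the thread reports.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Romy (Bunnymommy)\My Documents\Downloads\dds.scr
C:\DOCUME~1\ROMY(B~1\LOCALS~1\Temp\svchost.exe
============== Pseudo HJT Report ===============
mSearchAssistant = hxxp://www.google.com/ie
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
StartupFolder: c:\docume~1\romy(b~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-5 328752]
============= FINISH: 12:47:48.21 ===============
"""

# DDS marks each section with a banner of '=' signs around its name.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# User-writable locations from which a process or autorun deserves a second
# look. Legitimate software lives here too, so these are review flags, not
# verdicts (assumed list, not one the DDS tool defines).
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\application data\\", "\\applic~1\\")

# Names that, on XP, normally run only from %windir%\system32. A copy elsewhere
# is a classic disguise and worth flagging, although this alone proves nothing.
SYSTEM_ONLY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "spoolsv.exe"}

# The diagnostic tools show up in their own logs (dds.scr is the scanner; the
# helper later notes MBR.DAT belongs to DDS), so do not flag them.
TOOL_ARTIFACTS = ("dds.scr", "dds.com", "mbr.dat", "gmer.exe")


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]} in log order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _basename(path):
    """Lower-cased file name of a DDS process line, ignoring arguments."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1].split(" ")[0]


def triage(text):
    """Return (category, line) pairs for the entries a helper would check first."""
    sections = parse_sections(text)
    findings = []

    for proc in sections.get("Running Processes", []):
        low = proc.lower()
        name = _basename(proc)
        if name.startswith(TOOL_ARTIFACTS) or "\\" not in low:
            continue  # DDS prints some svchost instances with no path at all
        if name in SYSTEM_ONLY_NAMES and "\\system32\\" not in low:
            findings.append(("system-name-outside-system32", proc))
        elif any(d in low for d in USER_WRITABLE):
            findings.append(("process-in-user-writable-dir", proc))

    for entry in sections.get("Pseudo HJT Report", []):
        key = entry.split(":", 1)[0]
        if key in ("uRun", "mRun"):
            target = entry.split("]", 1)[-1].strip()   # text after "[name]"
        elif key == "StartupFolder":
            target = entry.split(" - ", 1)[-1].strip()  # the .lnk target
        elif key == "AppInit_DLLs":
            # Loaded into every process that uses user32.dll: a persistence
            # point worth verifying even when, as here, the DLL is Google's.
            findings.append(("appinit-dll-loaded-into-every-process", entry))
            continue
        elif key == "Hosts":
            # DDS lists Hosts entries beyond the default localhost line.
            findings.append(("hosts-override", entry))
            continue
        else:
            continue
        low = target.lower()
        if "\\" not in low:
            findings.append(("autorun-without-full-path", entry))
        elif any(d in low for d in USER_WRITABLE):
            findings.append(("autorun-in-user-writable-dir", entry))

    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"[{category}] {line}")
```

Every flag is a prompt to verify the file (publisher, signature, hash) rather than a verdict; the Google AppInit DLL and the SkyTel audio entry in the posted log are examples of flagged items that are normally benign.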
Bunnymommy
2010-11-03, 20:24
Thanks for your help. During the DDS my Norton came up twice with a malware warning to stop "MBR.DAT".
DDS (Ver_10-11-03.01) - NTFSx86
Run by Romy (Bunnymommy) at 18:18:45.04 on 03/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.215 [GMT 0:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Romy (Bunnymommy)\My Documents\Downloads\dds(2).scr
============== Pseudo HJT Report ===============
mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\romy(b~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20101029.001\BHDrvx86.sys [2010-11-2 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-5 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-5 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-9-21 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-14 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20101102.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101103.002\naveng.sys [2010-11-3 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101103.002\navex15.sys [2010-11-3 1371184]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-21 30192]
=============== Created Last 30 ================
2010-10-19 15:50:55 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50:55 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50:55 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50:49 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-18 20:04:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 20:04:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-18 19:43:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-13 12:04:39 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Symantec
2010-10-13 12:04:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 12:04:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 12:04:03 -------- d-----w- c:\program files\Symantec
2010-10-13 12:04:03 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-13 12:03:29 -------- d-----w- c:\program files\Norton 360
2010-10-13 11:25:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-10-13 11:25:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-13 11:25:40 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-13 11:25:40 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-13 11:25:21 -------- d-----w- c:\program files\NVIDIA Corporation
2010-10-07 21:08:27 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Help
2010-10-05 15:23:59 67603282 ----a-w- C:\regbkp.reg
2010-10-05 15:01:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton VRQ
2010-10-05 13:58:30 -------- d-----w- c:\windows\LMIE.tmp
2010-10-05 13:53:47 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\NPE
2010-10-05 12:57:36 43696 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtspx.sys
2010-10-05 12:57:36 361904 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdi.sys
2010-10-05 12:57:36 339504 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys
2010-10-05 12:57:36 328752 ----a-r- c:\windows\system32\drivers\n360\0403000.005\symds.sys
2010-10-05 12:57:36 173104 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symefa.sys
2010-10-05 12:57:35 501888 ----a-w- c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys
2010-10-05 12:57:35 325680 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtsp.sys
2010-10-05 12:57:35 116784 ----a-w- c:\windows\system32\drivers\n360\0403000.005\ironx86.sys
2010-10-05 12:57:19 -------- d-----w- c:\windows\system32\drivers\n360\0403000.005
==================== Find3M ====================
2010-09-28 15:27:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-28 15:27:41 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-23 22:31:36 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31:36 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 18:21:06.50 ===============
Bunnymommy
2010-11-03, 20:33
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit quick scan 2010-11-03 18:30:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ROMY(B~1\LOCALS~1\Temp\kwlyakoc.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- EOF - GMER 1.0.15 ----
During the DDS my Norton came up twice with a malware warning to stop "MBR.DAT".
MBR.DAT is part of DDS, so it's ok. :) When I have you run it again and Norton pops up with a warning to stop MBR.DAT, go ahead and tell Norton to let it run/don't stop it.
Step # 1: Disable Teatimer
Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.
This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in the left panel, click Resident (it shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.
Step # 2: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
Bunnymommy
2010-11-03, 21:18
I'm having problems downloading and running Combofix. The first time I downloaded it an error came up saying "CFScript incorrectly spelt". I clicked okay but then it all disappeared and I couldn't find Combofix again. The second and third times I tried to download and run Combofix I got the error "Cannot rename Combofix as Combofix(2)", but my computer/Firefox download is automatically calling it that and there is no option when right-clicking to rename. :confused:
Bunnymommy
2010-11-03, 21:21
Okay, I've just managed to find the original Combofix download and saved a shortcut to my desktop. Tried to run it again but got the same error as before, "CFScript incorrectly spelt", and it closes the program.
Ok, let's do this.
First, delete ComboFix.exe (and its shortcut) off of your computer.
Then follow the instructions below:
Step # 1: Download and Run ComboFix
Download ComboFix from any of the links below. You must rename it to bunnymommy.exe before saving it. Save it to your Desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
--------------------------------------------------------------------
*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on bunnymommy.exe & follow the prompts.
When finished, it will produce a report for you.
Please include C:\ComboFix.txt in your next reply so we can continue cleaning the system.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Be sure that Norton is disabled before you run ComboFix.
Bunnymommy
2010-11-04, 21:23
The same error happened
Bunnymommy
2010-11-04, 21:58
Just to clarify, I mean the "CFScript incorrectly spelt" error message keeps happening again.
Just to clarify, I mean the "CFScript incorrectly spelt" error message keeps happening again.
Is that all the error message says? Is there more than just "CFScript incorrectly spelt"? If there is, please post the message in its entirety in your next post/reply.
Try booting your computer into Safe Mode (You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.) and running ComboFix while in Safe Mode.
If you get a ComboFix Log, please post it in your next post/reply.
Bunnymommy
2010-11-05, 20:55
The error box is headed "CFScript Name Error" and inside the box it says "were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt"
I will now try safe mode
Ok, thanks for the info on the CFScript error message.
Let me know how it goes in Safe Mode. :)
Bunnymommy
2010-11-05, 21:04
Hia, just tried it in safe mode and the exact same error message came up. :confused:
Have you been just using Firefox to download ComboFix? Let's try downloading it with Internet Explorer and see if that message comes up.
First, delete all instances of ComboFix (bunnymommy.exe) off of your computer.
Then download it using Internet Explorer using one of the two links below:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
No need to rename it and make sure that is saved to your Desktop.
Try running ComboFix and let me know what happens. If you get a ComboFix Log, go ahead and post it. :)
Bunnymommy
2010-11-05, 22:14
No, the same problem happened with both links.
Ok, we'll try one more thing and if you still get the "CFScript incorrectly spelt" error, I'm going to ask for some help as I'm running out of ideas.
For this to work, ComboFix.exe must be on your Desktop.
Click the Windows 'Start' button > Select 'Run' - then copy/paste what's below (include the quotation marks) into the run box & click OK:
"%userprofile%\desktop\combofix.exe"
Bunnymommy
2010-11-06, 02:01
No it did it again. :confused: Thanks for your continued help.
Ok.
I'm going to ask for some help on this, I'll be back ASAP. :)
Thanks to sUBs for the help. :)
I'd like for you to move ComboFix.exe off of the Desktop and place it in C:\.
Once you have C:\ComboFix.exe, try running ComboFix and let me know what happens and post the log if you get one.
Bunnymommy
2010-11-06, 20:33
Yay that worked, thanks! Okay here is the log:
ComboFix 10-11-05.05 - Romy (Bunnymommy) 06/11/2010 18:18:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.359 [GMT 0:00]
Running from: C:\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))
.
2010-10-26 11:45 . 2010-10-26 11:45 -------- d-----w- c:\program files\ERUNT
2010-10-19 18:55 . 2010-10-19 18:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-10-19 18:55 . 2010-10-19 18:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple
2010-10-19 15:50 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-19 15:46 . 2010-10-19 15:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-10-19 15:44 . 2010-10-19 15:44 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2010-10-19 15:44 . 2010-10-19 15:44 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2010-10-18 20:04 . 2010-10-20 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-18 20:04 . 2010-10-20 18:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 19:43 . 2010-10-18 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-10-13 12:04 . 2010-10-13 12:04 -------- d-----w- c:\documents and settings\Romy (Bunnymommy)\Local Settings\Application Data\Symantec
2010-10-13 12:04 . 2010-10-13 12:04 -------- d-----w- c:\program files\Symantec
2010-10-13 12:04 . 2010-10-13 12:04 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 12:04 . 2010-10-13 12:04 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 12:04 . 2010-10-05 17:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-13 12:03 . 2010-10-13 12:03 -------- d-----w- c:\program files\Norton 360
2010-10-13 11:25 . 2010-10-13 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-10-13 11:25 . 2010-10-13 11:25 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-13 11:25 . 2010-10-13 11:25 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-13 11:25 . 2010-10-13 11:25 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-13 11:25 . 2010-10-13 11:27 -------- d-----w- c:\program files\NVIDIA Corporation
2010-10-07 21:08 . 2010-10-07 21:08 -------- d-----w- c:\documents and settings\Romy (Bunnymommy)\Local Settings\Application Data\Help
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 15:24 . 2010-10-05 15:23 67603282 ----a-w- C:\regbkp.reg
2010-09-28 15:27 . 2010-09-28 15:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-28 15:27 . 2010-09-28 15:27 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-23 22:31 . 2010-09-23 22:32 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31 . 2010-09-23 22:32 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-23 22:31 . 2005-10-26 20:12 20640 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-09-21 01:30 . 2010-09-21 01:30 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2010-09-18 11:23 . 2004-09-10 13:57 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-10 13:57 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-09-10 13:57 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-09-10 13:57 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2004-09-10 13:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-09-10 13:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-09-10 13:57 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2004-09-10 13:56 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-09-10 13:57 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-09-10 13:57 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-09-10 13:57 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-09-10 13:57 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-09-21 23:10 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-09-10 13:56 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-09-10 13:57 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-09-10 13:57 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
c:\documents and settings\Romy (Bunnymommy)\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 17:43 69632 ----a-w- c:\windows\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-21 23:28 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EULA]
2006-10-26 13:36 18944 ----a-w- c:\apps\PB_TB\EULALauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-09-21 03:11 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-10 13:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 15:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 15:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-10 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-10 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2006-03-15 23:07 421888 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-05-18 13:27 16207872 ----a-w- c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-09-21 23:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"nvsvc"=2 (0x2)
"NSL"=2 (0x2)
"MDM"=2 (0x2)
"McComponentHostService"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"GoogleDesktopManager-051210-111108"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [05/10/2010 12:57 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [05/10/2010 12:57 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20101029.001\BHDrvx86.sys [02/11/2010 19:25 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [05/10/2010 12:57 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [05/10/2010 12:57 116784]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [05/10/2010 12:57 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [21/09/2010 04:33 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [14/10/2010 18:36 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20101104.004\IDSXpx86.sys [19/10/2010 20:36 341880]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\ROMY(B~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\ROMY(B~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [21/09/2010 01:42 30192]
.
Contents of the 'Scheduled Tasks' folder
2010-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
2010-11-06 c:\windows\Tasks\User_Feed_Synchronization-{DAE7EBDB-22BF-4277-99B5-843AFA703031}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
MSConfigStartUp-ISTray - c:\program files\PC Tools Security\pctsGui.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-VRQ Uploader - c:\program files\NortonVRQ\Engine\5.0.3.4\VRQUploadFiles.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-06 18:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-06 18:28:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-06 18:28
Pre-Run: 181,300,920,320 bytes free
Post-Run: 181,154,906,112 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /bootlog
- - End Of File - - 04DCE090211382025BEFD9876FF3A9D8
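The ComboFix log above lists autostart entries ("Reg Loading Points"), the Windows Firewall policy and the installed services/drivers, and the helper reads those by eye. As an added example that is not part of the thread, ComboFix or DDS, the script below applies a few common triage cues to lines in that format: a Run entry with no directory (resolved through the PATH search order), an image under a Temp folder, a service whose file is marked `[?]` (not present on disk, as with the leftover F-Secure online-scanner minifilter), and `EnableFirewall` set to 0. The sample lines, the heuristics and the function names are constructed here; a hit is a cue to look at an entry, not a verdict that it is malicious.

```python
import re

# Constructed sample in the shape of the ComboFix/DDS lines above (assumed,
# not a real log file): a Run key, the firewall policy key and two services.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [05/10/2010 12:57 126392]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\ROMY(B~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\ROMY(B~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
"""

# "name"="image" [date size]   (Run key entries)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"')
# R0/R1/R2/R3/S3/S4 name;description;image [date size] or [?]
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.+)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def _image_path(rest):
    """Pull the executable path out of a service line's tail: drop the trailing
    "[date size]" or "[?]" marker and keep only the target of a "src --> dst"."""
    missing = rest.rstrip().endswith("[?]")
    rest = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)
    if " --> " in rest:
        rest = rest.split(" --> ")[-1]
    return rest.strip(), missing


def triage(log_text):
    """Scan ComboFix/DDS-style lines and return (kind, name, detail) cues."""
    findings = []
    section = None  # lower-cased registry key of the current block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.lower()
            continue
        if FIREWALL_RE.match(line) and section and "firewallpolicy" in section:
            findings.append(("firewall", "EnableFirewall",
                             "Windows Firewall is off for this profile; expected only if a third-party firewall is active"))
            continue
        m = RUN_RE.match(line)
        if m and section and section.endswith("\\run]"):
            name, image = m.group("name"), m.group("image")
            if "\\" not in image:
                findings.append(("unqualified", name,
                                 f"{image} has no directory, so it is resolved through the PATH search order"))
            elif "\\temp\\" in image.lower():
                findings.append(("temp", name, f"{image} runs from a Temp folder"))
            continue
        m = SVC_RE.match(line)
        if m:
            name = m.group("name")
            image, missing = _image_path(m.group("rest"))
            if missing:
                findings.append(("missing", name,
                                 f"{image} is not present on disk (leftover service entry)"))
            if "\\temp\\" in image.lower():
                findings.append(("temp", name, f"{image} runs from a Temp folder"))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {name}: {detail}")
```

On the sample above this reports the unqualified SkyTel entry, the disabled Windows Firewall (consistent with Norton 360's own firewall being enabled in the DDS header), and the F-Secure minifilter twice, once as missing and once as a Temp-folder image; the Norton service and the fully-qualified Run entries produce nothing.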
Step # 1 Update Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u22 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 21
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.
Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step # 3 Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
In your next post/reply, I need to see the following:
1. MalwareBytes' Log
2. A fresh DDS Log
Bunnymommy
2010-11-07, 22:13
Here is the mbam log. The weird thing is that there are two previous logs but I don't remember ever using this before!!
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5067
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
07/11/2010 19:52:30
mbam-log-2010-11-07 (19-52-30).txt
Scan type: Quick scan
Objects scanned: 151444
Time elapsed: 7 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
__________________________________________________
I have tried to run DDS twice now and both times I end up with the blue screen error
0x0000008E (0x80000004, 0x805BEA08, 0xB7F09844, 0x00000000)
Do you know what this means? I will try DDS again
Bunnymommy
2010-11-07, 22:18
Okay, it worked okay that time. Here is the DDS
DDS (Ver_10-10-21.02) - NTFSx86
Run by Romy (Bunnymommy) at 20:13:58.21 on 07/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.402 [GMT 0:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Romy (Bunnymommy)\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\romy(b~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20101029.001\BHDrvx86.sys [2010-11-2 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-5 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-5 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-9-21 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-14 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20101104.004\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101105.003\naveng.sys [2010-11-6 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101105.003\navex15.sys [2010-11-6 1371184]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-21 30192]
=============== Created Last 30 ================
2010-11-07 19:43:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-07 19:43:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-07 19:43:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-07 19:33:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 18:16:28 -------- d-sha-r- C:\cmdcons
2010-11-05 23:49:53 3903800 ----a-r- C:\ComboFix.exe
2010-11-03 19:07:40 98816 ----a-w- c:\windows\sed.exe
2010-11-03 19:07:40 88576 ----a-w- c:\windows\MBR.exe
2010-11-03 19:07:40 256512 ----a-w- c:\windows\PEV.exe
2010-11-03 19:07:40 161792 ----a-w- c:\windows\SWREG.exe
2010-10-19 15:50:55 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50:55 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50:55 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50:49 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-18 20:04:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 20:04:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-18 19:43:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-13 12:04:39 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Symantec
2010-10-13 12:04:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 12:04:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 12:04:03 -------- d-----w- c:\program files\Symantec
2010-10-13 12:04:03 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-13 12:03:29 -------- d-----w- c:\program files\Norton 360
2010-10-13 11:25:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-10-13 11:25:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-13 11:25:40 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-13 11:25:40 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-13 11:25:21 -------- d-----w- c:\program files\NVIDIA Corporation
==================== Find3M ====================
2010-11-07 19:33:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-05 15:24:07 67603282 ----a-w- C:\regbkp.reg
2010-09-23 22:31:36 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31:36 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 20:14:47.03 ===============
Here is the mbam log. The weird thing is that there are two previous logs but I don't remember ever using this before!!
Are you the only one that uses this computer? It's possible that someone else using the computer downloaded and ran MalwareBytes' in the past and later uninstalled it.
I have tried to run DDS twice now and both times I end up with the blue screen error
0x0000008E (0x80000004, 0x805BEA08, 0xB7F09844, 0x00000000)
Don't know why you got that blue screen when trying to run DDS and why you didn't get it when you ran DDS successfully. Did you get any blue screens from running any other programs/tools I had you download and run?
Your version of Adobe Reader is out of date. Open up Adobe Reader and click Help then Check for Updates. Once Adobe Reader is done checking for updates have it download and install Adobe Reader 9.4.0.
Step # 1: Run Kaspersky Online Scan
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. How is your computer doing, any problems?
Bunnymommy
2010-11-08, 22:02
Yes I am the only one that uses and has physical access to this machine. The odd thing is the dates are over the past few days or so. Could one of the other programs used it?
No other program I had you run uses MalwareBytes' or any part of MalwareBytes' except MalwareBytes' itself.
Go ahead and post the other two MalwareBytes' logs that you mentioned: "The weird thing is that there are two previous logs but I don't remember ever using this before!!"
Also post the Kaspersky Log once you've finished with Kaspersky online scanner, if you haven't done it yet. Plus let me know how the computer is doing. :)
Bunnymommy
2010-11-08, 23:04
Okay, I was downloading the Kaspersky scanner and database thing, which was taking ages, when my computer closed down again with a blue screen error. I started up again, but now every time I try to start the Kaspersky download it comes up with this error:
"The program could not be started.The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.
[ERROR: java.lang.NullPointerException]"
Bunnymommy
2010-11-08, 23:06
Here are the other two previous Malwarebytes logs:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4713
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
29/09/2010 02:20:09
mbam-log-2010-09-29 (02-20-09).txt
Scan type: Quick scan
Objects scanned: 147633
Time elapsed: 9 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
_________________________________________________
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4713
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
02/10/2010 18:50:35
mbam-log-2010-10-02 (18-50-35).txt
Scan type: Quick scan
Objects scanned: 146448
Time elapsed: 22 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Regarding the two MBAM Logs you posted, the first one was from September 29th and the 2nd one was from October 2nd. Your first post in this thread is from October 26th.
Did you buy this computer new or did you get it used/secondhand? Did you have this computer before September 29th of this year? If you did buy it used, more likely than not the previous owner(s) downloaded and used MalwareBytes' and then later uninstalled it and the logs from their previous runs stayed behind.
Okay, I was downloading the Kaspersky scanner and database thing, which was taking ages, when my computer closed down again with a blue screen error. I started up again, but now every time I try to start the Kaspersky download it comes up with this error:
"The program could not be started.The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.
[ERROR: java.lang.NullPointerException]"
Since Kaspersky isn't working for you, let's try another online scanner in its place:
I'd like us to scan your machine with ESET OnlineScan. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Push the Start button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Make sure that Remove found threats is unchecked
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Bunnymommy
2010-11-09, 00:28
That scanner found no threats
That scanner found no threats
That's good to hear. :bigthumb:
How's your computer doing now?
Bunnymommy? How is your computer doing?
Bunnymommy
2010-11-11, 23:52
Hiya, sorry for the delay coming back to you. I really appreciate all your help.
My computer was running really slow and things were popping up on screen that I hadn't wanted. It then crashed and I just started up again. I got an error message from Microsoft saying that I have the malware Spooldr.sys. This is the message:
"Remove possible malware from your computer
Your computer experienced a problem that was caused by spooldr.sys.
This product might be malware.
What is malware?
Malicious software, also known as malware, is designed to deliberately harm your computer or collect information about you (including personally identifiable or other sensitive information). For example, viruses, worms, and Trojan horses are malicious software.
We recommend that you use the free Windows Live OneCare safety scanner to check your computer for malware. The Windows Live OneCare safety scanner will help you decide whether to remove spooldr.sys.
Go to the following website, and then click Full Service Scan:
Windows Live OneCare safety scanner"
I'm a bit nervous now about downloading this safety scanner in case it's not real Microsoft. This is the web address of the link:
http://onecare.live.com/site/en-gb/scanner/install.htm?scanner=default&goback=http%3A%2F%2Fonecare.live.com%2Fsite%2Fen-gb%2Fdefault.htm
I'm a bit nervous now about downloading this safety scanner in case it's not real Microsoft.
Windows Live OneCare scanner is safe and it is from Microsoft. Instead of using it, let's go ahead and use the tools we already have on the computer and see what they tell us. :)
I'd like to get fresh runs and logs with the most recent versions of ComboFix and DDS.
Do everything in Normal Mode.
First, delete ComboFix.exe off of your computer and download the latest version from one of the links below:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
Save it to your Desktop and try running it. If ComboFix won't run from the Desktop, then go ahead and move it to C:\ like you did last time and run it from there.
After ComboFix is done, I'd like for you to delete DDS.scr off of your computer and download the latest version of DDS from one of the links below:
here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.infospyware.net/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.com)
Once the download of DDS is complete, run it.
In your next post/reply, I need to see the following:
1. ComboFix Log
2. Both the DDS and Attach.txt Logs
Bunnymommy
2010-11-12, 22:29
Okay, here is the ComboFix log. The first time I ran it I got an error box saying "PEV.cfxxe encountered a problem and had to close". It didn't seem to bother cf at first, but then my machine crashed. The second time I ran it, it was fine.
ComboFix 10-11-12.01 - Romy (Bunnymommy) 12/11/2010 20:18:22.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.633 [GMT 0:00]
Running from: C:\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
.
2010-11-08 20:27 . 2010-11-08 20:27 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-11-07 19:43 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-07 19:43 . 2010-11-07 19:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-07 19:43 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-07 19:33 . 2010-11-07 19:33 -------- d-----w- c:\program files\Common Files\Java
2010-11-07 19:33 . 2010-11-07 19:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-26 11:45 . 2010-10-26 11:45 -------- d-----w- c:\program files\ERUNT
2010-10-19 18:55 . 2010-10-19 18:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-10-19 18:55 . 2010-10-19 18:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple
2010-10-19 15:50 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-19 15:46 . 2010-10-19 15:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-10-19 15:44 . 2010-10-19 15:44 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2010-10-19 15:44 . 2010-10-19 15:44 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2010-10-18 20:04 . 2010-10-20 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-18 20:04 . 2010-10-20 18:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 19:43 . 2010-10-18 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 19:33 . 2010-09-28 15:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-13 12:04 . 2010-10-13 12:04 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 12:04 . 2010-10-13 12:04 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-05 15:24 . 2010-10-05 15:23 67603282 ----a-w- C:\regbkp.reg
2010-09-23 22:31 . 2010-09-23 22:32 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31 . 2010-09-23 22:32 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-23 22:31 . 2005-10-26 20:12 20640 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-09-21 01:30 . 2010-09-21 01:30 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2010-09-18 11:23 . 2004-09-10 13:57 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-10 13:57 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-09-10 13:57 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-09-10 13:57 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2004-09-10 13:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-09-10 13:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-09-10 13:57 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2004-09-10 13:56 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-09-10 13:57 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-09-10 13:57 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-09-10 13:57 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-09-10 13:57 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-09-21 23:10 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-09-10 13:56 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-09-10 13:57 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-09-10 13:57 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-11-06_18.26.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-12 20:16 . 2010-11-12 20:16 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
+ 2010-11-12 20:15 . 2010-11-12 20:15 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
- 2010-09-21 01:47 . 2010-11-06 18:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-21 01:47 . 2010-11-12 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-21 01:47 . 2010-11-06 18:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-09-21 01:47 . 2010-11-12 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-09-21 01:47 . 2010-11-06 18:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-09-21 01:47 . 2010-11-12 20:14 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-09-21 01:41 . 2010-10-19 15:52 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2010-09-21 01:41 . 2010-11-10 01:53 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2010-09-21 01:41 . 2010-11-10 01:53 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2010-09-21 01:41 . 2010-10-19 15:52 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2010-09-21 01:41 . 2010-10-19 15:52 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2010-09-21 01:41 . 2010-11-10 01:53 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2010-09-21 01:41 . 2010-11-10 01:53 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2010-09-21 01:41 . 2010-10-19 15:52 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2010-09-21 01:41 . 2010-11-10 01:53 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2010-09-21 01:41 . 2010-10-19 15:52 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2010-09-21 01:41 . 2010-10-19 15:52 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2010-09-21 01:41 . 2010-11-10 01:53 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2010-09-21 01:41 . 2010-11-10 01:53 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2010-09-21 01:41 . 2010-10-19 15:52 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2010-11-07 19:17 . 2010-11-07 19:17 8192 c:\windows\ERDNT\AutoBackup\07-11-2010\Users\00000002\UsrClass.dat
+ 2010-11-07 19:33 . 2010-11-07 19:33 153376 c:\windows\system32\javaws.exe
- 2010-09-28 15:27 . 2010-09-28 15:27 153376 c:\windows\system32\javaws.exe
- 2010-09-28 15:27 . 2010-09-28 15:27 145184 c:\windows\system32\javaw.exe
+ 2010-11-07 19:33 . 2010-11-07 19:33 145184 c:\windows\system32\javaw.exe
- 2010-09-28 15:27 . 2010-09-28 15:27 145184 c:\windows\system32\java.exe
+ 2010-11-07 19:33 . 2010-11-07 19:33 145184 c:\windows\system32\java.exe
+ 2010-11-07 19:33 . 2010-11-07 19:33 180224 c:\windows\Installer\25a25.msi
+ 2010-11-07 19:33 . 2010-11-07 19:33 677376 c:\windows\Installer\25a20.msi
+ 2010-11-12 20:15 . 2010-11-12 20:15 180224 c:\windows\ERDNT\AutoBackup\12-11-2010\Users\00000002\UsrClass.dat
+ 2010-11-12 20:15 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\12-11-2010\ERDNT.EXE
+ 2010-11-11 20:58 . 2010-11-11 20:58 180224 c:\windows\ERDNT\AutoBackup\11-11-2010\Users\00000002\UsrClass.dat
+ 2010-11-11 20:58 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\11-11-2010\ERDNT.EXE
+ 2010-11-10 01:16 . 2010-11-10 01:16 180224 c:\windows\ERDNT\AutoBackup\10-11-2010\Users\00000002\UsrClass.dat
+ 2010-11-10 01:16 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\10-11-2010\ERDNT.EXE
+ 2010-11-09 20:50 . 2010-11-09 20:50 180224 c:\windows\ERDNT\AutoBackup\09-11-2010\Users\00000002\UsrClass.dat
+ 2010-11-09 20:50 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\09-11-2010\ERDNT.EXE
+ 2010-11-08 19:55 . 2010-11-08 19:55 180224 c:\windows\ERDNT\AutoBackup\08-11-2010\Users\00000002\UsrClass.dat
+ 2010-11-08 19:55 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\08-11-2010\ERDNT.EXE
+ 2010-11-07 19:17 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\07-11-2010\ERDNT.EXE
+ 2006-02-14 08:20 . 2008-03-20 18:06 1480232 c:\windows\system32\LegitCheckControl.dll
+ 2010-10-04 16:00 . 2010-10-04 16:00 7973888 c:\windows\Installer\24b257.msp
+ 2010-11-08 20:28 . 2010-11-08 20:28 3940864 c:\windows\Installer\1e502b.msi
+ 2010-11-12 20:15 . 2010-11-12 20:15 5570560 c:\windows\ERDNT\AutoBackup\12-11-2010\Users\00000001\NTUSER.DAT
+ 2010-11-11 20:58 . 2010-11-11 20:58 5570560 c:\windows\ERDNT\AutoBackup\11-11-2010\Users\00000001\NTUSER.DAT
+ 2010-11-10 01:16 . 2010-11-10 01:16 5570560 c:\windows\ERDNT\AutoBackup\10-11-2010\Users\00000001\NTUSER.DAT
+ 2010-11-09 20:50 . 2010-11-09 20:50 5570560 c:\windows\ERDNT\AutoBackup\09-11-2010\Users\00000001\NTUSER.DAT
+ 2010-11-08 19:55 . 2010-11-08 19:55 5570560 c:\windows\ERDNT\AutoBackup\08-11-2010\Users\00000001\NTUSER.DAT
+ 2010-11-07 19:17 . 2010-11-07 19:17 5304320 c:\windows\ERDNT\AutoBackup\07-11-2010\Users\00000001\NTUSER.DAT
+ 2010-09-21 23:40 . 2010-11-10 01:50 35758536 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
c:\documents and settings\Romy (Bunnymommy)\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 17:43 69632 ----a-w- c:\windows\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-21 23:28 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EULA]
2006-10-26 13:36 18944 ----a-w- c:\apps\PB_TB\EULALauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-09-21 03:11 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-10 13:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 15:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 15:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-10 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-10 13:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2006-03-15 23:07 421888 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-05-18 13:27 16207872 ----a-w- c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 11:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-09-21 23:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"nvsvc"=2 (0x2)
"NSL"=2 (0x2)
"MDM"=2 (0x2)
"McComponentHostService"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"GoogleDesktopManager-051210-111108"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [05/10/2010 12:57 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [05/10/2010 12:57 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20101104.001\BHDrvx86.sys [04/11/2010 00:07 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [05/10/2010 12:57 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [05/10/2010 12:57 116784]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [05/10/2010 12:57 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [21/09/2010 04:33 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [14/10/2010 18:36 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20101111.001\IDSXpx86.sys [19/10/2010 20:36 341880]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\ROMY(B~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\ROMY(B~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [21/09/2010 01:42 30192]
.
Contents of the 'Scheduled Tasks' folder
2010-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
2010-11-12 c:\windows\Tasks\User_Feed_Synchronization-{DAE7EBDB-22BF-4277-99B5-843AFA703031}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-12 20:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-11-12 20:24:47
ComboFix-quarantined-files.txt 2010-11-12 20:24
Pre-Run: 180,419,411,968 bytes free
Post-Run: 180,405,452,800 bytes free
- - End Of File - - D60B68ED6C62906E66C600A562DB839A
Bunnymommy
2010-11-12, 22:34
Here is the dds
DDS (Ver_10-10-21.02) - NTFSx86
Run by Romy (Bunnymommy) at 20:30:45.82 on 12/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.359 [GMT 0:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Romy (Bunnymommy)\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\romy(b~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20101104.001\BHDrvx86.sys [2010-11-4 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-5 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-5 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-9-21 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-14 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20101111.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101111.002\naveng.sys [2010-11-11 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101111.002\navex15.sys [2010-11-11 1371184]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-21 30192]
=============== Created Last 30 ================
2010-11-12 20:01:43 3908597 ----a-r- C:\ComboFix.exe
2010-11-07 19:43:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-07 19:43:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-07 19:43:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-07 19:33:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 18:16:28 -------- d-sha-r- C:\cmdcons
2010-11-03 19:07:40 98816 ----a-w- c:\windows\sed.exe
2010-11-03 19:07:40 89088 ----a-w- c:\windows\MBR.exe
2010-11-03 19:07:40 256512 ----a-w- c:\windows\PEV.exe
2010-11-03 19:07:40 161792 ----a-w- c:\windows\SWREG.exe
2010-10-19 15:50:55 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50:55 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50:55 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50:49 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-18 20:04:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 20:04:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-18 19:43:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
==================== Find3M ====================
2010-11-07 19:33:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-13 12:04:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 11:25:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-13 11:25:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-13 11:25:40 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-05 15:24:07 67603282 ----a-w- C:\regbkp.reg
2010-09-23 22:31:36 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31:36 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 20:31:23.31 ===============
It looks like you're still using an old version of DDS (Ver_10-10-21.02); the latest version is 10-11-10.01.
Delete DDS.scr and download the latest version from here (http://download.bleepingcomputer.com/sUBs/dds.scr), then run DDS again and post just the main DDS Log.
Also, I'd like for you to post the contents of ComboFix-quarantined-files.txt; you can find it in the C:\Qoobox folder.
Bunnymommy
2010-11-12, 22:55
here is the cfq
2010-11-06 18:27:42 . 2010-11-06 18:27:42 652 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-VRQ Uploader.reg.dat
2010-11-06 18:27:41 . 2010-11-06 18:27:41 638 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MSKDetectorExe.reg.dat
2010-11-06 18:27:41 . 2010-11-06 18:27:41 620 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ISTray.reg.dat
2010-11-06 18:27:30 . 2010-11-06 18:27:30 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2010-11-06 18:20:25 . 2010-11-12 20:21:34 5,885 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-11-03 19:07:28 . 2010-11-12 20:17:37 1,071 ----a-w- C:\Qoobox\Quarantine\catchme.log
2004-06-09 13:26:16 . 2004-06-09 13:26:16 5,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\THUMBS.DB.vir
Bunnymommy
2010-11-12, 22:59
DDS (Ver_10-11-10.01) - NTFSx86
Run by Romy (Bunnymommy) at 20:57:27.62 on 12/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.180 [GMT 0:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Documents and Settings\Romy (Bunnymommy)\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\romy(b~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20101104.001\BHDrvx86.sys [2010-11-4 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-5 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-5 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-9-21 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-14 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20101111.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101111.002\naveng.sys [2010-11-11 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101111.002\navex15.sys [2010-11-11 1371184]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-21 30192]
=============== Created Last 30 ================
2010-11-12 20:01:43 3908597 ----a-r- C:\ComboFix.exe
2010-11-07 19:43:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-07 19:43:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-07 19:43:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-07 19:33:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 18:16:28 -------- d-sha-r- C:\cmdcons
2010-11-03 19:07:40 98816 ----a-w- c:\windows\sed.exe
2010-11-03 19:07:40 89088 ----a-w- c:\windows\MBR.exe
2010-11-03 19:07:40 256512 ----a-w- c:\windows\PEV.exe
2010-11-03 19:07:40 161792 ----a-w- c:\windows\SWREG.exe
2010-10-19 15:50:55 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50:55 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50:55 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50:49 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-18 20:04:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 20:04:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-18 19:43:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
==================== Find3M ====================
2010-11-07 19:33:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-13 12:04:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 11:25:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-13 11:25:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-13 11:25:40 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-05 15:24:07 67603282 ----a-w- C:\regbkp.reg
2010-09-23 22:31:36 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31:36 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 20:58:08.65 ===============
Your latest DDS Log looks good. :)
I'd like for you to update MalwareBytes' (the latest database version as I type this is 5104) and run a Quick Scan and post the log in your next post/reply.
Also, are you still getting the message about spooldr.sys?
Bunnymommy
2010-11-13, 19:29
Hia, no I haven't had any more warnings about spooldr. Fingers crossed. Here is the MBAM log and it's clear.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5108
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
13/11/2010 17:28:03
mbam-log-2010-11-13 (17-28-03).txt
Scan type: Quick scan
Objects scanned: 152571
Time elapsed: 9 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Good to hear that you're no longer getting any warnings about spooldr.sys :)
How is your computer doing? Also, you mentioned in your very first post in this thread that Spybot found Virtumonde, among other things. Go ahead and run Spybot (be sure to update first) and let me know if it finds anything.
Bunnymommy
2010-11-14, 20:57
It came up clear. My computer seems fine now. Thanks so much for your help :bigthumb:
That's great to hear.
Since you report no more problems, you're good to go. :)
You can delete the following off of your computer:
dds.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /Uninstall & click OK
Empty your Recycle Bin.
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
This is a good time to clear your existing system restore points and establish a new clean restore point.
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure. This can be done by following these simple instructions: from within Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP:
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders", if necessary select Do not show hidden files and folders.
If unchecked, please check Hide protected operating system files (Recommended).
If necessary, check "Display content of system folders".
If necessary, uncheck Hide file extensions for known file types.
Click OK.
Use Antivirus Software and Keep It Updated - It is very important that you have antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file - Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button on the task bar at the bottom of your screen. Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. In the dropdown box, change the setting from Automatic to Manual. Click OK.
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.spybot.info/showthread.php?t=279)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
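The post above walks through several Windows settings by hand (the Internet Explorer Internet-zone ActiveX and frame options, the Explorer hidden-file options, and the DNS Client service start type). The following is an added example, not part of the thread and not code from any of the tools the helper names: a read-only PowerShell audit that reads each of those settings from the registry and the service database and prints the current value beside the value the post recommends. It changes nothing. It assumes Microsoft's documented numeric action IDs for the Internet zone (1001, 1004, 1201, 1800, 1804, 1607, with 0 = Enable, 1 = Prompt, 3 = Disable), the Explorer Advanced value names Hidden, ShowSuperHidden and HideFileExt, and the DNS Client service's internal name Dnscache; on an XP-era machine it needs Windows PowerShell installed, and it must run as the user whose profile you want to check, because the zone and Explorer settings live under HKCU.

```powershell
# Added example (not from this thread): read-only audit of the hardening steps in the
# All Clean post. Prints each setting's current value beside the recommended one; changes nothing.

# IE security zone 3 = Internet. The action IDs are Microsoft's documented per-zone action
# values (assumption: they match the labels used in the post). 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$zoneChecks = @(
    @{ Id = '1001'; Desc = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Desc = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Desc = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Desc = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Desc = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Desc = 'Navigate sub-frames across different domains';              Want = 1 }
)

# Explorer view options behind the "hidden files" step (HKCU\...\Explorer\Advanced).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$explorerChecks = @(
    @{ Id = 'Hidden';          Desc = 'Do not show hidden files and folders (Hidden=2)';            Want = 2 },
    @{ Id = 'ShowSuperHidden'; Desc = 'Hide protected operating system files (ShowSuperHidden=0)'; Want = 0 },
    @{ Id = 'HideFileExt';     Desc = 'Show extensions for known file types (HideFileExt=0)';      Want = 0 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the registry value, or $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Setting([string]$Path, $Check, [hashtable]$Labels) {
    # Compares one registry value with the recommended value and returns a result row.
    $have  = Get-RegValue $Path $Check.Id
    $label = "$have"
    if ($null -eq $have) { $label = '(not set)' }
    if ($Labels -and $null -ne $have -and $Labels.ContainsKey([int]$have)) { $label = $Labels[[int]$have] }
    $want = "$($Check.Want)"
    if ($Labels) { $want = $Labels[$Check.Want] }
    [pscustomobject]@{ Setting = $Check.Desc; Current = $label; Recommended = $want; OK = ($have -eq $Check.Want) }
}

$results = @()
foreach ($c in $zoneChecks)     { $results += Test-Setting $zoneKey $c $actionNames }
foreach ($c in $explorerChecks) { $results += Test-Setting $advKey  $c $null }

# DNS Client service (internal name Dnscache). The post sets it to Manual only when a large
# hosts file slows the machine down, so treat this row as informational rather than pass/fail.
# Get-WmiObject is used because it exists on the Windows PowerShell versions an XP-era box can run.
$dns     = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
$dnsMode = '(service not found)'
if ($dns) { $dnsMode = $dns.StartMode }
$results += [pscustomobject]@{
    Setting     = 'DNS Client service start type'
    Current     = $dnsMode
    Recommended = 'Manual (only if you installed the MVPS hosts file)'
    OK          = ($dnsMode -eq 'Manual')
}

$results | Format-Table -AutoSize
```

Reading the settings rather than writing them keeps the script safe to run on any box, including one that is still being cleaned; a row with OK = False simply means the corresponding manual step in the post has not been applied for this user.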
Bunnymommy
2010-11-15, 23:04
Thanks so much for all the info and advice. I'm going through your points now. I am unable to get the spywareblaster link but have found another one through that forum using the search function. Now before I download this please can you confirm that this is the right thing and not a fake (sorry I'm so paranoid!)
http://www.javacoolsoftware.com/spywareblaster.html
thanks :thanks:
Bunnymommy
2010-11-16, 01:01
Okay well I went ahead and downloaded and did all the steps you said. Was feeling very happy and safe. But now my firefox keeps crashing and when I try to load web pages I get this odd little error box
"Alert
The URL is not valid and cannot be loaded."
Even though the page has loaded and can be used. I have no option but to either click in the "ok" box or the "x" to get rid of the alert box or it will stay and stop me doing anything else. I have tried checking my taskmanager box too, but I can't see it listed there (unless I'm missing something - quite possible!).
That's the correct link for Spyware Blaster. :)
Try disabling all your add-ons in Firefox then enable them one at a time to see which one makes the error box appear. Once you find which add-on it is, uninstall it then re-enable the rest.
Another thing you can try is uninstalling Google Toolbar from your computer. That also seems to solve the problem that you're describing.
Bunnymommy
2010-11-16, 22:12
Thank you again! I removed Google Toolbar and it's working okay now. Thanks for all your help :thanks:
Bunnymommy
2010-11-16, 23:40
Okay, sorry about this, but now I keep getting this error message box:
"Microsoft Feeds Synchronisation has encountered a problem and needs to close" I have to choose either "send error report" or "don't send" there is no "x" box. Is this something to worry about?
This message shows up because of an error with Internet Explorer. Go ahead and uninstall then reinstall it. Also make sure to visit Windows Update and be sure that you have the latest version of IE 8 installed.
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.