Please check these results for Malware

Bunnymommy

Please can someone check these results for anything malware related. My internet keeps acting strange. The first time I ran Spybot it found several spyware items; one was Virtumonde. So I am a little bit paranoid now. Thanks in advance.

DDS (Ver_10-10-21.02) - NTFSx86
Run by Romy (Bunnymommy) at 12:46:54.81 on 26/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.178 [GMT 1:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Romy (Bunnymommy)\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\romy(b~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-6 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-5 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-5 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-9-21 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-14 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20101025.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101025.040\NAVENG.SYS [2010-10-26 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101025.040\NAVEX15.SYS [2010-10-26 1371184]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-21 30192]

=============== Created Last 30 ================

2010-10-19 15:50:55 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50:55 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50:55 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50:49 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-18 20:04:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 20:04:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-18 19:43:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-13 12:04:39 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Symantec
2010-10-13 12:04:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 12:04:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 12:04:03 -------- d-----w- c:\program files\Symantec
2010-10-13 12:04:03 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-13 12:03:29 -------- d-----w- c:\program files\Norton 360
2010-10-13 11:25:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-10-13 11:25:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-13 11:25:40 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-13 11:25:40 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-13 11:25:21 -------- d-----w- c:\program files\NVIDIA Corporation
2010-10-07 21:08:27 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Help
2010-10-05 15:23:59 67603282 ----a-w- C:\regbkp.reg
2010-10-05 15:01:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton VRQ
2010-10-05 13:58:30 -------- d-----w- c:\windows\LMIE.tmp
2010-10-05 13:53:47 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\NPE
2010-10-05 12:57:36 43696 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtspx.sys
2010-10-05 12:57:36 361904 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdi.sys
2010-10-05 12:57:36 339504 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys
2010-10-05 12:57:36 328752 ----a-r- c:\windows\system32\drivers\n360\0403000.005\symds.sys
2010-10-05 12:57:36 173104 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symefa.sys
2010-10-05 12:57:35 501888 ----a-w- c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys
2010-10-05 12:57:35 325680 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtsp.sys
2010-10-05 12:57:35 116784 ----a-w- c:\windows\system32\drivers\n360\0403000.005\ironx86.sys
2010-10-05 12:57:19 -------- d-----w- c:\windows\system32\drivers\n360\0403000.005
2010-10-02 17:46:05 -------- d-----w- c:\program files\iPod
2010-09-29 01:09:47 -------- d-----w- c:\docume~1\romy(b~1\applic~1\Malwarebytes
2010-09-29 01:09:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-29 00:26:18 -------- d-----w- c:\program files\PC Tools Security
2010-09-29 00:23:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-09-28 15:27:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-28 15:27:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-28 15:27:54 423656 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-09-26 22:26:16 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-09-26 22:14:19 215920 ----a-w- c:\windows\system32\muweb.dll
2010-09-26 22:14:19 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-09-26 22:14:18 274288 ----a-w- c:\windows\system32\mucltui.dll

==================== Find3M ====================

2010-09-23 22:31:36 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31:36 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 12:47:48.21 ===============
 
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here or here
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
 
Thanks for your help. During the DDS my Norton came up twice with a malware warning to stop "MBR.DAT".


DDS (Ver_10-11-03.01) - NTFSx86
Run by Romy (Bunnymommy) at 18:18:45.04 on 03/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.215 [GMT 0:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Romy (Bunnymommy)\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\romy(b~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20101029.001\BHDrvx86.sys [2010-11-2 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-5 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-5 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-9-21 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-14 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20101102.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101103.002\naveng.sys [2010-11-3 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101103.002\navex15.sys [2010-11-3 1371184]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\romy(b~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-21 30192]

=============== Created Last 30 ================

2010-10-19 15:50:55 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 15:50:55 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 15:50:55 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 15:50:49 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-18 20:04:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 20:04:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-18 19:43:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-13 12:04:39 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Symantec
2010-10-13 12:04:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 12:04:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 12:04:03 -------- d-----w- c:\program files\Symantec
2010-10-13 12:04:03 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-13 12:03:29 -------- d-----w- c:\program files\Norton 360
2010-10-13 11:25:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-10-13 11:25:49 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-13 11:25:40 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-10-13 11:25:40 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-10-13 11:25:21 -------- d-----w- c:\program files\NVIDIA Corporation
2010-10-07 21:08:27 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\Help
2010-10-05 15:23:59 67603282 ----a-w- C:\regbkp.reg
2010-10-05 15:01:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton VRQ
2010-10-05 13:58:30 -------- d-----w- c:\windows\LMIE.tmp
2010-10-05 13:53:47 -------- d-----w- c:\docume~1\romy(b~1\locals~1\applic~1\NPE
2010-10-05 12:57:36 43696 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtspx.sys
2010-10-05 12:57:36 361904 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdi.sys
2010-10-05 12:57:36 339504 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys
2010-10-05 12:57:36 328752 ----a-r- c:\windows\system32\drivers\n360\0403000.005\symds.sys
2010-10-05 12:57:36 173104 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symefa.sys
2010-10-05 12:57:35 501888 ----a-w- c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys
2010-10-05 12:57:35 325680 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtsp.sys
2010-10-05 12:57:35 116784 ----a-w- c:\windows\system32\drivers\n360\0403000.005\ironx86.sys
2010-10-05 12:57:19 -------- d-----w- c:\windows\system32\drivers\n360\0403000.005

==================== Find3M ====================

2010-09-28 15:27:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-28 15:27:41 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-23 22:31:36 109568 ------w- c:\windows\system32\pxinsi64.exe
2010-09-23 22:31:36 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 18:21:06.50 ===============
 
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit quick scan 2010-11-03 18:30:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ROMY(B~1\LOCALS~1\Temp\kwlyakoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
 
During the DDS my Norton came up twice with a malware warning to stop "MBR.DAT".

MBR.DAT is part of DDS, so it's ok. :) When I have you run it again and Norton pops up with a warning to stop MBR.DAT, go ahead and tell Norton to let it run/don't stop it.



Step # 1: Disable Teatimer

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
 
I'm having problems downloading and running ComboFix. The first time I downloaded it, an error came up saying "CFScript incorrectly spelt". I clicked okay but then it all disappeared and I couldn't find ComboFix again. The second and third time I tried to download and run ComboFix I got the error "Cannot rename Combofix as Combofix(2)", but my computer/Firefox download is automatically calling it that and there is no option when right-clicking to rename.
 
Okay, I've just managed to find the original ComboFix download and saved a shortcut to my desktop. Tried to run it again but got the same error as before, "CFScript incorrectly spelt", and it closes the program.
 
Ok, let's do this.

First, delete ComboFix.exe (and its shortcut) off of your computer.

Then follow the instructions below:


Step # 1: Download and Run ComboFix

Download ComboFix from any of the links below. You must rename it to bunnymommy.exe before saving it. Save it to your Desktop.

Link 1
Link 2

--------------------------------------------------------------------

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on bunnymommy.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please include C:\ComboFix.txt in your next reply so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Be sure that Norton is disabled before you run ComboFix.
 
Just to clarify, I mean the "CFScript incorrectly spelt" error message keeps happening again.

Is that all the error message says? Is there more than just "CFScript incorrectly spelt"? If there is, please post the message in its entirety in your next post/reply.

Try booting your computer into Safe Mode (you can get into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears; use your up arrow key to highlight Safe Mode, then hit Enter) and running ComboFix while in Safe Mode.

If you get a ComboFix Log, please post it in your next post/reply.
 
The error box is headed "CFScript Name Error" and inside the box it says "were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt"

I will now try Safe Mode.
 
Ok, thanks for the info on the CFScript error message.

Let me know how it goes in Safe Mode. :)
 
Have you been just using Firefox to download ComboFix? Let's try downloading it with Internet Explorer and see if that message comes up.

First, delete all instances of ComboFix (bunnymommy.exe) off of your computer.

Then download it using Internet Explorer using one of the two links below:

Link 1
Link 2

No need to rename it, and make sure that it is saved to your Desktop.


Try running ComboFix and let me know what happens. If you get a ComboFix Log, go ahead and post it. :)
 
Ok, we'll try one more thing and if you still get the "CFScript incorrectly spelt" error, I'm going to ask for some help as I'm running out of ideas.

For this to work, ComboFix.exe must be on your Desktop.

Click the Windows 'Start' button > Select 'Run' - then copy/paste what's below (include the quotation marks) into the run box & click OK:

"%userprofile%\desktop\combofix.exe"
 
Ok.

I'm going to ask for some help on this, I'll be back ASAP. :)
 
Thanks to sUBs for the help. :)

I'd like for you to move ComboFix.exe off of the Desktop and place it in C:\.

Once you have C:\ComboFix.exe, try running ComboFix and let me know what happens and post the log if you get one.
 