Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware Infection: Multiple, not sure exactly


  • This topic is locked This topic is locked
2 replies to this topic

#1 dew215

dew215

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 03 January 2009 - 01:58 AM

I have a combination of what I would be spyware and viruses on my computer. I am usually pretty good at getting these things off, but this time I'm pretty stumped. Every time I think I make progress the stuff comes right back. HELP!

DDS


DDS (Version 1.1.0) - NTFSx86
Run by Dewain at 1:46:50.90 on Sat 01/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1298 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 1\firefox.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\Dewain\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: SFCDisable=-99 (0xffffff9d)
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dewain\applic~1\mozilla\firefox\profiles\k38xr0s8.default\
FF - plugin: c:\program files\mozilla firefox 3.1 beta 1\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-10-4 177776]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-26 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-11-14 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-12 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081212.004\naveng.sys [2008-12-12 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081212.004\navex15.sys [2008-12-12 876112]
S3 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-10-4 185968]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-10-4 83568]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-11-15 169200]
S3 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-11-15 1756912]
S4 LMIRfsClientNP;LMIRfsClientNP; []

=============== Created Last 30 ================

2009-01-02 19:09 134,144 a------- c:\windows\system32\fivgma.dll
2009-01-02 19:09 134,144 a------- c:\windows\system32\mabproac.dll
2009-01-02 15:51 50,176 a------- c:\windows\system32\vtUmnOhF.dll
2009-01-01 22:45 <DIR> --d----- c:\program files\Trend Micro
2009-01-01 19:15 50,176 a------- c:\windows\system32\fccDvuvw.dll
2009-01-01 19:09 50,176 a------- c:\windows\system32\nnnliIYr.dll
2009-01-01 19:06 132,608 a------- c:\windows\system32\pupgnxed.dll
2009-01-01 17:04 0 a------- c:\windows\hpqEmlSz.INI
2008-12-29 14:30 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-29 14:30 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-29 14:29 <DIR> --d----- c:\program files\iPod
2008-12-29 14:29 <DIR> --d----- c:\program files\iTunes
2008-12-29 14:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-29 14:28 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-12-29 14:15 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-29 14:15 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2008-12-29 14:15 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2008-12-29 14:15 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-24 11:07 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-24 11:07 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-21 00:02 <DIR> --d----- c:\docume~1\dewain\applic~1\Malwarebytes
2008-12-21 00:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-21 00:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 00:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-21 00:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-20 22:04 441 a------- c:\windows\system32\TDSSierd.dat
2008-12-20 22:03 57,856 a------- c:\windows\system32\wvUnKCVm.dll
2008-12-20 21:57 57,856 a------- c:\windows\system32\ddcCRKby.dll
2008-12-20 21:55 135,168 a------- c:\windows\system32\xuanua.dll
2008-12-20 21:55 135,168 a------- c:\windows\system32\drublyvk.dll
2008-12-13 16:22 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-12-12 14:50 <DIR> --d----- c:\program files\SmartFTP Client
2008-12-12 14:49 <DIR> --d----- c:\program files\SmartFTP Client 3.0 Setup Files
2008-12-12 14:36 <DIR> --d----- c:\windows\system32\NtmsData
2008-12-04 09:07 1,282 a------- c:\documents and settings\dewain\nah_log.dat

==================== Find3M ====================

2008-11-25 17:54 507,904 a------- c:\windows\system32\winlogon.exe
2008-11-25 17:54 295,424 a------- c:\windows\system32\termsrv.dll
2008-11-14 09:52 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-11-14 09:52 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-11-14 09:51 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-11-12 11:47 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-11-12 11:47 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-11-12 11:04 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-10 14:12 165,564 a------- c:\windows\hpoins30.dat
2008-11-10 12:27 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-11-10 12:23 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:35 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-16 20:35 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-16 20:35 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-16 20:35 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-16 20:35 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 1:47:25.59 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:52 AM

Posted 05 January 2009 - 05:45 AM

Hello Dew215 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:52 AM

Posted 03 February 2009 - 05:39 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users