
Spyware Protect 2009 - Please Help


4 replies to this topic

#1 Zombie12

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:58 PM

Posted 13 May 2009 - 12:56 AM

Hi,
I have the Spyware Protect 2009 malware. I tried to follow the instructions on this website for installing Malwarebytes Anti-Malware, but it doesn't run. I disabled Norton 360 and tried running it in safe mode; it still does not seem to run.
Please help.... The spyware is now causing Firefox and IE to close as well....





DDS (Ver_09-03-16.01) - NTFSx86
Run by Shaji at 0:50:03.25 on Wed 05/13/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.415 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe
C:\DOCUME~1\Shaji\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\sysguard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shaji\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {18ACB87B-2022-4846-8918-D21375DC0CEE} - No File
BHO: {2C535F8D-7E8C-48D7-A06D-751AB6D65FD1} - No File
BHO: {3111DA81-47F4-492D-B282-0ADE59DA1B85} - No File
BHO: {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: {60f999c6-42e5-4005-9a42-53544ce77437} - No File
BHO: {69EB3CE4-2E36-49FB-AFC5-02DEB314B606} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: {9D6295E2-156E-4C4F-9C46-BFF382E30578} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {B52F7A9B-E850-4564-9C15-6B416143A246} - No File
BHO: {BCCC611C-0E8C-4D22-8414-81F53BE84278} - No File
BHO: {CD14CF48-3DAD-4F8E-B6D0-7AA4912DDEF5} - No File
BHO: {CFDEF9B6-E27A-4305-A30A-10BA723CB377} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: {FE3C898A-9799-42F5-BD20-7B54452BDB61} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~1\data\xtras\mssysmgr.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [VirRL2009] "c:\program files\virrl2009\VirRL2009.exe"
uRun: [system tool] c:\windows\sysguard.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shaji\applic~1\mozilla\firefox\profiles\w8dxoaj4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft research\hdview for firefox\nphdview.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-3-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-3-27 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-3-27 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090508.002\IDSXpx86.sys [2009-5-8 276344]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.0.0.135\ccSvcHst.exe [2009-3-27 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-27 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090512.022\NAVENG.SYS [2009-5-12 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090512.022\NAVEX15.SYS [2009-5-12 876144]

=============== Created Last 30 ================

2009-05-13 00:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 00:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-13 00:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-13 00:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-13 00:19 <DIR> --d----- c:\program files\Norton Support
2009-05-12 23:12 6,144 a------- c:\windows\system32\iehelper.dll
2009-05-12 23:02 377,360 a---h--- c:\windows\sysguard.exe
2009-04-20 22:35 <DIR> --d----- c:\program files\FaceMorpher Lite
2009-04-20 22:14 1,496,576 ----h--- c:\windows\system32\wodfamop.dll
2009-04-16 07:48 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 07:48 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 07:48 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-16 15:24 130,958 a------- c:\windows\hpoins12.dat
2009-03-27 18:55 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-27 18:55 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-27 18:55 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-27 18:55 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-27 18:54 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 09:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 18:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 03:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 03:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 03:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 03:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 03:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 03:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-02-19 19:04 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-04 11:44 81,920 a------- c:\docume~1\shaji\applic~1\ezpinst.exe
2008-07-04 11:44 47,360 a------- c:\docume~1\shaji\applic~1\pcouffin.sys
2008-07-04 08:45 284 a------- c:\docume~1\shaji\applic~1\ViewerApp.dat
2006-11-04 19:25 88 ---shr-- c:\windows\system32\7500BA5090.sys
2006-11-04 19:25 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 0:51:07.31 ===============
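An added example, not from the thread or from the DDS tool: a small Python triage pass over the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log like the one above, of the kind a helper might run before reading the whole log by hand. The sample lines are copied from that log; the heuristics (bare file name, Windows root, orphan BHO, hidden executable) and every function name are my own assumptions.

```python
"""Triage pass over a DDS log: autostart and BHO lines from the 'Pseudo HJT
Report' and file lines from 'Created Last 30'. Heuristics only; the output is
a review list for a helper, not a verdict (hypothetical helper, not DDS code)."""
import re
from dataclasses import dataclass
from typing import List

# Autostart values: uRun / mRun / dRunOnce: [name] command
RUN_RE = re.compile(r'^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')
# Browser Helper Objects: BHO: <optional description>: {CLSID} - <dll or "No File">
BHO_RE = re.compile(r'^BHO:\s*(?:(?P<desc>[^{]*?):\s*)?\{(?P<clsid>[^}]+)\}\s*-\s*(?P<path>.+)$')
# 'Created Last 30' lines: date time size-or-<DIR> attributes path
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$')
EXECUTABLE_EXT = ('.exe', '.dll', '.sys', '.scr')


@dataclass(frozen=True)
class Finding:
    kind: str    # 'autostart', 'bho' or 'created'
    target: str  # path, file name or CLSID exactly as written in the log
    reason: str


def executable_from_command(cmd: str) -> str:
    """Return the program part of a Run value, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def check_autostart(name: str, cmd: str) -> List[Finding]:
    exe = executable_from_command(cmd)
    low = exe.lower()
    if '\\' not in low:
        # A bare file name is resolved through the PATH search order at logon,
        # so the log alone does not tell you which binary actually runs.
        return [Finding('autostart', exe, f'[{name}] has no directory, resolved via PATH')]
    if low.startswith('c:\\windows\\') and low.count('\\') == 2:
        # Few legitimate programs install straight into the Windows root. Vendor
        # leftovers (UpdReg.EXE in this log) trip the rule too, hence "review".
        return [Finding('autostart', exe, f'[{name}] runs from the Windows root')]
    return []


def check_bho(clsid: str, path: str) -> List[Finding]:
    if path.strip().lower() == 'no file':
        # CLSID still registered but the DLL is gone: an orphan, usually a
        # removal leftover; harmless by itself, cleared during cleanup.
        return [Finding('bho', clsid, 'orphan BHO, registered DLL missing')]
    return []


def check_created(attrs: str, path: str) -> List[Finding]:
    # In the DDS attribute column 'h' marks a hidden file; a recently created
    # hidden executable is a classic dropper footprint worth a manual look.
    if 'h' in attrs and path.lower().endswith(EXECUTABLE_EXT):
        return [Finding('created', path, 'hidden executable created in the last 30 days')]
    return []


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            findings += check_autostart(m['name'], m['cmd'])
        elif m := BHO_RE.match(line):
            findings += check_bho(m['clsid'], m['path'])
        elif m := CREATED_RE.match(line):
            findings += check_created(m['attrs'], m['path'])
    return findings


# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [system tool] c:\windows\sysguard.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
dRunOnce: [RunNarrator] Narrator.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {18ACB87B-2022-4846-8918-D21375DC0CEE} - No File
2009-05-13 00:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-12 23:12 6,144 a------- c:\windows\system32\iehelper.dll
2009-05-12 23:02 377,360 a---h--- c:\windows\sysguard.exe
2009-04-20 22:14 1,496,576 ----h--- c:\windows\system32\wodfamop.dll
"""
```

On the sample, `triage(SAMPLE_LOG)` flags sysguard.exe twice (autostart from the Windows root, and a hidden file created the evening before the post), the orphan BHO, the two bare-name Run values and UpdReg.EXE, but not iehelper.dll, which was created without the hidden attribute and was only caught later by ComboFix; the list narrows the review, it does not replace reading the log.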



#2 Rahina

    Security Helper

  • Members
  • 681 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:58 AM

Posted 13 May 2009 - 02:48 AM

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Edited by Rahina, 13 May 2009 - 02:50 AM.


#3 Zombie12
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:58 PM

Posted 13 May 2009 - 08:21 AM

Thanks for the help.

Couple of things: (1) I was able to download ComboFix but it won't run, but I renamed it and then it worked. (2) I disabled Norton 360 and the firewall but I got a message from ComboFix saying Norton was still enabled..... Here is the output log file from ComboFix....





ComboFix 09-05-12.06 - Shaji 05/13/2009 8:11.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.685 [GMT -5:00]
Running from: c:\documents and settings\Shaji\Desktop\ComboFix1.exe
AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\sysguard.exe
c:\windows\system32\drivers\UACvbrqoiixrjnkxym.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\UACbseypvoukfoybku.log
c:\windows\system32\UACfcjqppxdnkvghks.dll
c:\windows\system32\UACfusgoqlltentkhw.log
c:\windows\system32\UAChidoiexmqlhtiqj.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmsodksrtffqcvqs.dll
c:\windows\system32\UACpultfaqenvxblaf.dll
c:\windows\system32\UACwipvrgshalxdrme.dll
c:\windows\system32\UACxjpkwgoeirqrqev.dll
c:\windows\system32\UACyuryvoxuplnxnqw.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-13 05:24 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-13 05:24 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-13 05:23 . 2009-05-13 05:23 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-13 05:23 . 2009-05-13 05:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-13 05:19 . 2009-05-13 05:19 -------- d-----w c:\program files\Norton Support
2009-05-13 04:54 . 2009-05-13 04:54 -------- d-----w c:\documents and settings\Shaji\Local Settings\Application Data\Symantec
2009-04-26 15:45 . 2009-04-26 15:45 -------- d-----w c:\documents and settings\Shaji\Application Data\Yahoo!
2009-04-21 03:35 . 2009-04-22 00:12 -------- d-----w c:\program files\FaceMorpher Lite
2009-04-21 03:14 . 2009-04-21 03:34 1496576 ---h--w c:\windows\system32\wodfamop.dll
2009-04-19 01:57 . 2009-04-19 01:57 -------- d-----w c:\documents and settings\Bagya\Local Settings\Application Data\Yahoo
2009-04-19 01:55 . 2009-04-19 01:55 -------- d-----w c:\documents and settings\Bagya\Application Data\Yahoo!
2009-04-19 01:55 . 2009-04-19 01:57 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-19 01:54 . 2009-04-19 01:57 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-16 12:49 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 12:49 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 12:49 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 12:49 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 12:49 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 12:49 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 12:49 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 12:49 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 12:49 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 12:49 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 12:48 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 12:48 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 23:14 . 2006-10-30 22:44 -------- d-----w c:\program files\Google
2009-04-19 01:55 . 2006-11-07 03:18 -------- d-----w c:\program files\Yahoo!
2009-04-16 20:24 . 2007-08-04 23:38 130958 ----a-w c:\windows\hpoins12.dat
2009-03-27 23:59 . 2006-10-30 22:35 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-27 23:55 . 2009-03-27 23:55 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-27 23:55 . 2009-03-27 23:55 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-27 23:55 . 2009-03-27 23:55 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-27 23:55 . 2009-03-27 23:55 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-27 23:55 . 2006-10-30 22:35 -------- d-----w c:\program files\Symantec
2009-03-27 23:54 . 2009-03-27 23:55 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-03-27 23:54 . 2009-03-27 23:54 -------- d-----w c:\program files\Norton 360
2009-03-27 23:54 . 2009-03-27 23:54 -------- d-----w c:\program files\Windows Sidebar
2009-03-27 23:54 . 2009-03-27 23:54 -------- d-----w c:\program files\NortonInstaller
2009-03-27 23:53 . 2006-10-30 22:42 -------- d-----w c:\program files\McAfee
2009-03-20 13:44 . 2006-11-02 05:31 73448 ----a-w c:\documents and settings\Shaji\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-10 18:51 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-10 18:51 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 00:04 . 2009-02-20 00:04 410984 ----a-w c:\windows\system32\deploytk.dll
2006-11-05 00:25 . 2006-11-04 13:58 88 --sh--r c:\windows\system32\7500BA5090.sys
2006-11-05 00:25 . 2006-11-04 13:58 3350 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-14 68856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe" [2004-11-12 212992]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-23 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-20 148888]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-30 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Shaji\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [3/27/2009 6:54 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [3/27/2009 6:54 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [3/27/2009 6:54 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSXpx86.sys [5/8/2009 4:52 PM 276344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [3/27/2009 6:54 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/27/2009 7:12 PM 101936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{18ACB87B-2022-4846-8918-D21375DC0CEE} - (no file)
BHO-{2C535F8D-7E8C-48D7-A06D-751AB6D65FD1} - (no file)
BHO-{3111DA81-47F4-492D-B282-0ADE59DA1B85} - (no file)
BHO-{3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - (no file)
BHO-{60f999c6-42e5-4005-9a42-53544ce77437} - (no file)
BHO-{69EB3CE4-2E36-49FB-AFC5-02DEB314B606} - (no file)
BHO-{9D6295E2-156E-4C4F-9C46-BFF382E30578} - (no file)
BHO-{B52F7A9B-E850-4564-9C15-6B416143A246} - (no file)
BHO-{BCCC611C-0E8C-4D22-8414-81F53BE84278} - (no file)
BHO-{CD14CF48-3DAD-4F8E-B6D0-7AA4912DDEF5} - (no file)
BHO-{CFDEF9B6-E27A-4305-A30A-10BA723CB377} - (no file)
BHO-{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - (no file)
BHO-{FE3C898A-9799-42F5-BD20-7B54452BDB61} - (no file)
HKCU-Run-VirRL2009 - c:\program files\VirRL2009\VirRL2009.exe
Notify-byxuvwvs - (no file)
Notify-khffgGWn - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Shaji\Application Data\Mozilla\Firefox\Profiles\w8dxoaj4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft Research\HDView for Firefox\nphdview.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 08:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
Completion time: 2009-05-13 8:16
ComboFix-quarantined-files.txt 2009-05-13 13:16
ComboFix2.txt 2009-02-19 00:14

Pre-Run: 92,200,890,368 bytes free
Post-Run: 92,579,844,096 bytes free

191 --- E O F --- 2009-05-13 06:01

#4 Zombie12
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:58 PM

Posted 16 May 2009 - 05:25 PM

Hi,
After running ComboFix, my problem seems to be resolved. If you agree after reviewing the ComboFix log attached above, feel free to close this.

Thanks for your help again. This is the second time this forum has helped me.....

#5 Rahina

    Security Helper

  • Members
  • 681 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:58 AM

Posted 17 May 2009 - 09:21 AM

Hi there! Nice to hear that your computer is working better now!

Please do the following:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under select a target to scan: Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.