I have been infected with the Spyware.Ispynow


Solved I have been infected with the Spyware.Ispynow

Post by Waywishes on Sat Nov 29, 2008 9:41 am

Yes, I too have been infected. Here is the log HijackThis came up with. Please tell me where I should go and what I should do from here. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:03 AM, on 11/29/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Perfect Defender 2009\pdmonitor.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Spencer\AppData\Roaming\Google\dvvm.exe
C:\Program Files\Perfect Defender 2009\pdfndr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\System32\mspaint.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O1 - Hosts: ::1 localhost
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ECenter] "C:\Dell\E-Center\EULALauncher.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\DellTPad\Apoint.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] "C:\Windows\OEM02Mon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe"
O4 - HKLM\..\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] "C:\Windows\WindowsMobile\wmdc.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\Windows\system32\WLTRAY.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [WindowsWelcomeCenter] "C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [HPsetm] "C:\Users\Spencer\AppData\Roaming\Google\dvvm.exe"
O4 - HKCU\..\Run: [Perfect Defender 2009] "C:\Program Files\Perfect Defender 2009\pdfndr.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10914 bytes

Waywishes
Novice
Posts : 8
Joined : 2008-11-29
OS : Windows Vista

Solved Re: I have been infected with the Spyware.Ispynow

Post by Belahzur on Sat Nov 29, 2008 1:24 pm

Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [HPsetm] "C:\Users\Spencer\AppData\Roaming\Google\dvvm.exe"
    O4 - HKCU\..\Run: [Perfect Defender 2009] "C:\Program Files\Perfect Defender 2009\pdfndr.exe"


  • Press "Fix Checked"
  • Close Hijack This.


Delete this file and this folder:
C:\Users\Spencer\AppData\Roaming\Google\dvvm.exe <== file
C:\Program Files\Perfect Defender 2009 <== folder


1. Download this file - [You must be registered and logged in to see this link.]
2. Double click combofix.exe & follow the prompts, but select NO when asked about the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
OS : XP SP3 Media Centre

Solved Re: I have been infected with the Spyware.Ispynow

Post by Waywishes on Sat Nov 29, 2008 4:09 pm

My computer will not allow me to delete dvvm.exe; it keeps saying I have to have "permission" to delete it. Also, when I run a scan in HijackThis, it says I have been denied access to the hosts file. Please help.


Solved Re: I have been infected with the Spyware.Ispynow

Post by Belahzur on Sat Nov 29, 2008 4:11 pm

Right click Hijack This executable > select Run as administrator
Try the fix again.

Can you try to run combofix?



Solved Re: I have been infected with the Spyware.Ispynow

Post by Waywishes on Sat Nov 29, 2008 11:02 pm

Sorry for the delay in responding, I had a meeting. Anyway, I ran HijackThis as administrator, clicked to fix it, and then went to C:\Users\Spencer\AppData\Roaming\Google\dvvm.exe, and it still tells me I need permission to delete it and it refuses to go away. It is still stuck.


Last edited by Waywishes on Sat Nov 29, 2008 11:11 pm; edited 1 time in total


Solved Re: I have been infected with the Spyware.Ispynow

Post by Belahzur on Sat Nov 29, 2008 11:05 pm

Hello.
Okay, skip HJT.
Could you try to run combofix please?



Solved Re: I have been infected with the Spyware.Ispynow

Post by Waywishes on Sat Nov 29, 2008 11:13 pm

OK. I have what appears to be ComboFix running, and a blue box has appeared.


Solved Re: I have been infected with the Spyware.Ispynow

Post by Belahzur on Sat Nov 29, 2008 11:14 pm

Okay.
I will be waiting.



Solved Re: I have been infected with the Spyware.Ispynow

Post by Waywishes on Sat Nov 29, 2008 11:23 pm

Alright, here is the log that ComboFix has come up with:
ComboFix 08-11-29.03 - Spencer 2008-11-29 17:14:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.991 [GMT -6:00]
Running from: c:\users\Spencer\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-29 04:09 . 2008-11-29 04:09 0 --ah----- c:\users\Default.LOG2
2008-11-29 04:09 . 2008-11-29 04:09 0 --ah----- c:\users\Default.LOG1
2008-11-29 04:09 . 2008-11-29 04:09 0 --ah----- C:\ProgramData.LOG2
2008-11-29 04:09 . 2008-11-29 04:09 0 --ah----- C:\ProgramData.LOG1
2008-11-29 03:34 . 2008-11-29 03:34 d-------- c:\program files\Trend Micro
2008-11-28 19:39 . 2008-11-28 19:39 d-------- c:\users\All Users\SUPERAntiSpyware.com
2008-11-28 19:39 . 2008-11-28 19:39 d-------- c:\programdata\SUPERAntiSpyware.com
2008-11-28 19:38 . 2008-11-28 19:38 d-------- c:\users\Spencer\AppData\Roaming\SUPERAntiSpyware.com
2008-11-28 19:38 . 2008-11-28 19:38 d-------- c:\program files\SUPERAntiSpyware
2008-11-28 19:37 . 2008-11-28 19:37 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-28 15:10 . 2008-11-29 03:52 d-a------ c:\users\All Users\TEMP
2008-11-28 15:10 . 2008-11-29 03:52 d-a------ c:\programdata\TEMP
2008-11-28 07:25 . 2008-11-28 07:25 d-------- C:\Binaries
2008-11-28 07:24 . 2008-11-28 07:24 d-------- c:\program files\AskSBar
2008-11-28 07:18 . 2008-11-28 07:18 164 --a------ C:\install.dat
2008-11-28 06:22 . 2008-11-29 10:17 d-------- c:\program files\Perfect Defender 2009
2008-11-25 18:47 . 2008-10-20 23:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 18:47 . 2008-08-27 21:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 18:47 . 2008-08-27 21:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 18:47 . 2008-08-27 21:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 18:47 . 2008-10-21 21:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 18:47 . 2008-10-21 21:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-25 18:47 . 2008-10-21 21:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-13 13:01 . 2008-10-16 15:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-13 13:01 . 2008-10-16 14:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-13 13:01 . 2008-10-16 15:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-13 13:01 . 2008-10-16 15:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-13 13:00 . 2008-10-16 15:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-13 13:00 . 2008-10-16 14:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-13 13:00 . 2008-10-16 15:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-13 12:59 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-13 12:59 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-11 23:38 . 2008-09-09 21:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-11-11 23:38 . 2008-09-04 22:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-11-11 23:38 . 2008-08-25 19:11 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-11 23:38 . 2008-09-09 21:21 2,048 --a------ c:\windows\System32\msxml6r.dll
2008-11-11 23:38 . 2008-09-04 22:45 2,048 --a------ c:\windows\System32\msxml3r.dll
2008-10-29 01:56 . 2008-08-11 21:29 441,856 --a------ c:\windows\System32\win32spl.dll
2008-10-29 01:56 . 2008-08-11 21:29 37,376 --a------ c:\windows\System32\printcom.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 22:58 --------- d-----w c:\users\Spencer\AppData\Roaming\LimeWire
2008-11-27 23:21 --------- d-----w c:\users\Spencer\AppData\Roaming\InstallShield
2008-10-26 01:19 --------- d-----w c:\program files\World of Warcraft
2008-10-26 00:42 --------- d-----w c:\programdata\Blizzard
2008-10-15 08:10 --------- d-----w c:\program files\Windows Mail
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 22:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-07-10 19:43 174 --sha-w c:\program files\desktop.ini
2008-05-09 18:35 858 ----a-w c:\users\Spencer\AppData\Roaming\wklnhst.dat
2008-01-18 22:09 76 --sh--r c:\windows\CT4CET.bin
2008-05-17 08:22 952 --sha-w c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-11-28 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-11-28 07:24 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]
"HPsetm"="c:\users\Spencer\AppData\Roaming\Google\dvvm.exe" [2008-11-27 107008]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 c:\windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1006264]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-27 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-14 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-14 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-14 133656]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-07 29744]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

c:\users\Spencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-04-18 147456]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-24 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-01-18 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-09-07 1180952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8C422A6F-BBD1-4F55-BDEF-5C4D6C06762C}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{706CD5C4-E695-4E57-82A4-00C249C2B8D7}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{FBAA2A3D-AAA2-44B4-B40F-73C0F093A531}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{A78DA785-6A20-40B3-AEE6-011CF43CF04D}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{48775B5D-5475-48AB-A4F2-8B9F477A6C73}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{368DBEA0-7AB9-499D-A65A-D59F9C614282}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{78A20ACC-6B0F-42D9-8BEE-7E94A435464D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-18 73728]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-01-18 111104]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2008-01-18 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2008-01-18 7424]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-18 29744]
S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\system32\drivers\ianvstor.sys [2008-01-18 209408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run- - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Spencer\AppData\Roaming\Mozilla\Firefox\Profiles\xecjmje7.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-29 17:19:40
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4160)
c:\program files\Perfect Defender 2009\pd.dll
.
Completion time: 2008-11-29 17:21:33
ComboFix-quarantined-files.txt 2008-11-29 23:21:28

Pre-Run: 51,810,607,104 bytes free
Post-Run: 51,783,012,352 bytes free

186 --- E O F --- 2008-11-26 09:01:22


Solved Re: I have been infected with the Spyware.Ispynow

Post by Belahzur on Sat Nov 29, 2008 11:27 pm

Hello.
This should kill it.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\users\Spencer\AppData\Roaming\Google\dvvm.exe

Folder::
c:\program files\Perfect Defender 2009

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPsetm"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it is done. Post the resulting log back here.


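A triage pass over the autostart entries in the two logs above (the HijackThis O4 lines and the ComboFix "Reg Loading Points" block), as an added example that is not part of the original thread and not code from HijackThis or ComboFix. It parses both formats into one list and flags entries that run from a user-writable profile directory, or whose path names a product the thread already identifies as rogue. The sample log lines are constructed from entries in the thread; the directory markers (`USER_WRITABLE`) and the rogue-product list (`ROGUE_PRODUCTS`) are assumptions a helper would maintain themselves.

```python
import re
from dataclasses import dataclass, field

# Assumption: directory markers a standard (non-admin) user can write to.
# Vendor software normally installs under Program Files or Windows, so an
# autostart that points into one of these locations deserves a closer look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\local settings\\")
# Assumption: product names already identified as rogue in the thread; extend as needed.
ROGUE_PRODUCTS = ("perfect defender",)

# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|bat|cmd|pif))"?(?:\s|$)', re.I)
# HijackThis O4 lines: Run keys and Startup-folder shortcuts.
HJT_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
HJT_STARTUP_RE = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# ComboFix "Reg Loading Points": a [HKEY_...\Run] header, then "name"="cmd" [date size] lines.
CF_KEY_RE = re.compile(r'^\[(?P<hive>HKEY_[^\]]+\\Run)\]$', re.I)
CF_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]+)"')

# Constructed sample, modelled on the two logs in this thread (not the full logs).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [HPsetm] "C:\Users\Spencer\AppData\Roaming\Google\dvvm.exe"
O4 - HKCU\..\Run: [Perfect Defender 2009] "C:\Program Files\Perfect Defender 2009\pdfndr.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 68856]
"HPsetm"="c:\users\Spencer\AppData\Roaming\Google\dvvm.exe" [2008-11-27 107008]
"""


@dataclass
class Autostart:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def exe_of(cmd):
    """Strip quotes and arguments, returning just the executable path."""
    m = EXE_RE.match(cmd.strip())
    return m['path'] if m else cmd.strip()


def parse_autostarts(text):
    """Collect Run-key and Startup-folder entries from HijackThis or ComboFix log text."""
    entries, cf_hive = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_RUN_RE.match(line) or HJT_STARTUP_RE.match(line)
        if m:
            entries.append(Autostart(m['hive'], m['name'], exe_of(m['cmd'])))
            continue
        k = CF_KEY_RE.match(line)
        if k:
            cf_hive = k['hive']
            continue
        v = CF_VALUE_RE.match(line)
        if v and cf_hive:
            entries.append(Autostart(cf_hive, v['name'], exe_of(v['cmd'])))
        elif not line:
            cf_hive = None  # a blank line closes a ComboFix registry block
    return entries


def triage(text):
    """Return only the autostarts that trip a heuristic, with the reasons attached."""
    findings = []
    for e in parse_autostarts(text):
        low = e.path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            e.reasons.append("executable lives in a user-writable profile directory")
        if any(p in low for p in ROGUE_PRODUCTS):
            e.reasons.append("path names a known rogue security product")
        if e.reasons:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive}  [{f.name}]  {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample it reports exactly the two entries the helper asked to fix: the `HPsetm` value pointing at dvvm.exe under AppData\Roaming (in a folder named after a real vendor, which is why the user-writable location rather than the folder name is the tell) and the Perfect Defender 2009 run key. The script only reports; removal is a separate, elevated step, which is what the thread's "Run as administrator" and CFScript instructions cover.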

Solved Re: I have been infected with the Spyware.Ispynow

Post by Waywishes on Sat Nov 29, 2008 11:46 pm

Here is the first half:

ComboFix 08-11-29.03 - Spencer 2008-11-29 17:30:57.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.967 [GMT -6:00]
Running from: c:\users\Spencer\Desktop\ComboFix.exe
Command switches used :: c:\users\Spencer\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\users\Spencer\AppData\Roaming\Google\dvvm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Perfect Defender 2009
c:\program files\Perfect Defender 2009\pd.dll
c:\program files\Perfect Defender 2009\pdmonitor.exe
c:\users\Spencer\AppData\Roaming\Google\dvvm.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-29 04:09 . 2008-11-29 04:09 0 --ah----- c:\users\Default.LOG2
2008-11-29 04:09 . 2008-11-29 04:09 0 --ah----- c:\users\Default.LOG1
2008-11-29 04:09 . 2008-11-29 04:09 0 --ah----- C:\ProgramData.LOG2
2008-11-29 04:09 . 2008-11-29 04:09 0 --ah----- C:\ProgramData.LOG1
2008-11-29 03:34 . 2008-11-29 03:34 d-------- c:\program files\Trend Micro
2008-11-28 19:39 . 2008-11-28 19:39 d-------- c:\users\All Users\SUPERAntiSpyware.com
2008-11-28 19:39 . 2008-11-28 19:39 d-------- c:\programdata\SUPERAntiSpyware.com
2008-11-28 19:38 . 2008-11-28 19:38 d-------- c:\users\Spencer\AppData\Roaming\SUPERAntiSpyware.com
2008-11-28 19:38 . 2008-11-28 19:38 d-------- c:\program files\SUPERAntiSpyware
2008-11-28 19:37 . 2008-11-28 19:37 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-28 15:10 . 2008-11-29 03:52 d-a------ c:\users\All Users\TEMP
2008-11-28 15:10 . 2008-11-29 03:52 d-a------ c:\programdata\TEMP
2008-11-28 07:25 . 2008-11-28 07:25 d-------- C:\Binaries
2008-11-28 07:24 . 2008-11-28 07:24 d-------- c:\program files\AskSBar
2008-11-28 07:18 . 2008-11-28 07:18 164 --a------ C:\install.dat
2008-11-25 18:47 . 2008-10-20 23:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 18:47 . 2008-08-27 21:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 18:47 . 2008-08-27 21:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 18:47 . 2008-08-27 21:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 18:47 . 2008-10-21 21:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 18:47 . 2008-10-21 21:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-25 18:47 . 2008-10-21 21:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-13 13:01 . 2008-10-16 15:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-13 13:01 . 2008-10-16 14:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-13 13:01 . 2008-10-16 15:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-13 13:01 . 2008-10-16 15:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-13 13:00 . 2008-10-16 15:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-13 13:00 . 2008-10-16 14:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-13 13:00 . 2008-10-16 15:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-13 12:59 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-13 12:59 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-11 23:38 . 2008-09-09 21:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-11-11 23:38 . 2008-09-04 22:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-11-11 23:38 . 2008-08-25 19:11 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-11 23:38 . 2008-09-09 21:21 2,048 --a------ c:\windows\System32\msxml6r.dll
2008-11-11 23:38 . 2008-09-04 22:45 2,048 --a------ c:\windows\System32\msxml3r.dll
2008-10-29 01:56 . 2008-08-11 21:29 441,856 --a------ c:\windows\System32\win32spl.dll
2008-10-29 01:56 . 2008-08-11 21:29 37,376 --a------ c:\windows\System32\printcom.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 22:58 --------- d-----w c:\users\Spencer\AppData\Roaming\LimeWire
2008-11-27 23:21 --------- d-----w c:\users\Spencer\AppData\Roaming\InstallShield
2008-10-26 01:19 --------- d-----w c:\program files\World of Warcraft
2008-10-26 00:42 --------- d-----w c:\programdata\Blizzard
2008-10-15 08:10 --------- d-----w c:\program files\Windows Mail
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 22:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-07-10 19:43 174 --sha-w c:\program files\desktop.ini
2008-05-09 18:35 858 ----a-w c:\users\Spencer\AppData\Roaming\wklnhst.dat
2008-01-18 22:09 76 --sh--r c:\windows\CT4CET.bin
2008-05-17 08:22 952 --sha-w c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-29 23:19:42 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-29 23:36:43 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-29 23:19:37 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-29 23:36:43 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-11-29 22:59:54 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-29 23:34:06 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-29 22:59:54 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-29 23:34:06 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-29 22:59:54 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-29 23:34:06 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-29 22:59:37 8,228 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1998363468-347673385-3037537117-1000_UserData.bin
+ 2008-11-29 23:38:15 8,482 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1998363468-347673385-3037537117-1000_UserData.bin
- 2008-11-29 22:59:35 63,056 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-29 23:38:15 63,222 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-29 22:59:32 36,630 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-29 23:38:11 36,920 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-11-28 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-11-28 07:24 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 c:\windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-27 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-14 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-14 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-14 133656]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-07 29744]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

c:\users\Spencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-04-18 147456]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-24 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-01-18 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-09-07 1180952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)


Solved Re: I have been infected with the Spyware.Ispynow

Post by Waywishes on Sat Nov 29, 2008 11:48 pm

Here is the second half.
ComboFix 08-11-29.03 - Spencer 2008-11-29 17:30:57.2 - NTFSx86

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8C422A6F-BBD1-4F55-BDEF-5C4D6C06762C}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{706CD5C4-E695-4E57-82A4-00C249C2B8D7}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{FBAA2A3D-AAA2-44B4-B40F-73C0F093A531}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{A78DA785-6A20-40B3-AEE6-011CF43CF04D}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{48775B5D-5475-48AB-A4F2-8B9F477A6C73}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{368DBEA0-7AB9-499D-A65A-D59F9C614282}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{78A20ACC-6B0F-42D9-8BEE-7E94A435464D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Wdf01000.sys



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-29 17:36:54
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\windows\System32\AEstSrv.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\McAfee\VirusScan\mcsysmon.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MSC\mcuimgr.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2008-11-29 17:42:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 23:42:25
ComboFix2.txt 2008-11-29 23:21:35

Pre-Run: 53,105,733,632 bytes free
Post-Run: 52,970,885,120 bytes free

223 --- E O F --- 2008-11-26 09:01:22


Solved Re: I have been infected with the Spyware.Ispynow

Post by Belahzur on Sat Nov 29, 2008 11:49 pm

Log looks clean; how is the machine running?



Solved Re: I have been infected with the Spyware.Ispynow

Post by Waywishes on Sat Nov 29, 2008 11:53 pm

The machine is running great now. Thank you for your help; I would have pretty much gone insane without it. I really appreciate that you took the time to help me with this. This forum is amazing. Thank you so much =)


Solved Re: I have been infected with the Spyware.Ispynow

Post by Belahzur on Sat Nov 29, 2008 11:55 pm

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs, and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.].

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions.
  • Press Yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


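A way to check the removal steps above from a PowerShell prompt, as an added example that is not part of Belahzur's post and not a feature of JavaRa: it reads the same data Add or Remove Programs shows (the Uninstall registry keys) and lists every entry whose name matches Java, J2SE or JRE, marking all but the highest DisplayVersion as older. The registry paths are the standard Uninstall keys; the name pattern and the assumption that the highest DisplayVersion is the current runtime are this example's own, and the script only lists entries, it does not remove anything.

```powershell
# Added example (not from the original post): inventory the Java runtimes a
# Windows machine reports in its Add or Remove Programs data, so you can see
# which JRE entries are left before and after the removal steps above.
# Assumes PowerShell 2.0 or later and an account allowed to read HKLM.

# Uninstall entries live under these keys. The WOW6432Node path exists only on
# 64-bit Windows, so a missing key is skipped with -ErrorAction SilentlyContinue.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Assumption: JRE entries carry "Java", "J2SE" or "JRE" in DisplayName, as in
# the examples the post lists ("J2SE Runtime Environment 5.0 Update 2").
$JavaNamePattern = 'Java|J2SE|JRE'

function ConvertTo-ComparableVersion {
    param([string]$DisplayVersion)
    # DisplayVersion strings such as "1.6.0.100" parse as [version]; anything
    # unparseable sorts lowest so it is never mistaken for the newest runtime.
    try { return [version]$DisplayVersion } catch { return [version]'0.0' }
}

function Get-InstalledJava {
    $entries = @()
    foreach ($key in $UninstallKeys) {
        $items = Get-ChildItem -Path $key -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $props = Get-ItemProperty -Path $item.PSPath -ErrorAction SilentlyContinue
            if ($props.DisplayName -and $props.DisplayName -match $JavaNamePattern) {
                $entries += New-Object PSObject -Property @{
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = [string]$props.DisplayVersion
                    Publisher       = $props.Publisher
                    UninstallString = $props.UninstallString
                    RegistryKey     = $item.PSPath
                }
            }
        }
    }
    return $entries
}

function Show-JavaInventory {
    $entries = Get-InstalledJava
    if (-not $entries) {
        Write-Output 'No Java Runtime Environment entries found in Add or Remove Programs.'
        return
    }
    # The highest DisplayVersion is treated as current; every other entry is
    # "older" and is one of the items the post says to remove before updating.
    $newest = ($entries |
        Sort-Object { ConvertTo-ComparableVersion $_.DisplayVersion } -Descending)[0]
    foreach ($e in $entries) {
        $status = if ($e.RegistryKey -eq $newest.RegistryKey) { 'CURRENT' } else { 'OLDER - remove' }
        Write-Output ('{0,-15} {1,-12} {2}  [{3}]' -f $status, $e.DisplayVersion, $e.DisplayName, $e.Publisher)
    }
}

Show-JavaInventory
```

Run it before the Add or Remove Programs step to see what has to go, and again after the reboot to confirm that only the newly installed JRE remains. Check the Publisher column: the name match can also catch Java-based applications that are not runtimes, and those should be left alone.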

Solved Re: I have been infected with the Spyware.Ispynow

Post by Doctor Inferno on Sat Dec 06, 2008 4:05 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

