Another victim of Spyware.ispynow


Solved Another victim of Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 6:43 pm

Picked this up while "Stumbling" yesterday.
Purchased Intelinet, but it cannot remove it.
Have Windows XP.
Please help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:20 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\Samsung\PanelMgr\ssmmgr.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINNT\system32\svchost.exe
C:\DOCUME~1\lbuel\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Intelinet\Intelinet.exe
C:\Program Files\Intelinet\intelin2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINNT\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - [You must be registered and logged in to see this link.]
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Cribbage - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iscsecurity.net
O17 - HKLM\Software\..\Telephony: DomainName = iscsecurity.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iscsecurity.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iscsecurity.net
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 9378 bytes


Last edited by Belahzur on Mon Dec 01, 2008 12:22 am; edited 2 times in total (Reason for editing: Forgot to add this)

n8tivemtn
Novice

Posts : 21
Joined : 2008-11-30
Gender : Male
OS : xp
Points : 29280
Likes : 0
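A triage pass over the HijackThis log posted above, written as an added example for this page (it is not a tool from the thread, from Trend Micro or from anyone in it). It encodes the checks a helper applies by eye when reading such a log: processes launched from a Temp directory, O4 autoruns given as a bare filename with no path, orphaned O2/O3/O9 entries whose file is gone, anything at all in AppInit_DLLs, O23 services that report no company name, and a configured DNS domain suffix. The sample text is a constructed subset of the posted log; the rules and severities are my own and produce items to review, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis 2.0.2 log posted in this thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\system32\lsass.exe
C:\DOCUME~1\lbuel\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Intelinet\intelin2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iscsecurity.net
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")   # "O4 - <body>" style entries
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)    # any path component named Temp
RUN_CMD_RE = re.compile(r"\[[^\]]*\]\s*(.*)$")       # command after the [value name]


@dataclass
class Finding:
    severity: str   # high / medium / low / info (this example's own scale)
    line: str
    reason: str


def _image_from_command(command):
    """Return the executable image from a Run-key command line.
    Quoted paths may contain spaces, so honour the quotes first."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_hijackthis(log_text):
    """Walk a HijackThis log and return the entries a reviewer should look at."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_RE.search(line):
                findings.append(Finding("high", line, "process image running from a Temp directory"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("O2", "O3", "O9") and "(no file)" in body:
            findings.append(Finding("low", line, "orphaned entry: registered component whose file is missing"))
        elif kind == "O4":
            cm = RUN_CMD_RE.search(body)
            if cm:
                image = _image_from_command(cm.group(1))
                if TEMP_RE.search(image):
                    findings.append(Finding("high", line, "autorun from a Temp directory"))
                elif image and "\\" not in image:
                    findings.append(Finding("low", line, "bare filename resolved via PATH; image location cannot be verified from the log"))
        elif kind == "O17" and "Domain" in body:
            findings.append(Finding("info", line, "DNS domain suffix configured; confirm it matches the expected network"))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                findings.append(Finding("medium", line, "AppInit_DLLs loads this DLL into every user32-linked process; verify the vendor"))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(Finding("medium", line, "service binary reports no company name; check the file's signature and origin"))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample above the script raises one high item (the RtkBtMnt.exe process in the user's Temp folder), two medium items (the AppInit DLL and the Intelinet service with no owner), two low items and one informational item; everything else, including the Intel graphics autorun with a full path, stays quiet. A Sophos DLL in AppInit_DLLs is expected on a machine with Sophos installed, which is exactly why the rule only asks for the vendor to be verified rather than calling it bad.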

Solved Re: Another victim of Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 6:54 pm

Will the recent fix for other XP users repair this also?


Solved Re: Another victim of Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 7:04 pm

Hello.
Please do not use a fix that has been posted for others; it may damage your system rather than fix it.
Nothing obvious is showing in the log, so let's do this.

  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

Solved Re: Another victim of Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 7:23 pm

I get booted as soon as it downloads.
Cannot rename?


Solved Re: Another victim of Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 7:24 pm

What do you mean by "get booted"?



Solved Re: Another victim of Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 7:32 pm

Kicks me off the internet.
Did a "Search", found 3 recent downloads (15 minutes).


Solved Re: Another victim of Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 7:35 pm

Okay, let's see if this works.
Note - the log (OTViewIt.txt) created is rather long, so please make sure you have posted it all.

Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras. Post both those logs here.
  • You may need to use two posts to get it all on the forum



Solved 1st Half

Post by n8tivemtn on Sun Nov 30, 2008 7:45 pm

OTViewIt Extras logfile created on: 11/30/2008 2:41:09 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\lbuel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.11 Mb Total Physical Memory | 584.52 Mb Available Physical Memory | 57.64% Memory free
2.89 Gb Paging File | 2.58 Gb Available in Paging File | 89.11% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 54.56 Gb Free Space | 73.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LEON-PC
Current User Name: lbuel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/05/21 03:37:24 | 12,844,576 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
File not found -- C:\WINNT\system32\lxbfcoms.exe:*:Enabled:Lexmark Communications System
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9
File not found -- C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe:*:Enabled:MediaManager9 Module
[2007/04/05 17:00:36 | 00,602,162 | R--- | M] () -- C:\Program Files\Rapid Eye Multi-Media 7.0\REMView.exe:*:Enabled:REMView
File not found -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe:*:Enabled:MediaManager9 Module
File not found -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9
[2007/04/05 17:00:36 | 00,602,162 | R--- | M] () -- C:\Program Files\Rapid Eye Multi-Media 7.0\REMView.exe:*:Enabled:REMView
File not found -- C:\WINNT\system32\drivers\svchost.exe:*:Disabled:svchost
[2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe:*:Enabled:Windows Explorer

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [Bluetooth Namespace] -- C:\WINNT\system32\wshbth.dll (Microsoft Corporation)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/03/06 16:37:36 | 00,106,496 | ---- | M] (Belarc, Inc.) C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (belarc:{6318E0AB-2E93-11D1-B8ED-00608CC9A71F} (HKLM) [VoilaXctl Class])
ipp: [HKLM - No CLSID value]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
msdaipp: [HKLM - No CLSID value]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2006/10/26 12:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])
[2000/04/19 17:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/10/26 20:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{034759DA-E21A-4795-BFB3-C66D17FAD183}"=Sophos Anti-Virus
"{075473F5-846A-448B-BCB3-104AA1760205}"=Roxio Data Module
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=Roxio DLA
"{15C418EB-7675-42be-B2B3-281952DA014D}"=Sophos AutoUpdate
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}"=QuickTime
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Roxio Update Manager
"{345112D9-0930-4A68-AB71-A831BA5DE7AA}"=Microsoft IntelliType Pro 6.2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{37A89DF0-5DD6-48BB-BC34-0CEB2A9E6F63}"=LS_HSI
"{44734179-8A79-4DEE-BB08-73037F065543}"=Apple Mobile Device Support
"{48AFBB60-8CF5-4605-BB04-704DD8702B80}"=VZAccess Manager for RIM
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}"=TIPCI
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel(R) Graphics Media Accelerator Driver
"{8E6B6BE3-929E-4B5A-B61C-EC9E82A0D1B1}"=Rapid Eye Multi-Media Admin and View 7.0.69
"{90120000-0010-0409-0000-0000000FF1CE}"=Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}"=Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}"=Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}"=Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{3EC77D26-799B-4CD8-914F-C1565E796173}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}"=Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{430971B1-C31E-45DA-81E0-72C095BAB72C}"=2007 Microsoft

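The Windows Firewall exception list in the Extras log above is stored in the registry as `<path>:*:<Enabled|Disabled>:<display name>`, and OTViewIt prints each value behind either file metadata or the marker `File not found`. This added example (not part of the post, and not OTViewIt's own code) parses those lines and flags the two things a reviewer looks for in that section: stale exceptions for binaries that no longer exist, and well-known Windows process names such as svchost.exe registered from a directory other than the one the genuine binary lives in. The input is a constructed sample: four lines copied from the posted log plus one legitimate svchost.exe exception added for contrast (its metadata is made up); the expected-location table is my own assumption about where the real system binaries sit.

```python
import re

# Constructed sample in the layout OTViewIt used in the post. The first four
# lines are from the posted Extras log; the last is added here as a legitimate
# svchost.exe exception for contrast (metadata invented for the example).
SAMPLE_FIREWALL_LIST = r"""
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe:*:Enabled:MediaManager9 Module
File not found -- C:\WINNT\system32\drivers\svchost.exe:*:Disabled:svchost
[2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe:*:Enabled:Windows Explorer
[2008/04/13 19:12:19 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\svchost.exe:*:Enabled:Generic Host Process
"""

# Assumption for this example: %windir% may appear literally, as %systemroot%,
# or as a drive-letter path such as C:\WINNT or C:\Windows.
_WINDIR = r"(?:%windir%|%systemroot%|[A-Za-z]:\\[^\\]+)"

# Where the genuine Windows binaries of these names live. Anything else with
# the same basename is, at best, misnamed and, at worst, masquerading.
EXPECTED_LOCATION = {
    name: re.compile(_WINDIR + r"\\system32\\" + re.escape(name) + r"$", re.IGNORECASE)
    for name in ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe")
}
EXPECTED_LOCATION["explorer.exe"] = re.compile(_WINDIR + r"\\explorer\.exe$", re.IGNORECASE)

# "<metadata> -- <path>:*:<state>:<display name>"
ENTRY_RE = re.compile(r"^(?P<meta>.*?) -- (?P<path>.*?):\*:(?P<state>[A-Za-z]+):(?P<name>.*)$")


def parse_exception(line):
    """Split one OTViewIt authorized-application line into its parts, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["present"] = not entry["meta"].startswith("File not found")
    entry["basename"] = entry["path"].rsplit("\\", 1)[-1].lower()
    return entry


def review_exceptions(text):
    """Return (severity, path, reason) tuples for exceptions worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        entry = parse_exception(line)
        if entry is None:
            continue
        if not entry["present"]:
            findings.append(("low", entry["path"],
                             "stale exception: the binary no longer exists; remove the entry"))
        expected = EXPECTED_LOCATION.get(entry["basename"])
        if expected and not expected.match(entry["path"]):
            findings.append(("high", entry["path"],
                             "well-known Windows process name registered outside its expected directory"))
    return findings


if __name__ == "__main__":
    for severity, path, reason in review_exceptions(SAMPLE_FIREWALL_LIST):
        print(f"[{severity:4}] {path}\n       {reason}")
```

Run against the sample, the Roxio entry is reported as stale, the `drivers\svchost.exe` entry is reported both as stale and as a system-process name in the wrong directory, and the genuine `%windir%\system32` and `C:\WINNT` entries pass. A `Disabled` state does not lower the concern for the misplaced svchost.exe: the exception existing at all means something once asked the firewall to let a file by that name through from a folder where Windows never puts it.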

Solved Re: Another victim of Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 7:46 pm

2nd Half
Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}"=Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}"=Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}"=Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}"=Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}"=Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90510409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Visio Professional 2003
"{91120000-0014-0000-0000-0000000FF1CE}"=Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{95120000-00B9-0409-0000-0000000FF1CE}"=Microsoft Application Error Reporting
"{9E397B40-13F7-4CA2-9943-ADB29ACBBFDF}"=ArcSoft Software Suite
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}"=Roxio Audio Module
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{B12665F4-4E93-4AB4-B7FC-37053B524629}"=Roxio Copy Module
"{D70DE630-0D13-4394-A15B-5ACE6CF2A18D}"=Atheros Wireless LAN
"{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}"=U3Launcher
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}"=Realtek High Definition Audio Driver
"Adobe Acrobat Reader 3.01"=Adobe Acrobat Reader 3.01
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player"=Adobe Shockwave Player
"Belarc Advisor"=Belarc Advisor 7.2
"cayahooantispy"=CA Yahoo! Anti-Spy (remove only)
"GridVista"=Acer GridVista
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"InstallShield_{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}"=Texas Instruments PCIxx21/x515/xx12 drivers.
"Intelinet_is1"=Intelinet 3.1.0
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"PIXresizer_is1"=PIXresizer 2.0.2
"PROR"=Microsoft Office Professional 2007
"RealPlayer 6.0"=RealPlayer
"Samsung CLP-300 Series"=Samsung CLP-300 Series
"StumbleUponIEToolbar"=StumbleUpon IE Toolbar
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"Wdf01005"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! Mail"=Yahoo! Internet Mail
"Yahoo! Mail Advisor"=Yahoo! Mail Advisor
"Yahoo! Search Defender"=Yahoo! Search Protection
"YInstHelper"=Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE"=Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/30/2008 12:55:41 PM | Computer Name = LEON-PC | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/30/2008 12:55:42 PM | Computer Name = LEON-PC | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/30/2008 12:55:52 PM | Computer Name = LEON-PC | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.131.7, faulting
module googleupdate.exe, version 1.2.131.7, fault address 0x00006eef.

Error - 11/30/2008 1:05:45 PM | Computer Name = LEON-PC | Source = Application Error | ID = 1000
Description = Faulting application intelinet.exe, version 3.1.0.0, faulting module
ntdll.dll, version 5.1.2600.5512, fault address 0x00011669.

Error - 11/30/2008 1:09:58 PM | Computer Name = LEON-PC | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.131.7, faulting
module googleupdate.exe, version 1.2.131.7, fault address 0x00006eef.

Error - 11/30/2008 1:10:05 PM | Computer Name = LEON-PC | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/30/2008 1:10:05 PM | Computer Name = LEON-PC | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/30/2008 1:10:06 PM | Computer Name = LEON-PC | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/30/2008 3:11:07 PM | Computer Name = LEON-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16735, faulting
module ieframe.dll, version 7.0.6000.16757, fault address 0x00087b08.

Error - 11/30/2008 3:12:23 PM | Computer Name = LEON-PC | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ OSession Events ]
Error - 12/18/2007 10:47:04 AM | Computer Name = LEON-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6023.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 2155
seconds with 1020 seconds of active time. This session ended with a crash.

Error - 1/23/2008 9:09:57 AM | Computer Name = LEON-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 618
seconds with 180 seconds of active time. This session ended with a crash.

Error - 3/18/2008 5:04:00 PM | Computer Name = LEON-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3502
seconds with 1560 seconds of active time. This session ended with a crash.

Error - 3/31/2008 9:12:41 AM | Computer Name = LEON-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6300.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 7843
seconds with 2760 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 11/30/2008 12:57:15 PM | Computer Name = LEON-PC | Source = Service Control Manager | ID = 7000
Description = The Process creation detector. service failed to start due to the
following error: %%2

Error - 11/30/2008 1:10:03 PM | Computer Name = LEON-PC | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain ISCSECURITY due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 11/30/2008 1:10:05 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 11/30/2008 1:10:05 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 11/30/2008 1:11:08 PM | Computer Name = LEON-PC | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%20

Error - 11/30/2008 1:11:08 PM | Computer Name = LEON-PC | Source = Service Control Manager | ID = 7000
Description = The Process creation detector. service failed to start due to the
following error: %%2

Error - 11/30/2008 1:25:08 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 11/30/2008 1:35:41 PM | Computer Name = LEON-PC | Source = Service Control Manager | ID = 7000
Description = The Process creation detector. service failed to start due to the
following error: %%2

Error - 11/30/2008 1:55:08 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.

Error - 11/30/2008 2:55:08 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.


< End of report >

n8tivemtn
Novice

Posts : 21
Joined : 2008-11-30
Gender : Male
OS : xp
Points : 29280
# Likes : 0


Solved Re: Another victim to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 7:48 pm

Extras 1st half
OTViewIt Extras logfile created on: 11/30/2008 2:41:09 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\lbuel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.11 Mb Total Physical Memory | 584.52 Mb Available Physical Memory | 57.64% Memory free
2.89 Gb Paging File | 2.58 Gb Available in Paging File | 89.11% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 54.56 Gb Free Space | 73.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LEON-PC
Current User Name: lbuel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/05/21 03:37:24 | 12,844,576 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
File not found -- C:\WINNT\system32\lxbfcoms.exe:*:Enabled:Lexmark Communications System
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9
File not found -- C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe:*:Enabled:MediaManager9 Module
[2007/04/05 17:00:36 | 00,602,162 | R--- | M] () -- C:\Program Files\Rapid Eye Multi-Media 7.0\REMView.exe:*:Enabled:REMView
File not found -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe:*:Enabled:MediaManager9 Module
File not found -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9
[2007/04/05 17:00:36 | 00,602,162 | R--- | M] () -- C:\Program Files\Rapid Eye Multi-Media 7.0\REMView.exe:*:Enabled:REMView
File not found -- C:\WINNT\system32\drivers\svchost.exe:*:Disabled:svchost
[2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe:*:Enabled:Windows Explorer

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [Bluetooth Namespace] -- C:\WINNT\system32\wshbth.dll (Microsoft Corporation)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/03/06 16:37:36 | 00,106,496 | ---- | M] (Belarc, Inc.) C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (belarc:{6318E0AB-2E93-11D1-B8ED-00608CC9A71F} (HKLM) [VoilaXctl Class])
ipp: [HKLM - No CLSID value]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
msdaipp: [HKLM - No CLSID value]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2006/10/26 12:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])
[2000/04/19 17:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/10/26 20:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{034759DA-E21A-4795-BFB3-C66D17FAD183}"=Sophos Anti-Virus
"{075473F5-846A-448B-BCB3-104AA1760205}"=Roxio Data Module
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=Roxio DLA
"{15C418EB-7675-42be-B2B3-281952DA014D}"=Sophos AutoUpdate
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}"=QuickTime
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Roxio Update Manager
"{345112D9-0930-4A68-AB71-A831BA5DE7AA}"=Microsoft IntelliType Pro 6.2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{37A89DF0-5DD6-48BB-BC34-0CEB2A9E6F63}"=LS_HSI
"{44734179-8A79-4DEE-BB08-73037F065543}"=Apple Mobile Device Support
"{48AFBB60-8CF5-4605-BB04-704DD8702B80}"=VZAccess Manager for RIM
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}"=TIPCI
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel(R) Graphics Media Accelerator Driver
"{8E6B6BE3-929E-4B5A-B61C-EC9E82A0D1B1}"=Rapid Eye Multi-Media Admin and View 7.0.69
"{90120000-0010-0409-0000-0000000FF1CE}"=Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}"=Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}"=Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}"=Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{3EC77D26-799B-4CD8-914F-C1565E796173}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}"=Microsoft Office Proof (French) 2007


Solved Re: Another victim to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 7:48 pm

Extras 2nd Half
"{Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}"=Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}"=Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}"=Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}"=Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}"=Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90510409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Visio Professional 2003
"{91120000-0014-0000-0000-0000000FF1CE}"=Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{95120000-00B9-0409-0000-0000000FF1CE}"=Microsoft Application Error Reporting
"{9E397B40-13F7-4CA2-9943-ADB29ACBBFDF}"=ArcSoft Software Suite
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}"=Roxio Audio Module
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{B12665F4-4E93-4AB4-B7FC-37053B524629}"=Roxio Copy Module
"{D70DE630-0D13-4394-A15B-5ACE6CF2A18D}"=Atheros Wireless LAN
"{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}"=U3Launcher
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}"=Realtek High Definition Audio Driver
"Adobe Acrobat Reader 3.01"=Adobe Acrobat Reader 3.01
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player"=Adobe Shockwave Player
"Belarc Advisor"=Belarc Advisor 7.2
"cayahooantispy"=CA Yahoo! Anti-Spy (remove only)
"GridVista"=Acer GridVista
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"InstallShield_{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}"=Texas Instruments PCIxx21/x515/xx12 drivers.
"Intelinet_is1"=Intelinet 3.1.0
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"PIXresizer_is1"=PIXresizer 2.0.2
"PROR"=Microsoft Office Professional 2007
"RealPlayer 6.0"=RealPlayer
"Samsung CLP-300 Series"=Samsung CLP-300 Series
"StumbleUponIEToolbar"=StumbleUpon IE Toolbar
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"Wdf01005"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! Mail"=Yahoo! Internet Mail
"Yahoo! Mail Advisor"=Yahoo! Mail Advisor
"Yahoo! Search Defender"=Yahoo! Search Protection
"YInstHelper"=Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE"=Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/30/2008 12:55:41 PM | Computer Name = LEON-PC | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/30/2008 12:55:42 PM | Computer Name = LEON-PC | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/30/2008 12:55:52 PM | Computer Name = LEON-PC | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.131.7, faulting
module googleupdate.exe, version 1.2.131.7, fault address 0x00006eef.

Error - 11/30/2008 1:05:45 PM | Computer Name = LEON-PC | Source = Application Error | ID = 1000
Description = Faulting application intelinet.exe, version 3.1.0.0, faulting module
ntdll.dll, version 5.1.2600.5512, fault address 0x00011669.

Error - 11/30/2008 1:09:58 PM | Computer Name = LEON-PC | Source = Application Error | ID = 1000
Description = Faulting application googleupdate.exe, version 1.2.131.7, faulting
module googleupdate.exe, version 1.2.131.7, fault address 0x00006eef.

Error - 11/30/2008 1:10:05 PM | Computer Name = LEON-PC | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/30/2008 1:10:05 PM | Computer Name = LEON-PC | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 11/30/2008 1:10:06 PM | Computer Name = LEON-PC | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/30/2008 3:11:07 PM | Computer Name = LEON-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16735, faulting
module ieframe.dll, version 7.0.6000.16757, fault address 0x00087b08.

Error - 11/30/2008 3:12:23 PM | Computer Name = LEON-PC | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ OSession Events ]
Error - 12/18/2007 10:47:04 AM | Computer Name = LEON-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6023.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 2155
seconds with 1020 seconds of active time. This session ended with a crash.

Error - 1/23/2008 9:09:57 AM | Computer Name = LEON-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 618
seconds with 180 seconds of active time. This session ended with a crash.

Error - 3/18/2008 5:04:00 PM | Computer Name = LEON-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3502
seconds with 1560 seconds of active time. This session ended with a crash.

Error - 3/31/2008 9:12:41 AM | Computer Name = LEON-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6300.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 7843
seconds with 2760 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 11/30/2008 12:57:15 PM | Computer Name = LEON-PC | Source = Service Control Manager | ID = 7000
Description = The Process creation detector. service failed to start due to the
following error: %%2

Error - 11/30/2008 1:10:03 PM | Computer Name = LEON-PC | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain ISCSECURITY due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 11/30/2008 1:10:05 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 11/30/2008 1:10:05 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 11/30/2008 1:11:08 PM | Computer Name = LEON-PC | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%20

Error - 11/30/2008 1:11:08 PM | Computer Name = LEON-PC | Source = Service Control Manager | ID = 7000
Description = The Process creation detector. service failed to start due to the
following error: %%2

Error - 11/30/2008 1:25:08 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 11/30/2008 1:35:41 PM | Computer Name = LEON-PC | Source = Service Control Manager | ID = 7000
Description = The Process creation detector. service failed to start due to the
following error: %%2

Error - 11/30/2008 1:55:08 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.

Error - 11/30/2008 2:55:08 PM | Computer Name = LEON-PC | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.


< End of report >


Solved Re: Another victim to Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 7:52 pm

Hello.
You have posted the Extras log file twice; could you post OTViewIt.txt?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1


Solved 1st Half

Post by n8tivemtn on Sun Nov 30, 2008 8:05 pm

OTViewIt logfile created on: 11/30/2008 2:41:09 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\lbuel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.11 Mb Total Physical Memory | 584.52 Mb Available Physical Memory | 57.64% Memory free
2.89 Gb Paging File | 2.58 Gb Available in Paging File | 89.11% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 54.56 Gb Free Space | 73.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LEON-PC
Current User Name: lbuel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2007/11/28 08:29:44 | 00,098,304 | ---- | M] (Sophos Plc) -- c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2005/05/31 15:20:36 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
[2007/11/26 09:53:53 | 00,069,632 | ---- | M] (Sophos Plc) -- c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
[2008/01/31 08:23:32 | 00,172,032 | ---- | M] (Sophos Plc) -- c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
[2004/08/04 07:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\cidaemon.exe
[2004/08/04 07:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\cidaemon.exe
[2006/06/13 08:57:00 | 00,094,208 | R--- | M] (Intel Corporation) -- C:\WINNT\system32\igfxtray.exe
[2006/06/13 08:57:00 | 00,077,824 | R--- | M] (Intel Corporation) -- C:\WINNT\system32\hkcmd.exe
[2006/06/13 08:57:00 | 00,118,784 | R--- | M] (Intel Corporation) -- C:\WINNT\system32\igfxpers.exe
[2006/04/29 05:13:46 | 00,766,041 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[2006/07/19 08:42:00 | 16,248,320 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINNT\RTHDCPL.exe
[2008/10/07 10:23:46 | 00,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
[2005/02/25 04:33:00 | 00,127,037 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfswctrl.exe
[2008/02/21 06:29:07 | 00,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2007/10/22 23:11:58 | 00,524,288 | ---- | M] () -- C:\WINNT\Samsung\PanelMgr\SSMMgr.exe
[2008/04/13 19:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\rundll32.exe
[2007/08/31 11:13:42 | 00,988,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
[2008/06/05 17:06:32 | 00,125,208 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
[2006/09/11 03:40:32 | 00,218,032 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[2007/09/07 22:18:29 | 00,245,760 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALMon.exe
[2007/08/31 11:16:48 | 00,357,800 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
[2006/11/16 13:26:52 | 01,095,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
[2007/09/07 21:56:31 | 00,507,904 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\lbuel\Local Settings\Temp\RtkBtMnt.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wuauclt.exe
[2008/11/30 14:40:54 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\lbuel\Desktop\OTViewIt.exe

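The two places in these logs where a helper looks first are the firewall "Authorized Applications List" in the Extras log (entries marked "File not found", and a svchost.exe exception pointing at system32\drivers rather than system32) and the "Processes" / "Win32 Services" lists (an executable running from the user's Local Settings\Temp, services with an empty company field). The following is an added example for this thread, not code from OTViewIt or from any post above: a small Python parser for OTViewIt entry lines that applies those four checks. The sample lines are copied from the logs posted in the thread; the `SYSTEM_ROOT` value is taken from the log header's `%SystemRoot% = C:\WINNT`; the reason codes, the system-binary table and the list of user-writable locations are this example's own conventions, not OTViewIt's.

```python
"""Triage OTViewIt entry lines for the signs a malware-removal helper checks first.

Added example for this thread; not part of OTViewIt or of any post above.
SYSTEM_ROOT comes from the log header ("%SystemRoot% = C:\\WINNT"); reason codes
and the tables below are this example's own conventions.
"""
import re
from typing import Iterable, List, NamedTuple

SYSTEM_ROOT = "C:\\WINNT"   # from the posted log; a stock XP install uses C:\WINDOWS

# One OTViewIt entry: "[mtime | size | attrs | M] (Company) -- path" or "File not found -- path".
# Firewall-exception entries append ":scope:Enabled|Disabled:name" to the path;
# service/driver entries append " -- (ServiceName [Start | State])".
ENTRY_RE = re.compile(
    r"^(?:\[(?P<mtime>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|]+)\|\s*M\]\s*\((?P<company>.*?)\)"
    r"|(?P<missing>File not found))\s+--\s+(?P<rest>.+)$"
)
FIREWALL_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>[Ee]nabled|[Dd]isabled):(?P<name>.*)$")
SERVICE_SUFFIX_RE = re.compile(r"\s+--\s+\(.*\)$")

# Core system binaries and the only directory under %SystemRoot% they legitimately live in
# (empty string = %SystemRoot% itself). The same file name anywhere else is the classic
# masquerading trick and deserves a look.
SYSTEM_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "rundll32.exe": "system32", "explorer.exe": "",
}
# Lower-case fragments of directories an ordinary user can write to (example's own list).
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\")


class Finding(NamedTuple):
    path: str
    reason: str


def normalize(path: str, system_root: str) -> str:
    """Lower-case the path and expand the %windir% / %SystemRoot% forms OTViewIt prints."""
    root = system_root.rstrip("\\").lower()
    return path.lower().replace("%windir%", root).replace("%systemroot%", root)


def triage_line(line: str, system_root: str = SYSTEM_ROOT) -> List[Finding]:
    """Return zero or more findings for one log line; non-entry lines yield none."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []                                   # section headers, blanks, registry keys
    rest = SERVICE_SUFFIX_RE.sub("", m.group("rest"))   # drop " -- (svc [Auto | Running])"
    fw = FIREWALL_RE.match(rest)
    path = fw.group("path") if fw else rest
    root = system_root.rstrip("\\").lower()
    directory, _, basename = normalize(path, system_root).rpartition("\\")
    findings: List[Finding] = []

    # 1. Firewall exception whose target is gone: leftover of an uninstall or of a partial
    #    clean-up. Harmless by itself, but it records what once asked for network access.
    if fw and m.group("missing"):
        findings.append(Finding(path, "stale-firewall-exception"))
    # 2. Core system binary name outside its home directory.
    expected = SYSTEM_BINARIES.get(basename)
    if expected is not None:
        home = root if expected == "" else root + "\\" + expected
        if directory != home:
            findings.append(Finding(path, "system-binary-outside-home-dir"))
    # 3. Executable living in a user-writable location.
    if any(frag in directory + "\\" for frag in USER_WRITABLE):
        findings.append(Finding(path, "user-writable-location"))
    # 4. Empty company field in the version info (weak signal; many OEM tools lack it).
    if m.group("company") is not None and not m.group("company").strip():
        findings.append(Finding(path, "no-company-string"))
    return findings


def triage(lines: Iterable[str], system_root: str = SYSTEM_ROOT) -> List[Finding]:
    out: List[Finding] = []
    for line in lines:
        out.extend(triage_line(line, system_root))
    return out


# Sample input: lines copied from the Authorized Applications, Processes and
# Win32 Services sections posted in this thread.
SAMPLE_LINES = [
    r"[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"File not found -- C:\WINNT\system32\lxbfcoms.exe:*:Enabled:Lexmark Communications System",
    r"File not found -- C:\WINNT\system32\drivers\svchost.exe:*:Disabled:svchost",
    r"[2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe:*:Enabled:Windows Explorer",
    r"[2007/09/07 21:56:31 | 00,507,904 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\lbuel\Local Settings\Temp\RtkBtMnt.exe",
    r"[2007/10/22 23:11:58 | 00,524,288 | ---- | M] () -- C:\WINNT\Samsung\PanelMgr\SSMMgr.exe",
    r"[2008/04/13 19:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\rundll32.exe",
    r"[2008/10/16 23:01:28 | 00,861,464 | ---- | M] () -- C:\Program Files\Intelinet\intelin2.exe -- (IntelinetSecure [On_Demand | Stopped])",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason:32} {f.path}")
```

Run it over the whole OTViewIt.txt and Extras.txt rather than the excerpt. Hits are leads, not verdicts: the svchost.exe exception above is already Disabled and its file is gone, RtkBtMnt.exe carries a Realtek company string, and several OEM tools ship with no company field at all, so each hit still needs the file itself looked at (hash, signature, what created it) before anything is removed.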

Solved Re: Another victim to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 8:05 pm

2nd
========== (O23) Win32 Services ==========

[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/10/16 23:01:28 | 00,861,464 | ---- | M] () -- C:\Program Files\Intelinet\intelin2.exe -- (IntelinetSecure [On_Demand | Stopped])
[2005/05/31 15:20:36 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
[2007/08/24 02:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/11/26 09:53:53 | 00,069,632 | ---- | M] (Sophos Plc) -- c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe -- (SAVAdminService [Unknown | Running])
[2007/11/28 08:29:44 | 00,098,304 | ---- | M] (Sophos Plc) -- c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe -- (SAVService [Unknown | Running])
[2008/01/31 08:23:32 | 00,172,032 | ---- | M] (Sophos Plc) -- c:\Program Files\Sophos\AutoUpdate\ALsvc.exe -- (Sophos AutoUpdate Service [Auto | Running])
[2008/04/13 19:12:38 | 00,050,176 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\utilman.exe -- (UtilMan [On_Demand | Stopped])
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2005/02/23 13:58:56 | 00,011,776 | ---- | M] (Arcsoft, Inc.) -- C:\WINNT\system32\drivers\afc.sys -- (Afc [On_Demand | Running])
[2008/02/27 12:49:00 | 00,003,840 | ---- | M] () -- C:\WINNT\system32\drivers\BANTExt.sys -- (BANTExt [System | Running])
[2006/10/12 15:28:42 | 00,604,928 | ---- | M] (Broadcom Corporation) -- C:\WINNT\system32\drivers\BCMWL5.SYS -- (BCM43XX [On_Demand | Running])
[2008/04/13 13:46:33 | 00,017,024 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\bthenum.sys -- (BthEnum [On_Demand | Stopped])
[2008/04/13 13:51:34 | 00,101,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\bthpan.sys -- (BthPan [On_Demand | Stopped])
[2008/06/13 06:05:51 | 00,272,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\bthport.sys -- (BTHPORT [On_Demand | Stopped])
[2008/04/13 13:46:29 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\bthusb.sys -- (BTHUSB [On_Demand | Stopped])
[2007/10/22 03:21:35 | 00,041,984 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\WINNT\system32\drivers\DGIVECP.SYS -- (DgiVecp [Auto | Stopped])
[2005/04/14 02:22:00 | 00,088,352 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
[2004/12/23 01:56:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
[2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINNT\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2008/04/13 13:46:30 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\hidbth.sys -- (HidBth [On_Demand | Stopped])
[2006/06/13 08:57:00 | 01,166,972 | R--- | M] (Intel Corporation) -- C:\WINNT\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2006/07/19 08:42:00 | 04,304,384 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINNT\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService [On_Demand | Running])
[2008/04/13 13:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2007/08/31 11:15:46 | 00,018,856 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\nuidfltr.sys -- (NuidFltr [On_Demand | Stopped])
[2003/09/20 07:45:48 | 00,021,248 | ---- | M] (Padus, Inc.) -- C:\WINNT\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2004/08/04 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/05/01 02:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2008/04/13 13:46:32 | 00,059,136 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\rfcomm.sys -- (RFCOMM [On_Demand | Stopped])
[2007/05/31 12:39:50 | 00,022,656 | ---- | M] (Research In Motion Limited) -- C:\WINNT\system32\drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])
[2007/01/18 09:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) -- C:\WINNT\system32\drivers\RimSerial.sys -- (RimVSerPort [On_Demand | Stopped])
[2004/08/04 07:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Stopped])
[2007/11/26 09:54:08 | 00,101,120 | ---- | M] (Sophos Plc) -- C:\WINNT\system32\drivers\savonaccesscontrol.sys -- (SAVOnAccessControl [System | Running])
[2007/11/26 09:54:02 | 00,033,408 | ---- | M] (Sophos Plc) -- C:\WINNT\system32\drivers\savonaccessfilter.sys -- (SAVOnAccessFilter [System | Running])
[2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINNT\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2002/11/26 13:54:58 | 00,016,936 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -- (SMNDIS5 [On_Demand | Stopped])
[2004/12/02 10:04:20 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
[2004/12/02 10:04:10 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\drivers\ssrtln.sys -- (ssrtln [System | Running])
[2006/04/29 04:54:52 | 00,193,056 | ---- | M] (Synaptics, Inc.) -- C:\WINNT\system32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2005/02/25 04:33:00 | 00,025,725 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
[2005/02/25 04:33:00 | 00,034,845 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
[2005/02/25 04:33:00 | 00,004,125 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
[2005/02/25 04:33:00 | 00,002,241 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
[2005/02/25 04:33:00 | 00,086,684 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
[2005/02/25 04:33:00 | 00,014,877 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
[2005/02/25 04:33:00 | 00,006,365 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
[2005/02/25 04:33:00 | 00,098,716 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
[2005/02/25 04:33:00 | 00,100,605 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
[2005/09/20 09:30:00 | 00,162,432 | ---- | M] (Texas Instruments) -- C:\WINNT\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
[2006/11/02 06:22:54 | 00,492,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2008/04/13 13:36:38 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])
[2004/08/04 07:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\ws2ifsl.sys -- (WS2IFSL [Disabled | Stopped])
[2006/06/01 07:55:00 | 00,244,864 | ---- | M] (Marvell) -- C:\WINNT\system32\drivers\yk51x86.sys -- (yukonwxp [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Page_Transitions"=

n8tivemtn
Novice
Novice

Posts Posts : 21
Joined Joined : 2008-11-30
Gender Gender : Male
OS OS : xp
Points Points : 29280
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another victem to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 8:06 pm

3rd
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.yahoo.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINNT\system32\ieframe.dll (Microsoft Corporation)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINNT\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{145B29F4-A56B-4b90-BBAC-45784EBEBBB7} (HKLM) -- C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
{3049C3E9-B461-4BC5-8870-4C09146192CA} (HKLM) -- C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
{5CA3D70E-1895-11CF-8E15-001234567890} (HKLM) -- C:\WINNT\system32\dla\tfswshx.dll (Sonic Solutions)
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{5093EB4C-3E93-40AB-9266-B607BA87BDC8}" (HKLM) -- C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{98828DED-A591-462F-83BA-D2F62A68B8B8}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"SITEguard" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"Alcmtr"=ALCMTR.EXE (Realtek Semiconductor Corp.)
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent (Microsoft Corporation)
"dla"=C:\WINNT\system32\dla\tfswctrl.exe (Sonic Solutions)
"igfxhkcmd"=C:\WINNT\system32\hkcmd.exe (Intel Corporation)
"igfxpers"=C:\WINNT\system32\igfxpers.exe (Intel Corporation)
"igfxtray"=C:\WINNT\system32\igfxtray.exe (Intel Corporation)
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" (Microsoft Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RTHDCPL"=RTHDCPL.EXE (Realtek Semiconductor Corp.)
"Samsung PanelMgr"=C:\WINNT\Samsung\PanelMgr\ssmmgr.exe /autorun ()
"SkyTel"=SkyTel.EXE (Realtek Semiconductor Corp.)
"Synchronization Manager"=mobsync.exe /logon (Microsoft Corporation)
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"YMailAdvisor"="C:\Program Files\Yahoo!\Common\YMailAdvisor.exe" (Yahoo! Inc.)
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\cdas11f.exe" /minimize File not found
"HPseti"="C:\Documents and Settings\lbuel\Application Data\Google\runhh6110411.exe" ()
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (Macrovision Corporation)
"nah_Shell"=C:\Documents and Settings\lbuel\nah_kvyd.exe File not found
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)

========== (O4) Startup Folders ==========

[2007/09/07 22:18:29 | 00,245,760 | ---- | M] (Sophos Plc) -- C:\Documents and Settings\All Use


Solved Re: Another victem to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 8:07 pm

4th
[2008/11/07 09:53:11 | 00,022,486 | R--- | M] () -- C:\Documents and Settings\lbuel\Start Menu\Programs\Startup\LaunchU3.exe.lnk = C:\Documents and Settings\lbuel\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/30 02:25:02 | 17,930,264 | ---- | M] (Microsoft Corporation)
StumbleUpon PhotoBlog It!: File not found

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{75C9223A-409A-4795-A3CA-08DE6B075B4B}: Button: StumbleUpon -- %ProgramFiles%\StumbleUpon\StumbleUponIEBar.dll [2008/07/29 06:43:16 | 01,041,744 | ---- | M] (stumbleupon.com)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2007/04/19 13:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 13:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = [You must be registered and logged in to see this link.]
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
26 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{166B1BCA-3F9C-11CF-8075-444553540000}: [You must be registered and logged in to see this link.] -- Shockwave ActiveX Control
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}: C:\Program Files\Yahoo!\Common\Yinsthelper.dll -- Installation Support
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: [You must be registered and logged in to see this link.] -- Shockwave Flash Object
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}: [You must be registered and logged in to see this link.] -- PopCapLoader Object
DirectAnimation Java Classes: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.
Microsoft XML Parser for Java: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.
Yahoo! Cribbage: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{2C2A07C0-5FC8-4451-AFF6-565053B7BBCB} (Servers: | Description: )
{56CBBBE0-56FF-4899-BA91-8B34DEF81F6D} (Servers: | Description: Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller)
{CBB5FFB4-EEFB-4A4C-B97A-2B8AAB864786} (Servers: | Description: Broadcom 802.11g Network Adapter)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINNT\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007/09/07 19:25:34 | 00,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]


Solved Re: Another victem to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 8:08 pm

5th, sorry for the size.
========== Files/Folders - Created Within 30 Days ==========

[2008/11/30 14:40:54 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\lbuel\Desktop\OTViewIt.exe
[2008/11/30 14:31:15 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\CF26812.exe
[2008/11/30 14:26:42 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\CF25920.exe
[2008/11/30 14:23:31 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\CF25297.exe
[2008/11/30 14:17:30 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\CF24118.exe
[2008/11/30 14:11:06 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\CF22864.exe
[2008/11/30 13:32:11 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\lbuel\Desktop\HijackThis.lnk
[2008/11/30 13:32:11 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/29 17:20:27 | 00,000,058 | ---- | C] () -- C:\proc.id
[2008/11/29 17:20:27 | 00,000,000 | ---- | C] () -- C:\asdasd.asdasd
[2008/11/29 17:20:21 | 00,000,640 | ---- | C] () -- C:\Documents and Settings\lbuel\Desktop\Intelinet.lnk
[2008/11/29 17:20:15 | 00,000,000 | ---D | C] -- C:\Program Files\Intelinet
[2008/11/29 12:14:49 | 00,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2008/11/29 12:14:47 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008/11/29 12:14:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/11/29 12:13:57 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2008/11/29 10:13:13 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008/11/29 10:13:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/11/29 08:52:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\lbuel\My Documents\New Folder
[2008/11/28 22:10:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2008/11/28 22:09:42 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2008/11/28 22:09:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2008/11/11 21:52:53 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\mrxsmb.sys
[2008/11/11 21:52:38 | 01,106,944 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\msxml3.dll
[2008/11/07 09:53:11 | 00,002,661 | ---- | C] () -- C:\Documents and Settings\lbuel\Start Menu\Programs\Startup\LaunchU3.exe.lnk

========== Files - Modified Within 30 Days ==========

[3 C:\WINNT\System32\*.tmp files]
[5 C:\WINNT\*.tmp files]
[2008/11/30 14:40:54 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\lbuel\Desktop\OTViewIt.exe
[2008/11/30 14:31:12 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\CF26812.exe
[2008/11/30 14:26:39 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\CF25920.exe
[2008/11/30 14:23:28 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\CF25297.exe
[2008/11/30 14:21:51 | 00,000,058 | ---- | M] () -- C:\proc.id
[2008/11/30 14:17:27 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\CF24118.exe
[2008/11/30 14:12:35 | 00,002,422 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2008/11/30 14:12:33 | 00,002,661 | ---- | M] () -- C:\Documents and Settings\lbuel\Start Menu\Programs\Startup\LaunchU3.exe.lnk
[2008/11/30 14:11:03 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\CF22864.exe
[2008/11/30 13:32:11 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\lbuel\Desktop\HijackThis.lnk
[2008/11/30 12:35:37 | 00,000,000 | ---- | M] () -- C:\asdasd.asdasd
[2008/11/30 12:14:14 | 00,367,764 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2008/11/30 12:14:14 | 00,320,472 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2008/11/30 12:14:14 | 00,043,164 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2008/11/30 12:09:48 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2008/11/30 12:09:36 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2008/11/30 12:08:28 | 00,000,012 | ---- | M] () -- C:\WINNT\bthservsdp.dat
[2008/11/29 17:20:21 | 00,000,640 | ---- | M] () -- C:\Documents and Settings\lbuel\Desktop\Intelinet.lnk
[2008/11/29 12:14:49 | 00,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2008/11/29 11:19:55 | 00,000,482 | ---- | M] () -- C:\WINNT\win.ini
[2008/11/28 20:55:09 | 00,507,904 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\winlogon.exe
[2008/11/28 20:55:09 | 00,295,424 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\termsrv.dll
[2008/11/25 22:10:34 | 07,444,984 | -H-- | M] () -- C:\Documents and Settings\lbuel\Local Settings\Application Data\IconCache.db
[2008/11/22 10:02:21 | 00,054,156 | -H-- | M] () -- C:\WINNT\QTFont.qfn
[2008/11/14 06:37:28 | 00,001,393 | ---- | M] () -- C:\WINNT\imsins.BAK
[2008/11/03 19:10:25 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\MRT.exe
[2008/11/03 17:35:51 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\lbuel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
< End of report >


Solved Re: Another victem to Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 9:06 pm

Hello.
No problem about the length; the longer it is, the more detail we get.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPseti"=-
    "nah_Shell"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Try running combofix again.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Another victem to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 9:17 pm

Does not open upon double click


Solved Re: Another victem to Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 9:21 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\Documents and Settings\lbuel\Application Data\Google\runhh6110411.exe
C:\Documents and Settings\lbuel\nah_kvyd.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute button to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.


Please PM me if I fail to respond within 24hrs.
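Added example (not code from this thread, HijackThis or The Avenger): a Python triage script that parses the HJT `O4` Run-key lines quoted in this thread, flags autostarts whose executable lives inside a per-user profile (the pattern shared by the two entries removed in the two posts above), and emits both removal artefacts those posts describe: a Registry Editor 5.00 file using the `"name"=-` delete syntax, and an Avenger script checked to begin with a command directive, since the Avenger pre-processor rejects a script that does not. The sample lines are copied from the log in this thread; the per-user-profile heuristic and the one-item directive list are assumptions.

```python
"""Triage HijackThis O4 autostart lines and build the two removal artefacts
used in this thread: a .reg file deleting Run-key values and an Avenger
'Files to delete:' script.  Example code; not part of HijackThis or Avenger."""
import re
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample: HKCU/HKLM Run entries copied from the HJT log in this thread,
# plus one non-Run line to show that the parser ignores it.
SAMPLE_HJT_LINES = [
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler',
    r"O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\lbuel\nah_kvyd.exe",
    r'O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\lbuel\Application Data\Google\runhh6110411.exe"',
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r"O4 - Startup: LaunchU3.exe.lnk = ?",
]


class RunEntry(NamedTuple):
    hive: str      # "HKLM" or "HKCU", as HijackThis abbreviates it
    key: str       # "Run" or "RunOnce"
    name: str      # value name shown in square brackets
    command: str   # full command line as logged
    path: str      # executable extracted from the command line


# O4 line shape: O4 - HKCU\..\Run: [name] command   (per-user HKUS\S-1-5-xx lines are skipped)
HJT_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First executable-looking token, quoted or not, so "rundll32.exe foo.cpl,,X" yields rundll32.exe.
EXE_IN_CMD = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|cpl|bat|cmd|scr|pif))\b', re.IGNORECASE)
# Assumed heuristic: a per-user profile root on XP; the shared "All Users" tree is excluded.
USER_PROFILE = re.compile(r"\\Documents and Settings\\(?!All Users\\)[^\\]+\\", re.IGNORECASE)

HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
KNOWN_DIRECTIVES = {"Files to delete:"}  # assumption: only the directive this thread uses


def parse_hjt_o4(lines: Iterable[str]) -> List[RunEntry]:
    """Return the Run/RunOnce entries found in HijackThis O4 lines."""
    entries: List[RunEntry] = []
    for line in lines:
        m = HJT_O4.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        exe = EXE_IN_CMD.match(cmd)
        path = exe.group("path") if exe else cmd
        entries.append(RunEntry(m.group("hive"), m.group("key"), m.group("name"), cmd, path))
    return entries


def flag_suspicious(entries: Iterable[RunEntry]) -> List[RunEntry]:
    """Flag autostarts whose executable sits inside a per-user profile rather than
    Program Files or the Windows directory; both entries removed in this thread did."""
    return [e for e in entries if USER_PROFILE.search(e.path)]


def build_reg(entries: Iterable[RunEntry]) -> str:
    """Emit a Registry Editor 5.00 file; a line of the form "name"=- deletes that
    value when the file is merged.  Write it with CRLF line endings for regedit."""
    by_key: Dict[str, List[str]] = {}
    for e in entries:
        full_key = f"{HIVE_NAMES[e.hive]}\\{RUN_KEY}\\{e.key}"
        by_key.setdefault(full_key, []).append(e.name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        out.append(f"[{key}]")
        out.extend(f'"{name}"=-' for name in sorted(by_key[key]))
        out.append("")
    return "\n".join(out)


def build_avenger_script(entries: Iterable[RunEntry]) -> str:
    """Avenger script: a command directive on the first line, then one path per line."""
    paths = sorted({e.path for e in entries})
    return "\n".join(["Files to delete:", *paths]) + "\n"


def validate_avenger_script(script: str) -> bool:
    """True when the first non-blank line is a command directive; pasting bare paths
    without one makes the pre-processor abort with 'Invalid script'."""
    first = next((ln.strip() for ln in script.splitlines() if ln.strip()), "")
    return first in KNOWN_DIRECTIVES


if __name__ == "__main__":
    found = flag_suspicious(parse_hjt_o4(SAMPLE_HJT_LINES))
    for e in found:
        print(f"flagged {e.hive}\\{e.key} [{e.name}] -> {e.path}")
    print(build_reg(found))
    print(build_avenger_script(found))
```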



Solved Avenger results

Post by n8tivemtn on Sun Nov 30, 2008 9:41 pm

Avenger
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Nov 30 16:31:33 2008

16:31:33: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpxjt.sys
Start Type: 1 (System)

Rootkit scan completed.

File "C:\Documents and Settings\lbuel\Application Data\Google\runhh6110411.exe" deleted successfully.
File "C:\Documents and Settings\lbuel\nah_kvyd.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:11 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\DOCUME~1\lbuel\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\lbuel\nah_kvyd.exe
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\lbuel\Application Data\Google\runhh6110411.exe"
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas11f.exe" /minimize
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - [You must be registered and logged in to see this link.]
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Cribbage - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iscsecurity.net
O17 - HKLM\Software\..\Telephony: DomainName = iscsecurity.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iscsecurity.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iscsecurity.net
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 9325 bytes

n8tivemtn
Novice
Posts : 21
Joined : 2008-11-30
Gender : Male
OS : xp
Points : 29280
# Likes : 0

Re: Another victim to Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 9:47 pm

Hello.
That showed the rootkit, now let's get rid of it.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
TDSSserv.sys

Drivers to delete:
TDSSserv.sys

Files to delete:
C:\windows\system32\drivers\TDSSpxjt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Re: Another victim to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 9:57 pm

Avenger
Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpxjt.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.

Error: could not open file "C:\windows\system32\drivers\TDSSpxjt.sys"
Deletion of file "C:\windows\system32\drivers\TDSSpxjt.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:48 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\DOCUME~1\lbuel\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\lbuel\nah_kvyd.exe
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\lbuel\Application Data\Google\runhh6110411.exe"
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas11f.exe" /minimize
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - [You must be registered and logged in to see this link.]
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Cribbage - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iscsecurity.net
O17 - HKLM\Software\..\Telephony: DomainName = iscsecurity.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iscsecurity.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iscsecurity.net
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 9412 bytes


Re: Another victim to Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 10:02 pm

Hello, the deleting part didn't work because of an error on my behalf. Let's get rid of it this time.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINNT\system32\drivers\TDSSpxjt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Please try to run combofix now, it will work.





Re: Another victim to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 10:07 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINNT\system32\drivers\TDSSpxjt.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: Another victim to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 10:09 pm

Same result
Combofix tries to rename and then boots me from internet


Re: Another victim to Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 10:36 pm

Combofix is supposed to disconnect you from the internet, is that what you mean?


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\lbuel\nah_kvyd.exe
    O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\lbuel\Application Data\Google\runhh6110411.exe"


  • Press "Fix Checked"
  • Close Hijack This.


If you can get combofix running, please try.





Re: Another victim to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 11:31 pm

ComboFix report
ComboFix 08-11-30.01 - lbuel 2008-11-30 18:11:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.602 [GMT -5:00]
Running from: c:\documents and settings\lbuel\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\lbuel\LOCALS~1\Temp\install_flash_player.exe
c:\winnt\system32\TDSSarxx.dll
c:\winnt\system32\TDSSdxcp.dll
c:\winnt\system32\TDSSkkai.log
c:\winnt\system32\TDSSmtve.dat
c:\winnt\system32\TDSSoitt.dll
c:\winnt\system32\TDSSvoql.dll
c:\winnt\Web\default.htt

c:\winnt\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_IAS


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 13:32 . 2008-11-30 13:32 d-------- c:\program files\Trend Micro
2008-11-29 17:20 . 2008-11-30 12:35 d-------- c:\program files\Intelinet
2008-11-29 17:20 . 2008-11-30 14:21 58 --a------ C:\proc.id
2008-11-29 17:20 . 2008-11-30 12:35 0 --a------ C:\asdasd.asdasd
2008-11-29 12:14 . 2008-11-29 12:14 d-------- c:\program files\Lavasoft
2008-11-29 12:14 . 2008-11-29 12:15 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-29 12:13 . 2008-11-29 12:13 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 10:13 . 2008-11-30 16:35 d-------- c:\program files\Spybot - Search & Destroy
2008-11-29 10:13 . 2008-11-30 14:11 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 22:10 . 2008-11-29 10:04 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-28 22:09 . 2008-11-28 22:09 d-------- c:\program files\Common Files\iS3
2008-11-28 22:09 . 2008-11-29 10:17 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-11 21:52 . 2008-09-04 12:15 1,106,944 -----c--- c:\winnt\system32\dllcache\msxml3.dll
2008-11-11 21:52 . 2008-10-24 06:21 455,296 -----c--- c:\winnt\system32\dllcache\mrxsmb.sys
2008-10-24 19:20 . 2008-11-30 12:08 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-24 04:37 . 2008-10-15 11:34 337,408 -----c--- c:\winnt\system32\dllcache\netapi32.dll
2008-10-17 09:21 . 2008-10-17 09:21 262,144 --a------ C:\ntuser.dat
2008-10-15 00:59 . 2008-08-14 05:11 2,189,184 -----c--- c:\winnt\system32\dllcache\ntoskrnl.exe
2008-10-15 00:59 . 2008-08-14 05:09 2,145,280 -----c--- c:\winnt\system32\dllcache\ntkrnlmp.exe
2008-10-15 00:59 . 2008-08-14 04:33 2,066,048 -----c--- c:\winnt\system32\dllcache\ntkrnlpa.exe
2008-10-15 00:59 . 2008-08-14 04:33 2,023,936 -----c--- c:\winnt\system32\dllcache\ntkrpamp.exe
2008-10-15 00:59 . 2008-09-15 07:12 1,846,400 -----c--- c:\winnt\system32\dllcache\win32k.sys
2008-10-15 00:59 . 2008-09-08 05:41 333,824 -----c--- c:\winnt\system32\dllcache\srv.sys
2008-10-06 05:46 . 2008-10-10 21:04 d-------- c:\program files\AWS
2008-10-03 12:49 . 2008-10-03 12:49 d-------- c:\documents and settings\lbuel\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 22:03 --------- d-----w c:\documents and settings\lbuel\Application Data\StumbleUpon
2008-11-29 13:24 --------- d-----w c:\program files\Rapid Eye Multi-Media 7.0
2008-11-23 13:23 --------- d-----w c:\program files\CA Yahoo! Anti-Spy
2008-11-23 00:00 --------- d-----w c:\documents and settings\lbuel\Application Data\U3
2008-11-14 11:40 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-24 11:21 455,296 ----a-w c:\winnt\system32\drivers\mrxsmb.sys
2008-10-18 00:34 --------- d-----w c:\documents and settings\lbuel\Application Data\Yahoo!
2007-12-11 11:29 256 ----a-w c:\documents and settings\lbuel\pool.bin
2007-09-08 00:25 271 --sh--w c:\program files\desktop.ini
2007-09-08 00:25 21,952 ---ha-w c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-15 08:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 53248]
"igfxtray"="c:\winnt\system32\igfxtray.exe" [2006-06-13 94208]
"igfxhkcmd"="c:\winnt\system32\hkcmd.exe" [2006-06-13 77824]
"igfxpers"="c:\winnt\system32\igfxpers.exe" [2006-06-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 766041]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"dla"="c:\winnt\system32\dla\tfswctrl.exe" [2005-02-25 127037]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-21 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"Synchronization Manager"="mobsync.exe" [2008-04-13 c:\winnt\system32\mobsync.exe]
"SkyTel"="SkyTel.EXE" [2006-07-19 c:\winnt\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 c:\winnt\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\winnt\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-13 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\lbuel\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\documents and settings\lbuel\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-11-07 22486]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-09-07 245760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rapid Eye Multi-Media 7.0\\REMView.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\winnt\system32\DRIVERS\savonaccesscontrol.sys [2007-09-07 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\winnt\system32\DRIVERS\savonaccessfilter.sys [2007-09-07 33408]
S3 IntelinetSecure;IntelinetSecure;c:\program files\Intelinet\intelin2.exe [2008-11-29 861464]
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\winnt\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\lbuel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 19:53]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-CyberDefender Early Detection Center - c:\program files\CyberDefender\AntiSpyware\cdas11f.exe
SafeBoot-sglfb.sys
SafeBoot-tga.sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage

O16 -: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-30 18:22:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sophos\Sophos Anti-Virus\SavService.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\winnt\system32\rundll32.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
c:\docume~1\lbuel\LOCALS~1\temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2008-11-30 18:24:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-30 23:24:11

Pre-Run: 58,553,364,480 bytes free
Post-Run: 58,634,125,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

167 --- E O F --- 2008-11-15 11:27:50


Solved Re: Another victem to Spyware.ispynow

Post by Belahzur on Sun Nov 30, 2008 11:35 pm

Hello.
Leftovers are gone now, but we need to get a leftover, so do this.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\documents and settings\lbuel\pool.bin
c:\program files\folder.htt

FileLook::
C:\proc.id
C:\asdasd.asdasd

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down
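A small dry-run reader for the CFScript format used in the post above (File:: entries, which ComboFix deletes, and FileLook:: entries, which it only reports on), added here as an example; it is not ComboFix's own code or anything from the thread. It reproduces the check the "Look" section of the later log shows (PE header test plus MD5) on constructed sample files, and only lists what File:: would remove rather than deleting anything.

```python
import hashlib
import os
import re
import tempfile

# Section headers as used in the thread's CFScript; the parser is an added example.
SECTION_RE = re.compile(r"^\s*(File|FileLook)::\s*$", re.IGNORECASE)


def parse_cfscript(text):
    """Split a CFScript into {'File': [...], 'FileLook': [...]} path lists."""
    sections = {"File": [], "FileLook": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            # Normalise case so 'file::' and 'FILE::' land in the same bucket.
            current = {"file": "File", "filelook": "FileLook"}[m.group(1).lower()]
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def look(path):
    """Mimic the 'Look' report for one path: PE check plus MD5 of the content."""
    if not os.path.isfile(path):
        return {"path": path, "exists": False}
    with open(path, "rb") as fh:
        data = fh.read()
    # A PE image starts with the DOS 'MZ' stub; an empty file can never be PE,
    # which is why the log shows the empty-input MD5 for a 0-byte file.
    return {"path": path, "exists": True, "is_pe": data[:2] == b"MZ",
            "size": len(data), "md5": hashlib.md5(data).hexdigest()}


def run_script(text):
    """Dry run: list what File:: would delete and inspect every FileLook:: entry."""
    sections = parse_cfscript(text)
    return {"would_delete": [p for p in sections["File"] if os.path.isfile(p)],
            "look": [look(p) for p in sections["FileLook"]]}


def build_demo(tmpdir):
    """Constructed sample files (hypothetical, not from the thread): an empty
    file and a 64-byte fake MZ stub, plus a CFScript that names them."""
    empty = os.path.join(tmpdir, "asdasd.asdasd")
    open(empty, "wb").close()
    stub = os.path.join(tmpdir, "pool.bin")
    with open(stub, "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62)
    return f"File::\n{stub}\n\nFileLook::\n{empty}\n{stub}\n"


def demo():
    """Run the dry run over the constructed files and return the report."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return run_script(build_demo(tmpdir))


if __name__ == "__main__":
    print(demo())
```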

Solved Re: Another victem to Spyware.ispynow

Post by n8tivemtn on Sun Nov 30, 2008 11:59 pm

ComboFix 08-11-30.01 - lbuel 2008-11-30 18:56:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.635 [GMT -5:00]
Running from: c:\documents and settings\lbuel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lbuel\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\lbuel\pool.bin
c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\lbuel\pool.bin
c:\program files\folder.htt

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 13:32 . 2008-11-30 13:32 d-------- c:\program files\Trend Micro
2008-11-29 17:20 . 2008-11-30 12:35 d-------- c:\program files\Intelinet
2008-11-29 17:20 . 2008-11-30 14:21 58 --a------ C:\proc.id
2008-11-29 17:20 . 2008-11-30 12:35 0 --a------ C:\asdasd.asdasd
2008-11-29 12:14 . 2008-11-29 12:14 d-------- c:\program files\Lavasoft
2008-11-29 12:14 . 2008-11-29 12:15 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-29 12:13 . 2008-11-29 12:13 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 10:13 . 2008-11-30 16:35 d-------- c:\program files\Spybot - Search & Destroy
2008-11-29 10:13 . 2008-11-30 14:11 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 22:10 . 2008-11-29 10:04 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-28 22:09 . 2008-11-28 22:09 d-------- c:\program files\Common Files\iS3
2008-11-28 22:09 . 2008-11-29 10:17 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-11 21:52 . 2008-09-04 12:15 1,106,944 -----c--- c:\winnt\system32\dllcache\msxml3.dll
2008-11-11 21:52 . 2008-10-24 06:21 455,296 -----c--- c:\winnt\system32\dllcache\mrxsmb.sys
2008-10-24 19:20 . 2008-11-30 12:08 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-24 04:37 . 2008-10-15 11:34 337,408 -----c--- c:\winnt\system32\dllcache\netapi32.dll
2008-10-17 09:21 . 2008-10-17 09:21 262,144 --a------ C:\ntuser.dat
2008-10-15 00:59 . 2008-08-14 05:11 2,189,184 -----c--- c:\winnt\system32\dllcache\ntoskrnl.exe
2008-10-15 00:59 . 2008-08-14 05:09 2,145,280 -----c--- c:\winnt\system32\dllcache\ntkrnlmp.exe
2008-10-15 00:59 . 2008-08-14 04:33 2,066,048 -----c--- c:\winnt\system32\dllcache\ntkrnlpa.exe
2008-10-15 00:59 . 2008-08-14 04:33 2,023,936 -----c--- c:\winnt\system32\dllcache\ntkrpamp.exe
2008-10-15 00:59 . 2008-09-15 07:12 1,846,400 -----c--- c:\winnt\system32\dllcache\win32k.sys
2008-10-15 00:59 . 2008-09-08 05:41 333,824 -----c--- c:\winnt\system32\dllcache\srv.sys
2008-10-06 05:46 . 2008-10-10 21:04 d-------- c:\program files\AWS
2008-10-03 12:49 . 2008-10-03 12:49 d-------- c:\documents and settings\lbuel\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 22:03 --------- d-----w c:\documents and settings\lbuel\Application Data\StumbleUpon
2008-11-29 13:24 --------- d-----w c:\program files\Rapid Eye Multi-Media 7.0
2008-11-29 01:55 295,424 ----a-w c:\winnt\system32\termsrv.dll
2008-11-23 13:23 --------- d-----w c:\program files\CA Yahoo! Anti-Spy
2008-11-23 00:00 --------- d-----w c:\documents and settings\lbuel\Application Data\U3
2008-11-14 11:40 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-24 11:21 455,296 ----a-w c:\winnt\system32\drivers\mrxsmb.sys
2008-10-18 00:34 --------- d-----w c:\documents and settings\lbuel\Application Data\Yahoo!
2008-10-16 19:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\winnt\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\winnt\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\winnt\system32\muweb.dll
2008-09-30 21:43 1,286,152 ----a-w c:\winnt\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\winnt\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\winnt\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\winnt\system32\msxml3.dll
2008-09-04 17:15 1,106,944 ----a-w c:\winnt\system32\msxml3(2).dll
2008-08-26 07:24 826,368 ----a-w c:\winnt\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\winnt\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\winnt\system32\ntkrnlpa.exe
2007-09-08 00:25 271 --sh--w c:\program files\desktop.ini
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\asdasd.asdasd -- Not a PE file.
MD5: d41d8cd98f00b204e9800998ecf8427e

C:\proc.id -- Not a PE file.
MD5: 35a38adf3949acf714209a5e1c661c14


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-30 23:18:54 43,164 ----a-w c:\winnt\system32\perfc009.dat
+ 2008-11-30 23:24:16 43,164 ----a-w c:\winnt\system32\perfc009.dat
- 2008-11-30 23:18:54 320,472 ----a-w c:\winnt\system32\perfh009.dat
+ 2008-11-30 23:24:16 320,472 ----a-w c:\winnt\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-15 08:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 53248]
"igfxtray"="c:\winnt\system32\igfxtray.exe" [2006-06-13 94208]
"igfxhkcmd"="c:\winnt\system32\hkcmd.exe" [2006-06-13 77824]
"igfxpers"="c:\winnt\system32\igfxpers.exe" [2006-06-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 766041]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"dla"="c:\winnt\system32\dla\tfswctrl.exe" [2005-02-25 127037]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-21 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"Synchronization Manager"="mobsync.exe" [2008-04-13 c:\winnt\system32\mobsync.exe]
"SkyTel"="SkyTel.EXE" [2006-07-19 c:\winnt\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 c:\winnt\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\winnt\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-13 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\lbuel\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\documents and settings\lbuel\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-11-07 22486]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-09-07 245760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rapid Eye Multi-Media 7.0\\REMView.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\winnt\system32\DRIVERS\savonaccesscontrol.sys [2007-09-07 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\winnt\system32\DRIVERS\savonaccessfilter.sys [2007-09-07 33408]
S3 IntelinetSecure;IntelinetSecure;c:\program files\Intelinet\intelin2.exe [2008-11-29 861464]
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\winnt\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\lbuel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 19:53]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-30 18:57:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-30 18:58:39
ComboFix-quarantined-files.txt 2008-11-30 23:58:03
ComboFix2.txt 2008-11-30 23:24:33

Pre-Run: 58,625,789,952 bytes free
Post-Run: 58,614,706,176 bytes free

153 --- E O F --- 2008-11-15 11:27:50


Solved Re: Another victem to Spyware.ispynow

Post by Belahzur on Mon Dec 01, 2008 12:03 am

Hello.
Looks good, what problems remain?





Solved Re: Another victem to Spyware.ispynow

Post by n8tivemtn on Mon Dec 01, 2008 12:17 am

I will monitor

Thank you very much for your help.


Solved Re: Another victem to Spyware.ispynow

Post by Belahzur on Mon Dec 01, 2008 12:21 am

Okay.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.
=====


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.





Solved Re: Another victem to Spyware.ispynow

Post by Doctor Inferno on Sun Dec 07, 2008 12:21 pm

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104600
# Likes # Likes : 0

View user profile

Back to top Go down
