Another Spyware.Ispynow (Hijackthis Log Included)

Solved Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 8:10 pm

I saw it and said a billion swear words. Never thought I would get it too.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:45 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 207.38.124.200 login.warrock.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7593 bytes

Topple | Novice | Posts: 15 | Joined: 2008-11-30 | OS: Windows XP

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 9:08 pm

Hello.

  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur | Administrator | Posts: 34916 | Joined: 2008-08-03 | OS: XP SP3 Media Centre

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 9:17 pm

For some reason Combofix will not run.

Topple | Novice | Posts: 15 | Joined: 2008-11-30 | OS: Windows XP

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 9:22 pm

Hello.
Okay, don't run combofix for now.

Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras. Post both those logs here.
  • You may need to use two posts to get it all on the forum


Please note: Please make sure you post all of OTViewIt.txt, the log can be quite long and I need to see all of it.


Belahzur | Administrator | Posts: 34916 | Joined: 2008-08-03 | OS: XP SP3 Media Centre

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 9:29 pm

OTViewIt logfile created on: 11/30/2008 3:35:52 PM - Run 2
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\john\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.30 Mb Total Physical Memory | 106.08 Mb Available Physical Memory | 21.08% Memory free
1.20 Gb Paging File | 0.56 Gb Available in Paging File | 46.83% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.70 Gb Total Space | 150.23 Gb Free Space | 84.07% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 7.59 Gb Total Space | 1.91 Gb Free Space | 25.22% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: MAIN
Current User Name: john
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/06/29 08:06:38 | 00,088,363 | ---- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe
[2008/03/30 09:36:40 | 00,267,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
[2005/04/06 17:57:12 | 00,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
[2005/04/06 17:53:00 | 02,805,248 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
[2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[2008/06/10 03:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2007/01/13 08:47:04 | 00,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2008/02/18 10:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/08/30 07:56:29 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
[2007/01/13 08:46:36 | 00,135,168 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
[2008/04/09 00:15:10 | 00,648,504 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2008/04/18 03:30:43 | 00,204,800 | ---- | M] () -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
[2007/08/09 01:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
[2008/05/14 14:43:03 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
[2005/05/11 22:23:26 | 00,282,624 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2008/07/02 08:36:43 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
[2008/04/09 00:15:12 | 00,648,504 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
[2008/08/30 07:56:30 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
[2005/05/11 23:33:52 | 00,479,232 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
[2008/06/10 00:21:01 | 00,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\java.exe
[2008/03/30 09:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2007/05/11 02:06:38 | 00,341,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
[2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
[2008/04/13 18:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2008/03/25 14:21:28 | 00,050,528 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
[2007/05/25 11:16:08 | 00,042,032 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
[2008/11/30 15:34:32 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\john\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/02/18 10:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/08/30 07:56:30 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
[2008/08/30 07:56:29 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
File not found -- -- (FLEXnet Licensing Service [On_Demand | Stopped])
[2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Running])
[2006/10/30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2008/03/30 09:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2008/04/18 03:30:43 | 00,204,800 | ---- | M] () -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -- (LinksysUpdater [Auto | Running])
[2006/10/30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2008/04/09 00:15:12 | 00,648,504 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice [Auto | Running])
[2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/08/09 01:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
[2008/05/14 14:43:03 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Stopped])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services ==========

[2004/06/29 08:07:18 | 01,268,204 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
[2008/08/30 07:56:28 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
[2008/07/02 08:36:43 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
[2008/07/02 08:36:52 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX [Auto | Running])
[2008/01/29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Stopped])
[2004/03/17 14:10:40 | 00,113,664 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService [On_Demand | Stopped])
[2008/04/13 10:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2005/03/08 06:52:26 | 00,051,120 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2005/03/08 06:52:27 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2005/03/08 06:52:28 | 00,021,744 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2007/01/13 09:33:18 | 05,672,032 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm [On_Demand | Running])
[2005/04/15 17:05:42 | 02,564,032 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2007/10/10 16:41:50 | 00,042,112 | ---- | M] (Motorola Inc) -- C:\WINDOWS\system32\drivers\motodrv.sys -- (MotDev [On_Demand | Stopped])
[2008/04/23 12:23:32 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
[2008/04/09 00:14:04 | 00,023,992 | ---- | M] (Pure Networks, Inc.) -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp [Auto | Running])
[2004/08/04 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2008/04/09 00:14:00 | 00,025,272 | ---- | M] (Pure Networks, Inc.) -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis [Auto | Running])
[2008/02/25 11:54:56 | 00,105,088 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
[2004/08/03 16:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139 [On_Demand | Stopped])
[2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2008/05/02 11:47:49 | 00,717,296 | ---- | M] () -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd [Boot | Running])
[2008/02/18 10:16:24 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://www.comcast.net/toolbar2.0/search/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.comcast.net/comcast.html

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.comcast.net/comcast.html

Topple | Novice | Posts: 15 | Joined: 2008-11-30 | OS: Windows XP
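The O4 Run Keys and O1 Hosts File sections of the OTViewIt output in this thread are where the entries worth questioning sit: autorun values whose target file is missing, whose binary carries no publisher in its version info (OTViewIt prints an empty "()"), or whose path is inside a user profile rather than Program Files or Windows, plus a hosts line that pins a real IP to a domain. The Python script below is an added example for readers of this thread; it is not part of OTViewIt, HijackThis or ComboFix, and the helpers did not post it. It applies those checks to lines copied from the posted log and lists the entries that trip them. The rules are heuristics: an orphaned entry is often a harmless uninstall leftover, and a hosts redirect can be the user's own doing for a game server, so a hit means "look closer", not "infected".

```python
"""Triage the O4 (Run keys) and O1 (hosts) lines of an OTViewIt log.

Added example for this thread only; it is not part of OTViewIt, HijackThis
or ComboFix. Every rule is a heuristic: a hit means "look closer".
"""
import re

# Lines copied from the OTViewIt output posted in this thread (O4 and O1 sections).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"Alcmtr"=ALCMTR.EXE File not found
"MeinVB6"=C:\Documents and Settings\john\My Documents\drivers\tool.exe File not found
"Persistence"=C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"= File not found
"HPseti"="C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe" ()
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"nah_Shell"=C:\Documents and Settings\john\nah_bbfo.exe File not found
127.0.0.1 localhost
207.38.124.200 login.warrock.net
"""

RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"=(?P<rest>.*)$')
PUBLISHER = re.compile(r'\((?P<pub>[^()]*)\)\s*$')   # OTViewIt appends (Company) from the file's version info
IMAGE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|pif|cmd))\b', re.IGNORECASE)
HOSTS_LINE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$')
MISSING = 'File not found'


def triage_run_entry(line):
    """Parse one "Name"=target (Publisher) line; return None if the line is not one."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    name, rest = m.group('name'), m.group('rest').strip()
    findings = []
    if rest.endswith(MISSING):
        rest = rest[:-len(MISSING)].strip()
        findings.append('orphaned: target no longer exists (uninstall leftover or partial removal)')
    pm = PUBLISHER.search(rest)
    publisher = pm.group('pub').strip() if pm else None
    if pm and not publisher:
        findings.append('no publisher: file carries no company name in its version info')
    im = IMAGE_PATH.match(rest)
    path = im.group('path') if im else rest.strip('"')
    low = path.lower()
    if '\\documents and settings\\' in low and '\\all users\\' not in low:
        findings.append('user-profile path: autorun target lives under a user profile, not Program Files or Windows')
    if re.search(r'\d{5,}', path.rsplit('\\', 1)[-1]):
        findings.append('digit-heavy filename: long numeric run in the executable name (weak signal)')
    return {'kind': 'run', 'name': name, 'target': path, 'publisher': publisher, 'findings': findings}


def triage_hosts_entry(line):
    """Parse one "ip hostname" line; return None if the line is not one."""
    m = HOSTS_LINE.match(line)
    if not m:
        return None
    ip, host = m.group('ip'), m.group('host')
    findings = []
    loopback = ip.startswith('127.') or ip == '0.0.0.0'
    if host.lower() == 'localhost' and ip != '127.0.0.1':
        findings.append('localhost remapped away from 127.0.0.1')
    elif not loopback:
        findings.append('hosts redirect: %s is pinned to %s, bypassing DNS for that name' % (host, ip))
    return {'kind': 'hosts', 'name': host, 'target': ip, 'publisher': None, 'findings': findings}


def triage(log_text):
    """Return only the entries that tripped at least one rule, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = triage_run_entry(line) or triage_hosts_entry(line)
        if entry and entry['findings']:
            flagged.append(entry)
    return flagged


def report(log_text):
    """Human-readable summary of the flagged entries."""
    out = []
    for e in triage(log_text):
        out.append('%-5s %-12s %s' % (e['kind'], e['name'], e['target'] or '(no target)'))
        out.extend('      - ' + f for f in e['findings'])
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

Run against the copied lines, the script passes the Adobe, Intel and Windows Live entries and the localhost line untouched, and flags the two orphaned vendor leftovers (Alcmtr, Aim6), the three entries pointing into john's profile (MeinVB6, nah_Shell, HPseti), and the warrock hosts pin. HPseti trips all three non-orphan rules at once, which is the combination a helper reads as "this one first".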

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 9:39 pm

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (768 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
207.38.124.200 login.warrock.net

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} (HKLM) -- C:\Program Files\ComcastToolbar\comcasttoolbar.dll (Comcast Cable Communications. )
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}" (HKLM) -- C:\Program Files\ComcastToolbar\comcasttoolbar.dll (Comcast Cable Communications. )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}" (HKLM) -- C:\Program Files\ComcastToolbar\comcasttoolbar.dll (Comcast Cable Communications. )

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}" (HKLM) -- C:\Program Files\ComcastToolbar\comcasttoolbar.dll (Comcast Cable Communications. )

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AGRSMMSG"=AGRSMMSG.exe (Agere Systems)
"Alcmtr"=ALCMTR.EXE File not found
"AlcWzrd"=ALCWZRD.EXE (RealTek Semicoductor Corp.)
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
"High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe (Windows (R) Server 2003 DDK provider)
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
"LELA"="C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized (Linksys LLC - A Division of Cisco Systems)
"MeinVB6"=C:\Documents and Settings\john\My Documents\drivers\tool.exe File not found
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" (Pure Networks, Inc.)
"Persistence"=C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"SoundMan"=SOUNDMAN.EXE (Realtek Semiconductor Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (Adobe Systems Incorporated)
"Aim6"= File not found
"HPseti"="C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe" ()
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"nah_Shell"=C:\Documents and Settings\john\nah_bbfo.exe File not found
"P2kAutostart"= File not found

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" (Adobe Systems Incorporated)
"Aim6"= File not found
"HPseti"="C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe" ()
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"nah_Shell"=C:\Documents and Settings\john\nah_bbfo.exe File not found
"P2kAutostart"= File not found

========== (O4) Startup Folders ==========

[2005/05/11 22:23:26 | 00,282,624 | ---- | M] (Hewlett-Packard Co.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2005/05/11 23:49:24 | 00,073,728 | ---- | M] (Hewlett-Packard Co.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/30 03:25:02 | 17,930,264 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/30 03:25:02 | 17,930,264 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = [You must be registered and logged in to see this link.]
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: [You must be registered and logged in to see this link.] -- Windows Genuine Advantage Validation Tool
{1A1F56AA-3401-46F9-B277-D57F3421F821}: [You must be registered and logged in to see this link.] -- FunGamesLoader Object
{233C1507-6A77-46A4-9443-F871F945D258}: [You must be registered and logged in to see this link.] -- Shockwave ActiveX Control
{2C153C75-8476-434B-B3C3-57B63A3D1939}: [You must be registered and logged in to see this link.] -- Brickout Control
{54B52E52-8000-4413-BD67-FC7FE24B59F2}: [You must be registered and logged in to see this link.] -- EARTPatchX Class
{61900274-3323-4446-BDCD-91548D32AF1B}: [You must be registered and logged in to see this link.] -- SpiderSolitaire Control
{8A94C905-FF9D-43B6-8708-F0F22D22B1CB}: [You must be registered and logged in to see this link.] -- Wwlaunch Control
{8AD9C840-044E-11D1-B3E9-00805F499D93}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07
{C36661D7-3590-45B1-80B5-520839E94DAD}: [You must be registered and logged in to see this link.] -- MaxisSimCity4PatcherX Control
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_07
{D27CDB6E-AE6D-11CF-96B8-444553540000}: [You must be registered and logged in to see this link.] -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{C92911BE-DFDB-4488-A50D-21EA7808BFB1} (Servers: | Description: 1394 Net Adapter)
{CF186698-5494-49EC-8359-C49DBBA6B727} (Servers: | Description: Realtek RTL8139/810x Family Fast Ethernet NIC)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=avgrsstx.dll
>[2008/07/02 08:36:43 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\avgrsstx.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/04/14 20:58:42 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.BAT []
[2001/07/27 14:07:38 | 00,000,000 | -HS- | M] () -- H:\AUTOEXEC.BAT -- [ FAT32 ]

Autorun.inf [[AUTORUN] | ShellExecute=Info.exe protect.ed 480 480 | ]
[2004/04/30 06:01:14 | 00,000,053 | -HS- | M] () -- H:\Autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67f50d1c-0a55-11dd-88c2-806d6172696f}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67f50d1c-0a55-11dd-88c2-806d6172696f}\Shell\AutoRun]
""=Auto&Play


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 9:39 pm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67f50d1c-0a55-11dd-88c2-806d6172696f}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2008/04/13 18:12:05 | 08,461,312 | ---- | M] (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2008/11/30 15:34:45 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\john\Desktop\OTViewIt.exe
[2008/11/30 15:12:36 | 00,000,268 | -H-- | C] () -- C:\sqmdata03.sqm
[2008/11/30 15:12:35 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt03.sqm
[2008/11/30 15:09:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\john\My Documents\ComboFix
[2008/11/30 14:32:28 | 00,000,268 | -H-- | C] () -- C:\sqmdata02.sqm
[2008/11/30 14:32:28 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt02.sqm
[2008/11/30 13:10:57 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\john\Desktop\HijackThis.lnk
[2008/11/30 13:10:56 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/30 13:04:21 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/11/30 13:04:18 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/30 13:04:17 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/11/30 13:04:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/30 13:01:49 | 02,372,472 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\john\My Documents\mbam-setup.exe
[2008/11/30 12:24:35 | 00,000,268 | -H-- | C] () -- C:\sqmdata01.sqm
[2008/11/30 12:24:35 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt01.sqm
[2008/11/30 12:15:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\john\Local Settings\Application Data\Linksys_LLC_-_A_Division_
[2008/11/30 10:31:05 | 01,202,649 | ---- | C] () -- C:\Documents and Settings\john\My Documents\nike.pptx
[2008/11/29 11:40:40 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2008/11/29 11:40:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2008/11/29 11:40:14 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2008/11/29 11:37:35 | 00,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2008/11/29 11:37:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\john\Local Settings\Application Data\Microsoft Help
[2008/11/29 11:36:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2008/11/29 11:36:01 | 00,000,000 | RH-D | C] -- C:\MSOCache
[2008/11/28 09:28:24 | 00,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2008/11/22 12:22:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\john\My Documents\no$gba-w_2.5c
[2008/11/18 19:27:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2008/11/17 15:48:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/11/17 15:47:28 | 00,000,000 | ---D | C] -- C:\Program Files\InterActual
[2008/11/15 14:38:33 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2008/11/15 14:36:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2008/11/15 14:35:06 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2008/11/15 14:34:18 | 00,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2008/11/15 14:32:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Linksys
[2008/11/15 14:30:00 | 00,023,992 | ---- | C] (Pure Networks, Inc.) -- C:\WINDOWS\System32\drivers\pnarp.sys
[2008/11/15 14:29:50 | 00,025,272 | ---- | C] (Pure Networks, Inc.) -- C:\WINDOWS\System32\drivers\purendis.sys
[2008/11/15 14:29:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Pure Networks Shared
[2008/11/15 14:29:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2008/11/15 14:27:43 | 00,000,000 | ---D | C] -- C:\Program Files\Linksys
[2008/11/12 20:33:33 | 00,014,336 | ---- | C] () -- C:\Documents and Settings\john\My Documents\Crucible_Lie_Essay.wps
[2008/11/12 08:22:14 | 00,000,268 | -H-- | C] () -- C:\sqmdata00.sqm
[2008/11/12 08:22:14 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt00.sqm
[2008/11/12 02:25:17 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008/11/12 02:24:36 | 01,106,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll
[2008/11/06 03:00:47 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2008/11/05 21:43:21 | 00,579,528 | ---- | C] () -- C:\Documents and Settings\john\My Documents\Something to Read and Think About_ - Animal Kingdom - Comcast_net Community Forums.mht
[2008/11/05 04:31:13 | 00,268,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2008/11/05 04:31:13 | 00,208,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\muweb.dll
[2008/11/05 04:31:13 | 00,027,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2008/11/04 19:02:16 | 00,000,561 | ---- | C] () -- C:\Documents and Settings\john\My Documents\My Sharing Folders.lnk
[2008/11/04 19:01:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\john\My Documents\My Received Files
[2008/11/04 18:59:01 | 00,000,000 | -HSD | C] -- C:\Program Files\Common Files\WindowsLiveInstaller
[2008/11/04 18:58:39 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2008/11/04 18:58:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WLInstaller

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2008/11/30 15:34:32 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\john\Desktop\OTViewIt.exe
[2008/11/30 15:12:36 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/11/30 15:12:35 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008/11/30 14:50:44 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/30 14:50:03 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/11/30 14:49:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/30 14:49:30 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/30 14:32:28 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2008/11/30 14:32:28 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008/11/30 13:10:57 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\john\Desktop\HijackThis.lnk
[2008/11/30 13:01:53 | 02,372,472 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\john\My Documents\mbam-setup.exe
[2008/11/30 12:24:35 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2008/11/30 12:24:35 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008/11/30 12:09:40 | 01,483,512 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/30 12:08:07 | 05,860,576 | -H-- | M] () -- C:\Documents and Settings\john\Local Settings\Application Data\IconCache.db
[2008/11/30 12:03:43 | 00,507,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\winlogon.exe
[2008/11/30 12:03:43 | 00,295,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\termsrv.dll
[2008/11/30 12:03:17 | 00,045,184 | ---- | M] () -- C:\Documents and Settings\john\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/30 10:30:12 | 01,202,649 | ---- | M] () -- C:\Documents and Settings\john\My Documents\nike.pptx
[2008/11/29 15:05:34 | 30,449,696 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2008/11/28 09:28:24 | 00,000,234 | ---- | M] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2008/11/28 08:43:29 | 00,065,537 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2008/11/18 20:25:38 | 00,000,676 | ---- | M] () -- C:\Documents and Settings\john\Application Data\wklnhst.dat
[2008/11/17 18:43:04 | 00,061,952 | ---- | M] () -- C:\Documents and Settings\john\My Documents\Tobacco Ad Thing.wps
[2008/11/17 15:48:58 | 00,000,000 | ---- | M] () -- C:\WINDOWS\iPlayer.INI
[2008/11/15 14:39:22 | 00,520,428 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/15 14:39:22 | 00,441,954 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/15 14:39:22 | 00,071,512 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/12 20:33:33 | 00,014,336 | ---- | M] () -- C:\Documents and Settings\john\My Documents\Crucible_Lie_Essay.wps
[2008/11/12 08:22:14 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2008/11/12 08:22:14 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008/11/12 03:03:00 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008/11/07 08:30:22 | 00,334,743 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2008/11/05 21:43:25 | 00,579,528 | ---- | M] () -- C:\Documents and Settings\john\My Documents\Something to Read and Think About_ - Animal Kingdom - Comcast_net Community Forums.mht
[2008/11/04 19:02:18 | 00,000,561 | ---- | M] () -- C:\Documents and Settings\john\My Documents\My Sharing Folders.lnk
[2008/11/03 18:10:25 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
< End of report >


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 9:41 pm

EXTRAS.TXT
OTViewIt Extras logfile created on: 11/30/2008 3:39:35 PM - Run 3
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\john\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.30 Mb Total Physical Memory | 44.22 Mb Available Physical Memory | 8.79% Memory free
1.20 Gb Paging File | 0.48 Gb Available in Paging File | 39.93% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.70 Gb Total Space | 150.23 Gb Free Space | 84.07% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 7.59 Gb Total Space | 1.91 Gb Free Space | 25.22% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: MAIN
Current User Name: john
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 18:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 18:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
[2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/03/30 09:36:34 | 20,638,504 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2006/11/03 01:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2008/03/25 14:21:28 | 00,050,528 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM
File not found -- C:\Program Files\Bonjour\Morpheus\Morpheus.exe:*:Enabled:Morpheus
[2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
File not found -- C:\Documents and Settings\john\My Documents\drivers\audio\cs2d_0104\CounterStrike2D.exe:*:Enabled:CounterStrike2D
[2008/04/13 18:12:18 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test
[2008/04/13 18:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App
[2008/05/13 19:28:16 | 03,007,824 | ---- | M] (Xfire Inc.) -- C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire
[2008/08/30 07:56:07 | 00,641,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2008/08/30 07:56:30 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
File not found -- C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC
[2006/12/29 01:07:44 | 00,038,912 | ---- | M] (Tsinghua Unversity) -- C:\Program Files\Diablo II\D2Loader-1.11b.exe:*:Enabled:Diablo II
File not found -- C:\Documents and Settings\john\My Documents\drivers\hacks_redvex_redvex_v3_core_june_12_2007\Red.exe:*:Enabled:Red
File not found -- C:\Documents and Settings\john\My Documents\drivers\hacks_redvex_RedVex_v2.6_Beta3\RedVex.exe:*:Enabled:RedVex
[2008/08/07 19:53:29 | 00,106,496 | ---- | M] () -- C:\Program Files\Steam\steamapps\xmx_topple\counter-strike source\hl2.exe:*:Enabled:hl2
File not found -- C:\Program Files\Counter-Strike\hl.exe:*:Enabled:Half-Life Launcher
[2008/10/29 19:24:18 | 03,104,080 | ---- | M] (Xfire Inc.) -- C:\Program Files\xerox\xfire.exe:*:Enabled:Xfire
[2008/08/07 19:46:11 | 00,098,304 | ---- | M] () -- C:\Program Files\Steam\steamapps\xmx_topple\day of defeat source\hl2.exe:*:Enabled:hl2
[2008/08/13 12:49:06 | 00,098,304 | ---- | M] () -- C:\Program Files\Steam\steamapps\bearce_92\day of defeat source\hl2.exe:*:Enabled:hl2
[2008/08/20 14:47:43 | 00,106,496 | ---- | M] () -- C:\Program Files\Steam\steamapps\bearce_92\counter-strike source\hl2.exe:*:Enabled:hl2
[2008/08/10 11:12:09 | 00,081,920 | ---- | M] (Valve) -- C:\Program Files\Steam\steamapps\bearce_92\day of defeat\hl.exe:*:Enabled:Half-Life Launcher
[2008/08/22 23:56:15 | 00,635,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
[2008/08/11 17:58:11 | 00,267,056 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe:*:Disabled:µTorrent
File not found -- C:\WINDOWS\system32\drivers\svchost.exe:*:Enabled:svchost
[2008/04/09 00:15:12 | 00,648,504 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Platform Service

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 23:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/07/02 08:36:48 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 23:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 23:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006/10/26 13:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2001/06/20 10:26:46 | 00,221,184 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2008/04/25 12:56:38 | 00,140,600 | ---- | M] (Pure Networks, Inc.) C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll (pure-go:{4746C79A-2042-4332-8650-48966E44ABA8} (HKLM) [CPureGoProtoInfo Object])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/10/26 21:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}"=Adobe Photoshop CS3
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}"=PhotoGallery
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}"=Steam
"{04AF207D-9A77-465A-8B76-991F6AB66245}"=Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}"=Adobe Bridge Start Meeting
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}"=Destinations
"{15095BF3-A3D7-4DDF-B193-3A496881E003}"=Microsoft .NET Framework 3.0
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}"=QuickTime
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}"=Adobe WinSoft Linguistics Plugin
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}"=Sonic_PrimoSDK
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}"=CP_Panorama1Config
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}"=Adobe Extendscript Toolkit 2
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}"=Adobe Stock Photos CS3
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}"=Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}"=TrayApp
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java(TM) 6 Update 7
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}"=InstantShareDevices
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}"=CP_CalendarTemplates1
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}"=HP Product Assistant
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}"=Microsoft Works
"{44734179-8A79-4DEE-BB08-73037F065543}"=Apple Mobile Device Support
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}"=Bonjour
"{491DD792-AD81-429C-9EB4-86DD3D22E333}"=Windows Communication Foundation
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}"=Windows Live Messenger
"{51846830-E7B2-4218-8968-B77F0FF475B8}"=Adobe Color EU Extra Settings
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}"=FullDPAppQFolder
"{54793AA1-5001-42F4-ABB6-C364617C6078}"=Adobe Linguistics CS3


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 9:41 pm

"{56EE8B17-8274-418d-89AC-C057C5DB251E}"=RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}"=WebReg
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}"=iTunes
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}"=CP_Package_Basic1
"{5F26311C-B135-4F7F-B11E-8E650F83651E}"=DeviceFunctionQFolder
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}"=Adobe Setup
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}"=SkinsHP1
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}"=eSupportQFolder
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}"=Adobe Fonts All
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}"=Power Tab Editor 1.7
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}"=Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}"=Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{76C24F39-B161-498F-BD8B-C64789812D13}_is1"=ConvertXtoDVD 3.0.0.9
"{79546A5F-AE7C-4693-8670-A3401B43ABD2}"=HP Deskjet 5900 series
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}"=Windows Workflow Foundation
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}"=CP_AtenaShokunin1Config
"{7FE3214C-283E-40C6-A8D5-CB773110090C}"=Linksys EasyLink Advisor
"{802771A9-A856-4A41-ACF7-1450E523C923}"=Adobe XMP Panels CS3
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}"=Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}"=Adobe Type Support
"{90120000-0010-0409-0000-0000000FF1CE}"=Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}"=Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}"=Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}"=Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}"=Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}"=Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}"=Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}"=Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}"=Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}"=Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}"=Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}"=Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}"=Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}"=Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}"=Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}"=Adobe Anchor Service CS3
"{95655ED4-7CA5-46DF-907F-7144877A32E5}"=Adobe Color NA Recommended Settings
"{9C1EED58-1790-45C4-ADBC-5D45FCA7292E}"=Pure Networks Platform
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}"=Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}"=Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}"=Adobe Color - Photoshop Specific
"{A5222E5A-13CB-4C98-9F5C-21CF6896A25C}"=HPDeskjet5900Series
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}"=CueTour
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}"=Windows Live installer
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}"=DeviceManagementQFolder
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}"=PDF Settings
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}"=Windows Live Sign-in Assistant
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}"=Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}"=Adobe Setup
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}"=Apple Software Update
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}"=BufferChm
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}"=Adobe Default Language CS3
"{BAF78226-3200-4DB4-BE33-4D922A799840}"=Windows Presentation Foundation
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}"=Adobe Version Cue CS3 Client
"{D1BB4446-AE9C-4256-9A7F-4D46604D2462}"=Adobe Setup
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}"=Adobe PDF Library Files
"{D2BD3C8F-9D7F-472B-BDF9-7309A5CB813A}"=Motorola Driver Installation 3.5.0
"{DB0A8A2A-4EA7-4FE3-802E-8A6DEE32696C}_is1"=Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}"=Adobe Color JA Extra Settings
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}"=HPProductAssistant
"{E69AE897-9E0B-485C-8552-7841F48D42D8}"=Adobe Update Manager CS3
"{EA103B64-C0E4-4C0E-A506-751590E1653D}"=SolutionCenter
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}"=Realtek High Definition Audio Driver
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}"=Status
"{FE57DE70-95DE-4B64-9266-84DA811053DB}"=HP Update
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Adobe Shockwave Player"=Adobe Shockwave Player 11
"Adobe_2ac78060bc5856b0c1cf873bb919b58"=Adobe Photoshop CS3
"Adobe_3e054d2218e7aa282c2369d939e58ff"=Adobe Extendscript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e"=Adobe Color Common Settings
"Agere Systems Soft Modem"=Agere Systems PCI Soft Modem
"AIM_6"=AIM 6
"AVG8Uninstall"=AVG Free 8.0
"ComcastToolbar"=Comcast Toolbar
"ENTERPRISE"=Microsoft Office Enterprise 2007
"HDMI"=Intel(R) Graphics Media Accelerator Driver
"HijackThis"=HijackThis 2.0.2
"HP Imaging Device Functions"=HP Imaging Device Functions 5.0
"HP Photo & Imaging"=HP Image Zone 5.0
"HP Solution Center & Imaging Support Tools"=HP Solution Center & Imaging Support Tools 5.0
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{7FE3214C-283E-40C6-A8D5-CB773110090C}"=Linksys EasyLink Advisor
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.0"=Microsoft .NET Framework 3.0
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"MS-MPEG4"=Microsoft MPEG-4 VKI Video Codec V1/V2/V3
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"ST6UNST #1"=Hero Editor V0.96
"Steam App 17500"=Zombie Panic! Source
"ViewpointMediaPlayer"=Viewpoint Media Player
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"Xfire"=Xfire (remove only)
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent"=µTorrent

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent"=µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/4/2008 2:35:56 PM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application FretsOnFire.exe, version 0.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/4/2008 6:39:23 PM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application FretsOnFire.exe, version 0.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/4/2008 6:39:35 PM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application FretsOnFire.exe, version 0.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/7/2008 6:03:39 PM | Computer Name = MAIN | Source = Application Error | ID = 1000
Description = Faulting application itunes.exe, version 7.6.2.9, faulting module
quicktime.qts, version 7.4.5.67, fault address 0x001515d3.

Error - 6/14/2008 9:04:44 PM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application ST6UNST.EXE, version 6.0.97.82, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/14/2008 9:04:45 PM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application ST6UNST.EXE, version 6.0.97.82, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/14/2008 9:05:38 PM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application Setup1.exe, version 6.0.0.9782, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/14/2008 9:05:57 PM | Computer Name = MAIN | Source = Application Hang | ID = 1002
Description = Hanging application Hero Editor.exe, version 0.0.0.96, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/29/2008 6:13:14 PM | Computer Name = MAIN | Source = Application Error | ID = 1000
Description = Faulting application dualis.exe, version 0.0.0.0, faulting module
arm9.dll, version 0.0.0.0, fault address 0x0000a8da.

Error - 7/13/2008 11:36:46 AM | Computer Name = MAIN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16674, faulting
module avgssie.dll, version 8.0.0.136, fault address 0x0000b299.

[ System Events ]
Error - 11/30/2008 3:16:07 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7034
Description = The WebClient service terminated unexpectedly. It has done this 1
time(s).

Error - 11/30/2008 3:19:33 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service
service to connect.

Error - 11/30/2008 3:19:33 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7000
Description = The Viewpoint Manager Service service failed to start due to the following
error: %%1053

Error - 11/30/2008 3:25:04 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service
service to connect.

Error - 11/30/2008 3:25:04 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7000
Description = The Viewpoint Manager Service service failed to start due to the following
error: %%1053

Error - 11/30/2008 4:01:23 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7034
Description = The Pml Driver HPZ12 service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/30/2008 4:20:51 PM | Computer Name = MAIN | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 11/30/2008 4:50:33 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service
service to connect.

Error - 11/30/2008 4:50:33 PM | Computer Name = MAIN | Source = Service Control Manager | ID = 7000
Description = The Viewpoint Manager Service service failed to start due to the following
error: %%1053

Error - 11/30/2008 5:15:57 PM | Computer Name = MAIN | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.


< End of report >


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 9:46 pm

Hello.
We need to get combofix running, and I think this will allow CF to run.
First, let's remove the malware's run value.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPseti"=-
    "nah_Shell"=-
    [HKEY_USERS\S-1-5-21-776561741-839522115-247751363-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPseti"=-
    "nah_Shell"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

====

What external drive do you have plugged into H:\? Because that has a malicious file we need to remove.
Plug it in now, so we can delete it.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
H:\Autorun.inf
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe
C:\Documents and Settings\john\nah_bbfo.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 10:04 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSletu.sys
Start Type: 1 (System)

Rootkit scan completed.

File "C:\sqmdata03.sqm" deleted successfully.
File "C:\sqmnoopt03.sqm" deleted successfully.
File "C:\sqmdata02.sqm" deleted successfully.
File "C:\sqmnoopt02.sqm" deleted successfully.
File "C:\sqmdata01.sqm" deleted successfully.
File "C:\sqmnoopt01.sqm" deleted successfully.
File "C:\sqmdata00.sqm" deleted successfully.
File "C:\sqmnoopt00.sqm" deleted successfully.
File "C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe" deleted successfully.
File "C:\Documents and Settings\john\nah_bbfo.exe" deleted successfully.
File "H:\Autorun.inf" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 10:04 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:41 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 207.38.124.200 login.warrock.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MeinVB6] C:\Documents and Settings\john\My Documents\drivers\tool.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8935 bytes


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 10:33 pm

Hello.
Still more to do.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe"


  • Press "Fix Checked"
  • Close HijackThis.



2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
TDSSserv.sys

Drivers to delete:
TDSSserv.sys

Files to delete:
C:\windows\system32\drivers\TDSSletu.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.

Please try combofix now; it should work.



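Belahzur's two posts pick out the Run value that launches from the user's Application Data folder and then ask for a fresh HJT log to confirm the fix. As an added example (not code from the thread or from HijackThis), the Python below applies those two checks to excerpts of the two HJT logs posted in this thread: it flags O4 Run entries that launch from a user profile rather than Program Files or WINDOWS, and lists the Run entries that disappeared between the two scans. The trusted-root and profile-directory lists are assumptions for this XP machine, and bare-filename entries such as SOUNDMAN.EXE are left unjudged because the log does not give their location.

```python
"""Triage helpers for HijackThis (HJT) logs: flag O4 Run entries launching from
a user profile, and diff two logs to see which autostarts went away after a fix."""
import re
from typing import Dict, Tuple

# An HJT autostart line, e.g.
#   O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe"
# "O4 - Global Startup:" lines have a different shape and are deliberately not matched here.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')

# Assumption: on this Windows XP machine, installed software launches from these roots.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Assumption: per-user writable locations that a user-level infection tends to use on XP.
PROFILE_HINTS = ("\\documents and settings\\", "\\application data\\",
                 "\\my documents\\", "\\local settings\\")


def executable_path(cmd: str) -> str:
    """Strip quotes and trailing arguments from a Run command, keeping the program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: arguments, if any, start at the first whitespace-separated switch.
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def classify(path: str) -> str:
    """Reason an entry deserves a closer look, or '' when its location is unremarkable."""
    p = path.lower()
    if "\\" not in p:
        return ""  # bare name (e.g. SOUNDMAN.EXE): found via the search path, location not in the log
    if any(hint in p for hint in PROFILE_HINTS):
        return "launches from a user profile directory"
    if not p.startswith(TRUSTED_ROOTS):
        return "launches from outside Program Files / WINDOWS"
    return ""


def parse_run_entries(log: str) -> Dict[Tuple[str, str], str]:
    """Map (hive, value name) -> program path for each O4 Run line in an HJT log."""
    entries: Dict[Tuple[str, str], str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["name"])] = executable_path(m["cmd"])
    return entries


def flag_entries(log: str) -> Dict[str, str]:
    """Value name -> reason, for Run entries to check against the installed-software list."""
    flagged: Dict[str, str] = {}
    for (_, name), path in parse_run_entries(log).items():
        reason = classify(path)
        if reason:
            flagged[name] = reason
    return flagged


def removed_entries(before: str, after: str) -> Dict[str, str]:
    """Run entries present in the earlier log but absent from the later one (name -> path)."""
    later = parse_run_entries(after)
    return {name: path for (hive, name), path in parse_run_entries(before).items()
            if (hive, name) not in later}


# Excerpts of the two HJT logs posted in this thread (4:04 PM before the fix, 4:54 PM after).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MeinVB6] C:\Documents and Settings\john\My Documents\drivers\tool.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\john\Application Data\Google\runhh6110411.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

if __name__ == "__main__":
    for name, reason in flag_entries(BEFORE_LOG).items():
        print(f"CHECK  [{name}]  {reason}")
    for name, path in removed_entries(BEFORE_LOG, AFTER_LOG).items():
        print(f"GONE   [{name}]  {path}")
```

The diff reports every Run entry that vanished (here the Alcmtr entry as well as HPseti and MeinVB6), so it only tells you what changed; the flag reason is what says why an entry was worth checking in the first place.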

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 10:54 pm

I think that did it. ComboFix worked.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSletu.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\windows\system32\drivers\TDSSletu.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Last edited by Topple on Sun Nov 30, 2008 10:55 pm; edited 1 time in total


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 10:55 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:58 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\CF32026.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 207.38.124.200 login.warrock.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8704 bytes

Topple
Novice
Posts : 15
Joined : 2008-11-30
OS : Windows XP
Points : 29280
# Likes : 0

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 10:56 pm

Please give combofix a try now. The HJT log looks clean and the rootkit is gone.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 10:59 pm

ComboFix did its thing.

Here's the log file if you need it. I think it's taken care of though.

Thank you so much for helping me. I really DID NOT want to resort to Geek Squad or some other company. You saved me probably days of agony and about 200 dollars.





ComboFix 08-08-03.05 - john 2008-11-30 16:47:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.115 [GMT -6:00]
Running from: C:\Documents and Settings\john\My Documents\ComboFix\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 16:35 . 2008-11-30 16:35 268 --ah----- C:\sqmdata00.sqm
2008-11-30 16:35 . 2008-11-30 16:35 244 --ah----- C:\sqmnoopt00.sqm
2008-11-30 13:10 . 2008-11-30 13:10 d-------- C:\Program Files\Trend Micro
2008-11-30 13:04 . 2008-11-30 15:19 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-30 13:04 . 2008-11-30 13:04 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-30 13:04 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-11-30 13:04 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-11-30 12:03 . 2008-11-30 12:03 35,840 --a------ C:\WINDOWS\system32\TDSSelfi.dll
2008-11-30 12:03 . 2008-11-30 12:03 31,232 --a------ C:\WINDOWS\system32\TDSStqek.dll
2008-11-30 12:03 . 2008-11-30 12:03 29,696 --a------ C:\WINDOWS\system32\TDSSdreq.dll
2008-11-30 12:03 . 2008-11-30 16:00 2,274 --a------ C:\WINDOWS\system32\TDSShbpi.dll
2008-11-30 12:03 . 2008-11-30 12:03 527 --a------ C:\WINDOWS\system32\TDSSwiwd.dat
2008-11-29 11:40 . 2008-11-29 11:40 d-------- C:\Program Files\Microsoft.NET
2008-11-29 11:37 . 2008-11-29 11:38 d-------- C:\WINDOWS\SHELLNEW
2008-11-29 11:36 . 2008-11-29 11:36 dr-h----- C:\MSOCache
2008-11-29 11:36 . 2008-11-30 03:24 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-28 09:32 . 2008-11-28 09:32 d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-11-28 09:28 . 2008-11-28 09:28 234 --a------ C:\WINDOWS\PrnHlpLogConfig.ini
2008-11-28 09:28 . 2008-11-28 09:28 214 --a------ C:\WINDOWS\HP_InstantSHareJPG.ini
2008-11-28 09:27 . 2008-11-28 09:27 217 --a------ C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
2008-11-28 09:26 . 2008-11-28 09:26 221 --a------ C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
2008-11-18 19:27 . 2008-11-18 19:27 d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-11-17 15:48 . 2008-11-17 15:48 0 --a------ C:\WINDOWS\iPlayer.INI
2008-11-17 15:47 . 2008-11-17 15:49 d-------- C:\Program Files\InterActual
2008-11-15 14:38 . 2008-11-15 14:38 d-------- C:\Program Files\MSBuild
2008-11-15 14:36 . 2008-11-15 14:36 d-------- C:\WINDOWS\system32\XPSViewer
2008-11-15 14:35 . 2008-11-15 14:35 d-------- C:\Program Files\Reference Assemblies
2008-11-15 14:34 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-11-15 14:32 . 2008-11-30 12:10 d-------- C:\Documents and Settings\All Users\Application Data\Linksys
2008-11-15 14:30 . 2008-04-09 00:14 23,992 --a------ C:\WINDOWS\system32\drivers\pnarp.sys
2008-11-15 14:29 . 2008-11-15 14:29 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-11-15 14:29 . 2008-11-15 14:29 d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-11-15 14:29 . 2008-04-09 00:14 25,272 --a------ C:\WINDOWS\system32\drivers\purendis.sys
2008-11-15 14:27 . 2008-11-15 14:28 d-------- C:\Program Files\Linksys
2008-11-12 02:25 . 2008-10-24 05:21 455,296 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-11-12 02:24 . 2008-09-04 11:15 1,106,944 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-11-06 03:00 . 2008-11-06 03:00 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-11-05 04:31 . 2008-10-16 14:06 268,648 --a------ C:\WINDOWS\system32\mucltui.dll
2008-11-05 04:31 . 2008-10-16 14:06 208,744 --a------ C:\WINDOWS\system32\muweb.dll
2008-11-05 04:31 . 2008-10-16 14:06 27,496 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-11-04 19:01 . 2008-11-04 19:01 d-------- C:\Documents and Settings\john\Contacts
2008-11-04 18:59 . 2008-11-04 19:00 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-11-04 18:58 . 2008-11-04 19:00 d-------- C:\Program Files\Windows Live
2008-11-04 18:58 . 2008-11-04 18:58 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-10-29 19:24 . 2008-10-29 19:24 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-10-24 04:51 . 2008-10-15 10:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-22 17:44 . 2008-10-22 17:44 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-17 15:16 . 2008-10-17 15:16 d-------- C:\Documents and Settings\All Users\Application Data\FunGames
2008-10-15 06:40 . 2008-08-14 04:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 06:40 . 2008-08-14 04:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:40 . 2008-08-14 03:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:40 . 2008-08-14 03:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 06:40 . 2008-09-15 06:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 06:40 . 2008-09-08 04:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-13 16:45 . 2008-11-30 10:55 31 --a------ C:\Documents and Settings\john\jagex_runescape_preferences.dat
2008-10-06 18:43 . 2008-10-06 18:45 d-------- C:\Documents and Settings\john\Application Data\W Photo Studio Viewer
2008-10-01 16:15 . 2008-10-01 16:15 d-------- C:\Documents and Settings\john\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-11-29 17:37 --------- d-----w C:\Documents and Settings\john\Application Data\uTorrent
2008-11-28 15:33 --------- d-----w C:\Program Files\HP
2008-11-20 05:27 --------- d-----w C:\Documents and Settings\john\Application Data\Xfire
2008-11-19 02:25 676 ----a-w C:\Documents and Settings\john\Application Data\wklnhst.dat
2008-11-15 20:32 --------- d-----w C:\Program Files\Java
2008-11-15 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-11-10 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-10-24 11:21 455,296 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-10-21 20:38 --------- d-----w C:\Program Files\Steam
2008-08-04 21:09 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-04-23 18:23 47,360 ----a-w C:\Documents and Settings\john\Application Data\pcouffin.sys
2008-08-10 15:08 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat
.

------- Sigcheck -------

2004-08-04 06:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-11-30 12:03 507904 3969440ba384d35317dbbdeeaae641ce C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 15:51 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 22:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 09:36 267048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 03:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-11-27 08:17 1261336]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 08:47 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 08:47 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 08:46 135168]
"LELA"="C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 05:38 131072]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 00:15 648504]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 08:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 14:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 17:57 90112 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 17:53 2805248 C:\WINDOWS\ALCWZRD.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Diablo II\\D2Loader-1.11b.exe"=
"C:\\Program Files\\Steam\\steamapps\\xmx_topple\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\xerox\\xfire.exe"=
"C:\\Program Files\\Steam\\steamapps\\xmx_topple\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\bearce_92\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\bearce_92\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\bearce_92\\day of defeat\\hl.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 07:56]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 07:56]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 07:56]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 08:36]
R2 LinksysUpdater;Linksys Updater;C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 03:30]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 15:38]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 16:41]
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-P2kAutostart - (no file)
HKLM-Run-MeinVB6 - C:\Documents and Settings\john\My Documents\drivers\tool.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\2aqanr75.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-30 16:49:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-30 16:52:28
ComboFix-quarantined-files.txt 2008-11-30 22:52:01

Pre-Run: 161,235,701,760 bytes free
Post-Run: 162,175,471,616 bytes free

183 --- E O F --- 2008-11-30 18:31:27


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 11:04 pm

Thank you.

Now open a new notepad file.
Input this into the notepad file:

@echo off
sc stop "Viewpoint Manager Service"
sc delete "Viewpoint Manager Service"
del Fixservices.bat
exit

Save this as Fixservices.bat to your desktop.
Double-click Fixservices.bat; the black cmd window will open and close, which is normal.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\WINDOWS\system32\TDSSelfi.dll
C:\WINDOWS\system32\TDSStqek.dll
C:\WINDOWS\system32\TDSSdreq.dll
C:\WINDOWS\system32\TDSShbpi.dll
C:\WINDOWS\system32\TDSSwiwd.dat

Folders to delete:
C:\Documents and Settings\john\Application Data\Viewpoint
C:\Program Files\Viewpoint

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.


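The delete list in the post above was read off the ComboFix log by eye. As an added example (not part of the thread, and not ComboFix or Avenger code), the helper below does the same triage mechanically: it parses the "Files Created" and "Sigcheck" sections and flags a burst of files written into system32 in the same minute under one shared name prefix (the TDSS* set), and a Sigcheck row whose live system32 copy has a different MD5 from the ServicePackFiles reference (winlogon.exe). The sample rows are copied from the log above; the thresholds (three files, four-character shared prefix) and the system32-only scope are assumptions, and a hash mismatch is a lead to verify against a known-good copy, not a verdict on its own.

```python
"""Triage helper for the ComboFix sections quoted in this thread (added example,
not part of the thread and not ComboFix or Avenger code).  Thresholds and the
system32-only scope are assumptions chosen for illustration."""
import os
import re
from collections import defaultdict

# Sample input: a subset of rows copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.
2008-11-30 13:10 . 2008-11-30 13:10 d-------- C:\Program Files\Trend Micro
2008-11-30 12:03 . 2008-11-30 12:03 35,840 --a------ C:\WINDOWS\system32\TDSSelfi.dll
2008-11-30 12:03 . 2008-11-30 12:03 31,232 --a------ C:\WINDOWS\system32\TDSStqek.dll
2008-11-30 12:03 . 2008-11-30 12:03 29,696 --a------ C:\WINDOWS\system32\TDSSdreq.dll
2008-11-30 12:03 . 2008-11-30 16:00 2,274 --a------ C:\WINDOWS\system32\TDSShbpi.dll
2008-11-30 12:03 . 2008-11-30 12:03 527 --a------ C:\WINDOWS\system32\TDSSwiwd.dat
2008-11-05 04:31 . 2008-10-16 14:06 268,648 --a------ C:\WINDOWS\system32\mucltui.dll
2008-11-05 04:31 . 2008-10-16 14:06 208,744 --a------ C:\WINDOWS\system32\muweb.dll
2008-11-05 04:31 . 2008-10-16 14:06 27,496 --a------ C:\WINDOWS\system32\mucltui.dll.mui
.
------- Sigcheck -------

2004-08-04 06:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-11-30 12:03 507904 3969440ba384d35317dbbdeeaae641ce C:\WINDOWS\system32\winlogon.exe
"""

# "created . modified [size] attrs path"; directory rows carry no size field.
FILE_ROW = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[-a-z]{9}) (?P<path>.+)$")
# "stamp size md5 path"
SIG_ROW = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$")


def split_sections(text):
    """Group lines under the ComboFix banner that precedes them, e.g.
    '(((( Files Created from ... ))))' -> 'Files Created', '--- Sigcheck ---' -> 'Sigcheck'."""
    out, current = defaultdict(list), None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("(((", "---", "- - -")):
            current = stripped.strip("()- ").split(" from ")[0]
        elif current and stripped and stripped != ".":
            out[current].append(stripped)
    return out


def dropped_clusters(rows, min_size=3, min_prefix=4):
    """Flag files created directly in system32 in the same minute whose names share
    a prefix of at least min_prefix characters (assumed thresholds)."""
    groups = defaultdict(list)
    for row in rows:
        m = FILE_ROW.match(row)
        if not m or m.group("attrs").startswith("d"):
            continue  # not a file row, or a directory
        folder, _, name = m.group("path").rpartition("\\")
        if folder.lower().endswith("\\system32"):
            groups[m.group("created")].append(name)
    hits = []
    for created, names in sorted(groups.items()):
        prefix = os.path.commonprefix([n.lower() for n in names])
        if len(names) >= min_size and len(prefix) >= min_prefix:
            hits.append({"created": created, "prefix": prefix, "files": sorted(names)})
    return hits


def sigcheck_mismatches(rows):
    """Pair each live system32 file with its ServicePackFiles reference copy and
    report the ones whose MD5 differs."""
    by_name = defaultdict(dict)
    for row in rows:
        m = SIG_ROW.match(row)
        if not m:
            continue
        folder, _, name = m.group("path").rpartition("\\")
        low = folder.lower()
        if "servicepackfiles" in low:
            role = "reference"
        elif low.endswith("\\system32"):
            role = "live"
        else:
            continue  # e.g. the $NtServicePackUninstall$ backup copy
        by_name[name.lower()][role] = (m.group("md5"), m.group("stamp"))
    return [{"file": name, "live_md5": r["live"][0], "live_stamp": r["live"][1],
             "reference_md5": r["reference"][0]}
            for name, r in sorted(by_name.items())
            if "live" in r and "reference" in r and r["live"][0] != r["reference"][0]]


def triage(log_text):
    """Run both checks over a ComboFix log and return the findings."""
    secs = split_sections(log_text)
    return {"clusters": dropped_clusters(secs["Files Created"]),
            "sigcheck": sigcheck_mismatches(secs["Sigcheck"])}


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for hit in findings["clusters"]:
        print(f"same-minute drop at {hit['created']} sharing prefix {hit['prefix']!r}: "
              + ", ".join(hit["files"]))
    for hit in findings["sigcheck"]:
        print(f"{hit['file']}: live copy {hit['live_md5']} ({hit['live_stamp']}) "
              f"differs from reference {hit['reference_md5']}")
```

On the sample rows the Microsoft Update trio (mucltui.dll, muweb.dll, mucltui.dll.mui) shares a creation minute too, but only a two-character prefix, so it is left alone.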

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 11:25 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\sqmdata00.sqm" deleted successfully.
File "C:\sqmnoopt00.sqm" deleted successfully.
File "C:\WINDOWS\system32\TDSSelfi.dll" deleted successfully.
File "C:\WINDOWS\system32\TDSStqek.dll" deleted successfully.
File "C:\WINDOWS\system32\TDSSdreq.dll" deleted successfully.
File "C:\WINDOWS\system32\TDSShbpi.dll" deleted successfully.
File "C:\WINDOWS\system32\TDSSwiwd.dat" deleted successfully.
Folder "C:\Documents and Settings\john\Application Data\Viewpoint" deleted successfully.
Folder "C:\Program Files\Viewpoint" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 11:26 pm

Hello.
Looks good now, what problems remain?



Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 11:28 pm

I don't think anything remains. Thanks again for your help.


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 11:31 pm

Glad to hear it.
Before I can let you go, we need to do some updates and get you secured.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs, and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.



Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Topple on Sun Nov 30, 2008 11:41 pm

JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Nov 30 17:40:38 2008

There was an error removing C:\Program Files\Java\jre1.6.0_07. The error returned was 32.

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.


Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Belahzur on Sun Nov 30, 2008 11:43 pm

Please delete this folder in bold:
C:\avenger

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.
====

Everything looks great --- your HijackThis log appears to be clean.
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

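The "turn System Restore off, then back on" step in Belahzur's reply exists to discard restore points taken while the machine was infected and to leave one known-clean point behind. The following is an added example, not part of the thread or of any tool it mentions, that does the same thing from a script. It assumes an elevated PowerShell 2.0 or later session, a system drive of C:, and that the System Restore cmdlets from Microsoft.PowerShell.Management (Disable-ComputerRestore, Enable-ComputerRestore, Checkpoint-Computer, Get-ComputerRestorePoint) are available on the host; the original post's GUI steps apply to Windows XP, where these cmdlets may not be present.

```powershell
# Added example (not from the thread): scripted equivalent of the post's
# "turn System Restore off, then back on" procedure.
# Assumptions: elevated PowerShell 2.0+ session, system drive C:, and the
# System Restore cmdlets from Microsoft.PowerShell.Management are available.

$drive = "C:\"

# System Restore settings are machine-wide, so refuse to run unelevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session."
}

# Record what exists before the flush so the change is auditable.
Write-Host "Restore points before flush:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# Turning System Restore off discards the existing restore points on the drive.
# That is the purpose of the step: a restore point taken during the infection
# could bring the malware back if someone rolls the system back to it.
Disable-ComputerRestore -Drive $drive

# Turn it back on and immediately take a known-clean checkpoint.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Clean baseline after malware removal" `
                    -RestorePointType "MODIFY_SETTINGS"

# Confirm that only the new baseline remains.
Write-Host "Restore points after flush:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

One caveat worth knowing before relying on the final checkpoint: on Windows 8 and later, Checkpoint-Computer will not create a new restore point if one was already created within the previous 24 hours, so check the "after" listing rather than assuming the call succeeded.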

Solved Re: Another Spyware.Ispynow (Hijackthis Log Included)

Post by Doctor Inferno on Sun Dec 07, 2008 12:21 pm

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 12015
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104600
# Likes : 0
