**HELP!!*** spyware.Ispynow Infected



Post by jbender on 1st December 2008, 12:17 am

I was doing some work on my computer today (uploading a zip file to one of our servers) and mid-transfer of the file my machine shut down completely. I rebooted, logged back in, and upon startup received a Visual Studio just-in-time debugging error. I then began receiving fake Windows Security Center messages reporting that spyware.ispynow has been found. When I try to access avg.com I get a message stating 'Failed to Connect'. If I do a search for HijackThis and select a link, I'm redirected to a Yahoo jobs site. I was able to run CCleaner, ran an AVG scan and removed all found threats. I'm also unable to download the most recent AVG updates. Below is my HiJackThis log file and the uninstall list:


Log File:

Logfile of HijackThis v1.99.1
Scan saved at 6:58:21 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NetSupport\NetSupport Manager\client32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Windows Media Player\wmplayer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [\\joelbender-pc\EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\DOCUME~1\jbender\LOCALS~1\Temp\E_SEC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\jbender\nah_xngv.exe
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\jbender\Application Data\Google\runhh6110411.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\netsupport dna\dna\client\components\alphlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4531AB38-01E8-4A1C-B3A7-7CDFBDB02CE0} (DNA Helpdesk Remote Control Ax) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ipcorporate.com
O17 - HKLM\Software\..\Telephony: DomainName = ipcorporate.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ipcorporate.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client32 - NetSupport Ltd - C:\Program Files\NetSupport\NetSupport Manager\client32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NetSupport DNA Client - NetSupport Ltd - C:\Program Files\NetSupport DNA\DNA\Client\DNAClient.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Any help would be much appreciated!


Re: **HELP!!*** spyware.Ispynow Infected

Post by Belahzur on 1st December 2008, 12:20 am

Hello.
You are running an old version of Hijack This.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Post by jbender on 1st December 2008, 12:30 am

It's giving me an error stating: "The application failed to start because the application configuration is incorrect. Reinstalling the application may fix the problem."


Re: **HELP!!*** spyware.Ispynow Infected

Post by Belahzur on 1st December 2008, 12:35 am

Hello.
You may have the tdssserv rootkit.
We'll use the old version of Hijack This then.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\jbender\nah_xngv.exe
    O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\jbender\Application Data\Google\runhh6110411.exe"


  • Press "Fix Checked"
  • Close Hijack This.

====

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\drivers\svchost.exe
C:\Documents and Settings\jbender\nah_xngv.exe
C:\Documents and Settings\jbender\Application Data\Google\runhh6110411.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.




Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 1:06 am

The below files weren't there to be checked for fix:

C:\Documents and Settings\jbender\nah_xngv.exe
C:\Documents and Settings\jbender\Application Data\Google\runhh6110411.exe



Avenger Log File:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpcuu.sys
Start Type: 1 (System)

Rootkit scan completed.

File "C:\WINDOWS\system32\drivers\svchost.exe" deleted successfully.
File "C:\Documents and Settings\jbender\nah_xngv.exe" deleted successfully.
File "C:\Documents and Settings\jbender\Application Data\Google\runhh6110411.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: **HELP!!*** spyware.Ispynow Infected

Post by Belahzur on 1st December 2008, 1:08 am

Hello.
The log shows the tdssserv rootkit, so let's kill it now.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
TDSSserv.sys

Drivers to delete:
TDSSserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\TDSSpcuu.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.




Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 1:21 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpcuu.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\TDSSpcuu.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: **HELP!!*** spyware.Ispynow Infected

Post by Belahzur on 1st December 2008, 1:25 am

Hello.
The rootkit is gone now.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 1:52 am

Your support is amazing, thanks so much for everything you've done so far.

When you are looking through the Hijack This logfile, what are you looking for? Any suggestion on places to start learning more about this?



scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll

- - - - - - - > 'csrss.exe'(1284)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NetSupport\NetSupport Manager\client32.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Citrix\GoToMeeting\198\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\198\g2mlauncher.exe
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2008-11-30 20:42:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 01:42:44

Pre-Run: 13,845,561,344 bytes free
Post-Run: 13,823,213,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

336 --- E O F --- 2008-11-21 08:00:41


Re: **HELP!!*** spyware.Ispynow Infected

Post by Belahzur on 1st December 2008, 1:55 am

Hello.
I'm a trained professional; I've been playing this game for more than 3 years.
There are many online websites that offer free training in malware removal.
I know what to look for; we know this as the "earmark" of an infection.

The combofix log - That's only the bottom part, can you paste it all please?

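As an added illustration of what "earmark" means in practice (this is example code written for this page, not code from the thread, from HijackThis or from ComboFix), the script below applies two of the tells that decided this thread to HijackThis O4 lines: a core Windows binary name such as svchost.exe starting from a folder other than System32, and an autorun image living inside a user profile. It also flags O23 services with no publisher whose image path HijackThis could not resolve. The sample lines are constructed from entries quoted earlier in the thread.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries quoted in
# this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\jbender\nah_xngv.exe
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\jbender\Application Data\Google\runhh6110411.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

SYSTEM32 = r"c:\windows\system32"
USER_PROFILE_ROOT = r"c:\documents and settings"
# Core Windows XP binaries that only legitimately run from System32; the same name
# starting from anywhere else (here: system32\drivers) is a classic impostor.
CORE_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Either a quoted image path or an unquoted one ending at the first ".exe".
IMAGE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.exe))', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def image_path(command: str) -> str:
    """Return the executable path from an O4 command line, dropping arguments."""
    m = IMAGE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group("quoted") or m.group("bare")


def check_autorun(line: str):
    """Flag an O4 Run entry that shows one of the two earmarks named in the lead-in."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = image_path(m.group("cmd")).lower()
    folder, base = ntpath.split(path)
    if base in CORE_SYSTEM_BINARIES and folder != SYSTEM32:
        return Finding(line, f"core Windows binary name {base} running from {folder}")
    if path.startswith(USER_PROFILE_ROOT):
        return Finding(line, "autorun image lives inside a user profile")
    return None


def check_service(line: str):
    """Flag an O23 service with no publisher whose image HijackThis could not resolve."""
    m = O23_RE.match(line)
    if not m:
        return None
    if m.group("owner") == "Unknown owner" and "(file missing)" in m.group("path"):
        return Finding(line, "service has no publisher and its image path did not resolve")
    return None


def triage(log_text: str) -> list:
    """Run both checks over every line of a HijackThis log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = check_autorun(line) or check_service(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Treat each finding as a lead to verify rather than a verdict: legitimate software also runs from Application Data, and "Unknown owner" only means the file carries no company name in its version information.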



Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 2:04 am

Well I appreciate it, any recommendations on websites?


ComboFix 08-11-30.01 - jbender 2008-11-30 20:31:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1887 [GMT -5:00]
Running from: c:\documents and settings\jbender\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\TDSSktkl.dll
c:\windows\system32\TDSSlmjf.dll
c:\windows\system32\TDSSocum.dll
c:\windows\system32\TDSSqrwn.log
c:\windows\system32\TDSSurxb.dll
c:\windows\system32\TDSSwgqt.dat
c:\windows\system32\TDSSxekj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_R_SERVER
-------\Legacy_TDSSSERV.SYS
-------\Service_r_server


((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-11-30 19:26 . 2008-11-30 19:25 812,344 --a------ C:\HJTInstall.exe
2008-11-30 17:43 . 2008-11-30 17:43 d--h----- C:\$AVG8.VAULT$
2008-11-30 16:17 . 2008-11-30 16:17 d-------- c:\windows\system32\drivers\Avg
2008-11-30 16:17 . 2008-11-30 16:17 d-------- c:\program files\AVG
2008-11-30 16:17 . 2008-11-30 16:17 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-30 16:17 . 2008-11-30 16:17 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-30 16:17 . 2008-11-30 16:17 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-30 16:17 . 2008-11-30 16:17 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-11-30 16:17 . 2008-11-30 16:17 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-28 19:36 . 2008-11-28 19:36 d--h----- c:\windows\PIF
2008-11-28 19:32 . 2008-11-28 19:32 d-------- c:\program files\WinDirStat
2008-11-28 19:14 . 2008-11-28 19:14 d-------- c:\documents and settings\jbender\Application Data\Binary Fortress Software
2008-11-28 18:55 . 2008-11-28 18:55 d-------- c:\program files\DisplayFusion
2008-11-28 18:52 . 2008-11-28 18:52 d-------- c:\documents and settings\LocalService\Application Data\Roxio
2008-11-28 18:26 . 2008-11-28 18:26 d-------- c:\documents and settings\jbender\Application Data\Apple Computer
2008-11-28 18:25 . 2008-11-28 18:25 d-------- c:\program files\iTunes
2008-11-28 18:25 . 2008-11-28 18:25 d-------- c:\program files\iPod
2008-11-28 18:25 . 2008-11-28 18:25 d-------- c:\program files\Bonjour
2008-11-28 18:25 . 2008-11-28 18:25 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 18:25 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-28 18:25 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-28 18:24 . 2008-11-28 18:25 d----c--- c:\windows\system32\DRVSTORE
2008-11-28 18:06 . 2008-11-28 18:06 d-------- c:\documents and settings\jbender\Application Data\Research In Motion
2008-11-28 18:06 . 2008-11-30 20:37 256 --a------ c:\windows\system32\pool.bin
2008-11-28 18:00 . 2008-11-28 18:00 d-------- c:\documents and settings\jbender\Application Data\InstallShield
2008-11-28 18:00 . 2008-11-28 18:00 d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-11-28 18:00 . 2008-11-28 18:00 d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-11-28 17:55 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-11-28 17:54 . 2008-11-28 17:54 d-------- c:\program files\Research In Motion
2008-11-28 17:54 . 2008-11-28 17:54 d-------- c:\program files\Common Files\Research In Motion
2008-11-26 00:20 . 2008-11-26 00:20 d-------- c:\program files\Microsoft Silverlight
2008-11-25 23:08 . 2008-11-25 23:08 d-------- c:\program files\Common Files\Merge Modules
2008-11-25 23:07 . 2008-11-25 23:08 d-------- c:\program files\Microsoft Visual FoxPro 9
2008-11-25 23:07 . 2008-11-25 23:07 d-------- c:\program files\Microsoft UDDI SDK
2008-11-25 23:02 . 2008-11-25 23:02 d-------- c:\program files\MSSOAP
2008-11-25 22:53 . 2008-11-25 22:55 d-------- C:\VFP9
2008-11-24 16:50 . 2008-11-24 16:50 d-------- c:\program files\CPR+
2008-11-21 11:48 . 2008-11-21 12:08 d-------- C:\Baks
2008-11-21 11:46 . 2008-11-21 11:47 13,312 --a------ C:\add delete inventory.xls
2008-11-21 09:20 . 2008-11-21 09:14 5,120 --a------ C:\browse inventory.xls
2008-11-21 09:15 . 2008-11-21 09:15 0 --a------ c:\windows\PasswordsPlus.INI
2008-11-21 09:13 . 2008-11-21 09:13 d-------- c:\program files\Passwords Plus
2008-11-20 20:52 . 2008-11-20 20:52 d-------- c:\program files\Microsoft IntelliType Pro
2008-11-20 20:52 . 2008-11-20 20:52 d-------- c:\program files\Microsoft IntelliPoint
2008-11-20 17:00 . 2008-11-20 17:02 d-------- C:\vfp_data
2008-11-20 16:57 . 2008-11-20 17:03 d-------- C:\Systems
2008-11-20 16:15 . 2008-05-08 20:10 717,891,072 --a------ C:\CPR.BAK
2008-11-20 16:08 . 2008-11-20 16:11 d-------- C:\Knowledge Base
2008-11-20 13:35 . 2008-08-15 14:47 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2008-11-20 13:35 . 2008-08-15 14:47 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2008-11-20 13:30 . 2008-11-20 13:30 d-------- c:\program files\Microsoft Synchronization Services
2008-11-20 13:30 . 2008-11-20 13:30 d-------- c:\program files\Microsoft SDKs
2008-11-20 13:29 . 2008-11-20 13:29 d-------- c:\windows\system32\RsFx
2008-11-20 13:29 . 2008-11-20 13:29 d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-11-20 13:28 . 2008-11-20 13:30 d-------- c:\program files\Microsoft Visual Studio 9.0
2008-11-20 11:57 . 2008-11-20 12:02 45,568 --a------ C:\userprivs.xls
2008-11-20 09:00 . 2008-11-20 09:00 d-------- C:\981a80cf0aef5539d8
2008-11-20 08:58 . 2008-11-20 08:58 d-------- c:\program files\MSXML 6.0
2008-11-19 14:26 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-19 14:26 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\dllcache\usbccgp.sys
2008-11-19 14:26 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-19 14:26 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2008-11-19 14:26 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-19 14:26 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\dllcache\kbdhid.sys
2008-11-18 13:10 . 2008-11-19 17:12 d-------- c:\program files\Microsoft Visual Studio 8
2008-11-18 12:53 . 2008-11-28 19:30 d-------- c:\documents and settings\jbender\Application Data\Roxio
2008-11-18 12:40 . 2008-11-18 12:40 d-------- c:\windows\DRIVERS
2008-11-18 12:40 . 2003-08-27 14:20 266,240 -ra------ c:\windows\SM1nint.exe
2008-11-18 12:40 . 2003-08-27 14:20 94,208 -ra------ c:\windows\SM1bg.exe
2008-11-18 12:40 . 2003-08-27 14:20 86,106 -ra------ c:\windows\system32\SM1un.exe
2008-11-18 12:40 . 2003-08-27 14:19 36,963 -ra------ c:\program files\Common Files\SM1updtr.dll
2008-11-18 12:40 . 2003-08-27 14:20 32,896 -ra------ c:\windows\system32\drivers\SM1fx_at.sys
2008-11-18 12:40 . 2003-08-27 14:20 12,382 -ra------ c:\windows\system32\SM1ui32.dll
2008-11-18 12:39 . 2008-11-18 15:06 d-------- c:\documents and settings\All Users\Application Data\Napster
2008-11-18 12:36 . 2008-11-18 12:36 d-------- c:\program files\Common Files\Sonic Shared
2008-11-18 12:35 . 2008-11-18 12:36 d-------- c:\program files\Sonic
2008-11-18 12:35 . 2008-11-28 17:59 d-------- c:\program files\Roxio

jbender
Novice
Novice

Posts Posts : 16
Joined Joined : 2008-11-30
OS OS : Windows XP Professional
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 2:05 am

2008-11-18 12:35 . 2008-11-18 12:35 d-------- c:\program files\Common Files\TiVo Shared
2008-11-18 12:35 . 2008-11-28 17:59 d-------- c:\program files\Common Files\Roxio Shared
2008-11-18 12:35 . 2008-11-28 19:30 d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-11-17 17:49 . 2008-11-17 17:49 d-------- c:\program files\CCleaner
2008-11-16 16:59 . 2008-11-16 16:59 d-------- c:\documents and settings\All Users\Application Data\EPSON
2008-11-16 13:20 . 2008-11-16 13:20 d-------- c:\program files\RocketDock
2008-11-15 09:39 . 2008-11-15 09:39 0 --a------ c:\windows\nsreg.dat
2008-11-13 19:27 . 2008-11-13 19:28 d-------- c:\program files\QuickTime
2008-11-13 19:27 . 2008-11-28 18:24 d-------- c:\program files\Common Files\Apple
2008-11-13 19:26 . 2008-11-13 19:26 d-------- c:\program files\Apple Software Update
2008-11-13 19:26 . 2008-11-13 19:26 d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-13 16:42 . 2008-11-13 16:42 1,791 --a------ c:\windows\system32\autoexec.nt
2008-11-12 17:06 . 2008-11-12 17:06 d-------- c:\documents and settings\jbender\Application Data\NetSupport DNA
2008-11-12 17:05 . 2008-11-20 13:29 d-------- c:\program files\Microsoft SQL Server
2008-11-12 16:52 . 2008-11-12 16:52 d-------- c:\program files\Crystal Decisions
2008-11-12 16:52 . 2008-11-12 16:52 d-------- c:\program files\Common Files\Crystal Decisions
2008-11-12 11:35 . 2008-11-12 11:37 d-------- C:\Roxio Easy Media Creator 7.5 ESD Install
2008-11-12 11:33 . 2008-11-12 11:33 d-------- c:\program files\TechSmith
2008-11-12 11:33 . 2008-11-12 11:33 d-------- c:\documents and settings\All Users\Application Data\TechSmith
2008-11-12 11:32 . 2008-11-12 11:32 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-12 11:19 . 2008-11-12 11:19 d-------- c:\program files\Microsoft Works
2008-11-12 11:16 . 2008-11-20 14:37 d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-11 14:46 . 2008-11-11 14:46 d-------- c:\program files\Dell_HostCD
2008-11-11 14:46 . 2005-04-01 16:11 335,872 --a------ c:\windows\system32\lexlog.dll
2008-11-11 14:46 . 2008-11-11 14:46 2,018 --a------ c:\windows\system32\LexFiles.ulf
2008-11-11 14:46 . 2008-11-11 16:03 1,057 --a------ c:\windows\system32\LexFiles.usr
2008-11-11 14:46 . 2008-11-11 14:46 507 --a------ c:\windows\DKAAY2DD.ini
2008-11-11 13:37 . 2008-11-11 13:37 d-------- c:\program files\CPR+ Image Viewer
2008-11-11 13:37 . 2008-11-11 13:37 737,280 --a------ c:\windows\iun6002.exe
2008-11-11 13:36 . 2008-11-25 23:18 d-------- C:\CPR_SQL
2008-11-11 09:53 . 2008-11-11 09:53 d-------- c:\program files\MMTaskbar
2008-11-11 09:18 . 2008-11-11 09:18 60,744 --a------ c:\documents and settings\jbender\g2mdlhlpx.exe
2008-11-11 09:14 . 2008-11-11 09:14 d-------- c:\program files\Radmin Viewer 3
2008-11-11 08:54 . 2008-11-28 21:10 d-------- C:\Apps
2008-11-10 18:00 . 2008-11-10 18:00 d-------- c:\program files\NetSupport
2008-11-10 18:00 . 2008-11-10 18:00 d-------- c:\documents and settings\All Users\Application Data\NetSupport
2008-11-10 18:00 . 2007-07-20 13:28 102,456 --a------ c:\windows\system32\pcimon.old
2008-11-10 18:00 . 2007-07-20 13:28 102,456 --a------ c:\windows\system32\pcimon.dll
2008-11-10 18:00 . 2007-07-20 13:28 84,576 --a------ c:\windows\system32\clhook4.old
2008-11-10 18:00 . 2007-07-20 13:28 84,576 --a------ c:\windows\system32\clhook4.dll
2008-11-10 18:00 . 2007-08-28 14:10 39,520 --a------ c:\windows\system32\drivers\pcisys.sys
2008-11-10 18:00 . 2007-08-28 14:10 39,520 --a------ c:\windows\system32\drivers\pcisys.old
2008-11-10 18:00 . 2007-07-20 13:21 36,912 --a------ c:\windows\system32\pcimsg.old
2008-11-10 18:00 . 2007-07-20 13:21 36,912 --a------ c:\windows\system32\pcimsg.dll
2008-11-10 18:00 . 2007-07-20 13:28 32,825 --a------ c:\windows\system32\pcigina.dll
2008-11-10 18:00 . 2007-07-20 13:28 20,536 --a------ c:\windows\system32\pcivdd.old
2008-11-10 18:00 . 2007-07-20 13:28 20,536 --a------ c:\windows\system32\pcivdd.dll
2008-11-10 18:00 . 2008-11-30 20:13 8 --a------ c:\windows\system32\pcisys.ntk

.


Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 2:05 am

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 22:56 --------- d-----w c:\program files\Radmin
2008-11-29 02:10 6,094,848 ----a-w c:\windows\system32\Skyrocket.scr
2008-11-29 02:10 532,480 ----a-w c:\windows\system32\Hyperspace.scr
2008-11-29 02:10 483,328 ----a-w c:\windows\system32\Helios.scr
2008-11-29 02:10 450,560 ----a-w c:\windows\system32\Euphoria.scr
2008-11-29 02:10 274,432 ----a-w c:\windows\system32\Cyclone.scr
2008-11-29 02:10 249,856 ----a-w c:\windows\system32\Flocks.scr
2008-11-29 02:10 245,760 ----a-w c:\windows\system32\Flux.scr
2008-11-29 02:10 237,568 ----a-w c:\windows\system32\SolarWinds.scr
2008-11-29 02:10 237,568 ----a-w c:\windows\system32\FieldLines.scr
2008-11-29 02:10 229,376 ----a-w c:\windows\system32\Plasma.scr
2008-11-29 02:10 1,908,736 ----a-w c:\windows\system32\Lattice.scr
2008-11-28 23:25 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 22:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-20 19:44 --------- d-----w c:\program files\Java
2008-11-20 18:28 --------- d-----w c:\program files\Microsoft.NET
2008-11-18 17:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 13:27 --------- d-----w c:\program files\Wave Systems Corp
2008-11-10 13:27 --------- d-----w c:\program files\Broadcom
2008-11-10 13:08 --------- d-----w c:\documents and settings\admin\Application Data\Wave Systems Corp
2008-10-30 21:02 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Wave Systems Corp
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll
.


Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 2:06 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\198\g2mstart.exe" [2008-11-12 31816]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"\\joelbender-pc\EPSON Stylus CX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2008-11-09 590512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 1695744]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-30 1235736]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-11-10 1528880]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-11-07 1512720]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-04-26 24576]
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2008-11-11 294912]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2005-12-22 5513216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:RAdmin

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-11-30 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-30 97928]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-30 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-30 76040]
R2 NetSupport DNA Client;NetSupport DNA Client;c:\program files\NetSupport DNA\DNA\Client\DNAClient.exe [2008-11-10 176231]
R3 BCMTPM;BCMTPM;c:\windows\system32\DRIVERS\btpmw32.sys [2007-04-26 17290]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\jbender\My Documents\VCdRom.sys []
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\DRIVERS\PTDCWWAN.sys [2008-11-10 58240]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [2008-08-15 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [2008-08-15 369688]
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-21 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-21 20:08]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\jbender\Application Data\Mozilla\Firefox\Profiles\f1qgsky1.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-30 20:36:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll

- - - - - - - > 'csrss.exe'(1284)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NetSupport\NetSupport Manager\client32.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Citrix\GoToMeeting\198\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\198\g2mlauncher.exe
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2008-11-30 20:42:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 01:42:44

Pre-Run: 13,845,561,344 bytes free
Post-Run: 13,823,213,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

336 --- E O F --- 2008-11-21 08:00:41


Re: **HELP!!*** spyware.Ispynow Infected

Post by Belahzur on 1st December 2008, 2:12 am

Hello.
Log looks good, apart from a leftover I will have CF delete.
Is this machine part of a networking system or something? This file C:\userprivs.xls made me think it was.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\documents and settings\jbender\g2mdlhlpx.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down
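
Belahzur reads the log by eye, and the one item he pulls out is an executable sitting in the profile root (c:\documents and settings\jbender\g2mdlhlpx.exe). As an added example, not part of this thread and not ComboFix's own code, the Python below does that first mechanical pass over the three record shapes that appear in the posted log: the "Files Created" lines (created . modified [size] attrs path), the Run-key values ("Name"="path" [date size]) and the GloballyOpenPorts entry. The sample lines are copied from the log above. Everything else is my own assumption: the short list of directories where a freshly created executable is expected on this XP box, the flag names, and the rule that a Run value with a bare image name (like "stsystra.exe") deserves a look because it is resolved by search order at logon rather than by a fixed path. A flag means "read this entry", not "malicious": on these samples it picks up g2mdlhlpx.exe, the Sonic SM1BG.EXE in c:\windows (both as a created file and as a Run value), the bare stsystra.exe value, and the 4899/TCP RAdmin firewall exception, which on a machine that is also running winvnc4.exe and NetSupport client32.exe is worth confirming is intended.

```python
"""Triage pass over ComboFix-style log lines (added example, not ComboFix code)."""
import re

# "Files Created" record: <created> . <modified> [<size>] <attrs> <path>
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[a-z-]{9}) (?P<path>.+)$"
)
# Run-key value: "Name"="path" [date size]  (the bracketed text is ComboFix's annotation)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<note>[^\]]*)\])?$')
# Firewall exception: "4899:TCP"= 4899:TCP:RAdmin
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"= .*:(?P<label>[^:]+)$')

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Assumption: where a newly created executable normally lands on this XP box.
# c:\progra~1 is the 8.3 form of Program Files that the AVG entries in the log use.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")

# Sample lines copied from the log posted above.
SAMPLE_LOG = r"""
2008-11-20 13:29 . 2008-11-20 13:29 d-------- c:\windows\system32\RsFx
2008-11-20 11:57 . 2008-11-20 12:02 45,568 --a------ C:\userprivs.xls
2008-11-19 14:26 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-18 12:40 . 2003-08-27 14:20 94,208 -ra------ c:\windows\SM1bg.exe
2008-11-11 09:18 . 2008-11-11 09:18 60,744 --a------ c:\documents and settings\jbender\g2mdlhlpx.exe
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\198\g2mstart.exe" [2008-11-12 31816]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"4899:TCP"= 4899:TCP:RAdmin
""".strip().splitlines()


def parse_created(line):
    """Return a dict for a 'Files Created' line, or None if the line is something else."""
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", "")) if rec["size"] else None
    rec["is_dir"] = rec["attrs"].startswith("d")
    return rec


def outside_expected_dirs(path):
    """True for an executable whose path is not under one of EXPECTED_DIRS."""
    p = path.lower()
    return p.endswith(EXEC_EXT) and not p.startswith(EXPECTED_DIRS)


def triage(lines):
    """Return (flag, detail) pairs; a flag asks for a human look, it is not a verdict."""
    findings = []
    for raw in lines:
        line = raw.strip()
        rec = parse_created(line)
        if rec:
            if not rec["is_dir"] and outside_expected_dirs(rec["path"]):
                findings.append(("exec-outside-expected-dirs", rec["path"]))
            continue
        m = RUN_RE.match(line)
        if m:
            path = m.group("path")
            if "\\" not in path:
                # Bare image name: resolved by search order at logon, so the
                # resolved path in ComboFix's [date path] annotation is what to check.
                findings.append(("run-value-unqualified-image", path))
            elif outside_expected_dirs(path):
                findings.append(("run-value-outside-expected-dirs", path))
            continue
        m = PORT_RE.match(line)
        if m:
            findings.append(("firewall-open-port",
                             f"{m.group('port')}/{m.group('proto')} {m.group('label')}"))
    return findings


if __name__ == "__main__":
    for flag, detail in triage(SAMPLE_LOG):
        print(f"{flag:32} {detail}")
```

Feed it the whole pasted log instead of SAMPLE_LOG to get the same short list a helper produces by hand, plus the network-facing entries (open ports, remote-control services) that are easy to skip past when reading for malware alone. The whitelist is deliberately narrow, so legitimate installers that drop binaries in c:\windows (the Sonic SM1 files here) will show up too; the point is to make the reader look, not to decide for them.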

Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 2:29 am

ComboFix 08-11-30.01 - jbender 2008-11-30 21:22:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1799 [GMT -5:00]
Running from: c:\apps\Spyware Removal\ComboFix.exe
Command switches used :: c:\documents and settings\jbender\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\jbender\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jbender\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-11-30 19:26 . 2008-11-30 19:25 812,344 --a------ C:\HJTInstall.exe
2008-11-30 17:43 . 2008-11-30 21:01 d--h----- C:\$AVG8.VAULT$
2008-11-30 16:17 . 2008-11-30 16:17 d-------- c:\windows\system32\drivers\Avg
2008-11-30 16:17 . 2008-11-30 16:17 d-------- c:\program files\AVG
2008-11-30 16:17 . 2008-11-30 16:17 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-30 16:17 . 2008-11-30 16:17 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-30 16:17 . 2008-11-30 16:17 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-30 16:17 . 2008-11-30 16:17 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-11-30 16:17 . 2008-11-30 16:17 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-28 19:36 . 2008-11-28 19:36 d--h----- c:\windows\PIF
2008-11-28 19:32 . 2008-11-28 19:32 d-------- c:\program files\WinDirStat
2008-11-28 19:14 . 2008-11-28 19:14 d-------- c:\documents and settings\jbender\Application Data\Binary Fortress Software
2008-11-28 18:55 . 2008-11-28 18:55 d-------- c:\program files\DisplayFusion
2008-11-28 18:52 . 2008-11-28 18:52 d-------- c:\documents and settings\LocalService\Application Data\Roxio
2008-11-28 18:26 . 2008-11-28 18:26 d-------- c:\documents and settings\jbender\Application Data\Apple Computer
2008-11-28 18:25 . 2008-11-28 18:25 d-------- c:\program files\iTunes
2008-11-28 18:25 . 2008-11-28 18:25 d-------- c:\program files\iPod
2008-11-28 18:25 . 2008-11-28 18:25 d-------- c:\program files\Bonjour
2008-11-28 18:25 . 2008-11-28 18:25 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 18:25 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-28 18:25 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-28 18:24 . 2008-11-28 18:25 d----c--- c:\windows\system32\DRVSTORE
2008-11-28 18:06 . 2008-11-28 18:06 d-------- c:\documents and settings\jbender\Application Data\Research In Motion
2008-11-28 18:06 . 2008-11-30 20:47 256 --a------ c:\windows\system32\pool.bin
2008-11-28 18:00 . 2008-11-28 18:00 d-------- c:\documents and settings\jbender\Application Data\InstallShield
2008-11-28 18:00 . 2008-11-28 18:00 d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-11-28 18:00 . 2008-11-28 18:00 d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-11-28 17:55 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-11-28 17:54 . 2008-11-28 17:54 d-------- c:\program files\Research In Motion
2008-11-28 17:54 . 2008-11-28 17:54 d-------- c:\program files\Common Files\Research In Motion
2008-11-26 00:20 . 2008-11-26 00:20 d-------- c:\program files\Microsoft Silverlight
2008-11-25 23:08 . 2008-11-25 23:08 d-------- c:\program files\Common Files\Merge Modules
2008-11-25 23:07 . 2008-11-25 23:08 d-------- c:\program files\Microsoft Visual FoxPro 9
2008-11-25 23:07 . 2008-11-25 23:07 d-------- c:\program files\Microsoft UDDI SDK
2008-11-25 23:02 . 2008-11-25 23:02 d-------- c:\program files\MSSOAP
2008-11-25 22:53 . 2008-11-25 22:55 d-------- C:\VFP9
2008-11-24 16:50 . 2008-11-24 16:50 d-------- c:\program files\CPR+
2008-11-21 11:48 . 2008-11-21 12:08 d-------- C:\Baks
2008-11-21 11:46 . 2008-11-21 11:47 13,312 --a------ C:\add delete inventory.xls
2008-11-21 09:20 . 2008-11-21 09:14 5,120 --a------ C:\browse inventory.xls
2008-11-21 09:15 . 2008-11-21 09:15 0 --a------ c:\windows\PasswordsPlus.INI
2008-11-21 09:13 . 2008-11-21 09:13 d-------- c:\program files\Passwords Plus
2008-11-20 20:52 . 2008-11-20 20:52 d-------- c:\program files\Microsoft IntelliType Pro
2008-11-20 20:52 . 2008-11-20 20:52 d-------- c:\program files\Microsoft IntelliPoint
2008-11-20 17:00 . 2008-11-20 17:02 d-------- C:\vfp_data
2008-11-20 16:57 . 2008-11-20 17:03 d-------- C:\Systems
2008-11-20 16:15 . 2008-05-08 20:10 717,891,072 --a------ C:\CPR.BAK
2008-11-20 16:08 . 2008-11-20 16:11 d-------- C:\Knowledge Base
2008-11-20 13:35 . 2008-08-15 14:47 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2008-11-20 13:35 . 2008-08-15 14:47 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2008-11-20 13:30 . 2008-11-20 13:30 d-------- c:\program files\Microsoft Synchronization Services
2008-11-20 13:30 . 2008-11-20 13:30 d-------- c:\program files\Microsoft SDKs
2008-11-20 13:29 . 2008-11-20 13:29 d-------- c:\windows\system32\RsFx
2008-11-20 13:29 . 2008-11-20 13:29 d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-11-20 13:28 . 2008-11-20 13:30 d-------- c:\program files\Microsoft Visual Studio 9.0
2008-11-20 11:57 . 2008-11-20 12:02 45,568 --a------ C:\userprivs.xls
2008-11-20 09:00 . 2008-11-20 09:00 d-------- C:\981a80cf0aef5539d8
2008-11-20 08:58 . 2008-11-20 08:58 d-------- c:\program files\MSXML 6.0
2008-11-19 14:26 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-19 14:26 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\dllcache\usbccgp.sys
2008-11-19 14:26 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-19 14:26 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2008-11-19 14:26 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-19 14:26 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\dllcache\kbdhid.sys
2008-11-18 13:10 . 2008-11-19 17:12 d-------- c:\program files\Microsoft Visual Studio 8
2008-11-18 12:53 . 2008-11-28 19:30 d-------- c:\documents and settings\jbender\Application Data\Roxio
2008-11-18 12:40 . 2008-11-18 12:40 d-------- c:\windows\DRIVERS
2008-11-18 12:40 . 2003-08-27 14:20 266,240 -ra------ c:\windows\SM1nint.exe
2008-11-18 12:40 . 2003-08-27 14:20 94,208 -ra------ c:\windows\SM1bg.exe
2008-11-18 12:40 . 2003-08-27 14:20 86,106 -ra------ c:\windows\system32\SM1un.exe
2008-11-18 12:40 . 2003-08-27 14:19 36,963 -ra------ c:\program files\Common Files\SM1updtr.dll
2008-11-18 12:40 . 2003-08-27 14:20 32,896 -ra------ c:\windows\system32\drivers\SM1fx_at.sys
2008-11-18 12:40 . 2003-08-27 14:20 12,382 -ra------ c:\windows\system32\SM1ui32.dll
2008-11-18 12:39 . 2008-11-18 15:06 d-------- c:\documents and settings\All Users\Application Data\Napster
2008-11-18 12:36 . 2008-11-18 12:36 d-------- c:\program files\Common Files\Sonic Shared
2008-11-18 12:35 . 2008-11-18 12:36 d-------- c:\program files\Sonic
2008-11-18 12:35 . 2008-11-28 17:59 d-------- c:\program files\Roxio
2008-11-18 12:35 . 2008-11-18 12:35 d-------- c:\program files\Common Files\TiVo Shared
2008-11-18 12:35 . 2008-11-28 17:59 d-------- c:\program files\Common Files\Roxio Shared
2008-11-18 12:35 . 2008-11-28 19:30 d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-11-17 17:49 . 2008-11-17 17:49 d-------- c:\program files\CCleaner
2008-11-16 16:59 . 2008-11-16 16:59 d-------- c:\documents and settings\All Users\Application Data\EPSON
2008-11-16 13:20 . 2008-11-16 13:20 d-------- c:\program files\RocketDock
2008-11-15 09:39 . 2008-11-15 09:39 0 --a------ c:\windows\nsreg.dat
2008-11-13 19:27 . 2008-11-13 19:28 d-------- c:\program files\QuickTime
2008-11-13 19:27 . 2008-11-28 18:24 d-------- c:\program files\Common Files\Apple
2008-11-13 19:26 . 2008-11-13 19:26 d-------- c:\program files\Apple Software Update
2008-11-13 19:26 . 2008-11-13 19:26 d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-13 16:42 . 2008-11-13 16:42 1,791 --a------ c:\windows\system32\autoexec.nt
2008-11-12 17:06 . 2008-11-12 17:06 d-------- c:\documents and settings\jbender\Application Data\NetSupport DNA
2008-11-12 17:05 . 2008-11-20 13:29 d-------- c:\program files\Microsoft SQL Server
2008-11-12 16:52 . 2008-11-12 16:52 d-------- c:\program files\Crystal Decisions
2008-11-12 16:52 . 2008-11-12 16:52 d-------- c:\program files\Common Files\Crystal Decisions
2008-11-12 11:35 . 2008-11-12 11:37 d-------- C:\Roxio Easy Media Creator 7.5 ESD Install
2008-11-12 11:33 . 2008-11-12 11:33 d-------- c:\program files\TechSmith
2008-11-12 11:33 . 2008-11-12 11:33 d-------- c:\documents and settings\All Users\Application Data\TechSmith
2008-11-12 11:32 . 2008-11-12 11:32 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-12 11:19 . 2008-11-12 11:19 d-------- c:\program files\Microsoft Works
2008-11-12 11:16 . 2008-11-20 14:37 d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-11 14:46 . 2008-11-11 14:46 d-------- c:\program files\Dell_HostCD
2008-11-11 14:46 . 2005-04-01 16:11 335,872 --a------ c:\windows\system32\lexlog.dll
2008-11-11 14:46 . 2008-11-11 14:46 2,018 --a------ c:\windows\system32\LexFiles.ulf
2008-11-11 14:46 . 2008-11-11 16:03 1,057 --a------ c:\windows\system32\LexFiles.usr
2008-11-11 14:46 . 2008-11-11 14:46 507 --a------ c:\windows\DKAAY2DD.ini
2008-11-11 13:37 . 2008-11-11 13:37 d-------- c:\program files\CPR+ Image Viewer
2008-11-11 13:37 . 2008-11-11 13:37 737,280 --a------ c:\windows\iun6002.exe
2008-11-11 13:36 . 2008-11-25 23:18 d-------- C:\CPR_SQL
2008-11-11 09:53 . 2008-11-11 09:53 d-------- c:\program files\MMTaskbar
2008-11-11 09:14 . 2008-11-11 09:14 d-------- c:\program files\Radmin Viewer 3
2008-11-11 08:54 . 2008-11-30 20:53 d-------- C:\Apps
2008-11-10 18:00 . 2008-11-10 18:00 d-------- c:\program files\NetSupport
2008-11-10 18:00 . 2008-11-10 18:00 d-------- c:\documents and settings\All Users\Application Data\NetSupport
2008-11-10 18:00 . 2007-07-20 13:28 102,456 --a------ c:\windows\system32\pcimon.old
2008-11-10 18:00 . 2007-07-20 13:28 102,456 --a------ c:\windows\system32\pcimon.dll
2008-11-10 18:00 . 2007-07-20 13:28 84,576 --a------ c:\windows\system32\clhook4.old
2008-11-10 18:00 . 2007-07-20 13:28 84,576 --a------ c:\windows\system32\clhook4.dll
2008-11-10 18:00 . 2007-08-28 14:10 39,520 --a------ c:\windows\system32\drivers\pcisys.sys
2008-11-10 18:00 . 2007-08-28 14:10 39,520 --a------ c:\windows\system32\drivers\pcisys.old
2008-11-10 18:00 . 2007-07-20 13:21 36,912 --a------ c:\windows\system32\pcimsg.old
2008-11-10 18:00 . 2007-07-20 13:21 36,912 --a------ c:\windows\system32\pcimsg.dll
2008-11-10 18:00 . 2007-07-20 13:28 32,825 --a------ c:\windows\system32\pcigina.dll
2008-11-10 18:00 . 2007-07-20 13:28 20,536 --a------ c:\windows\system32\pcivdd.old
2008-11-10 18:00 . 2007-07-20 13:28 20,536 --a------ c:\windows\system32\pcivdd.dll
2008-11-10 18:00 . 2008-11-30 20:13 8 --a------ c:\windows\system32\pcisys.ntk
2008-11-10 17:57 . 2008-11-10 17:57 d-------- c:\windows\pcirdist.tmp


Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 2:30 am

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 22:56 --------- d-----w c:\program files\Radmin
2008-11-29 02:10 6,094,848 ----a-w c:\windows\system32\Skyrocket.scr
2008-11-29 02:10 532,480 ----a-w c:\windows\system32\Hyperspace.scr
2008-11-29 02:10 483,328 ----a-w c:\windows\system32\Helios.scr
2008-11-29 02:10 450,560 ----a-w c:\windows\system32\Euphoria.scr
2008-11-29 02:10 274,432 ----a-w c:\windows\system32\Cyclone.scr
2008-11-29 02:10 249,856 ----a-w c:\windows\system32\Flocks.scr
2008-11-29 02:10 245,760 ----a-w c:\windows\system32\Flux.scr
2008-11-29 02:10 237,568 ----a-w c:\windows\system32\SolarWinds.scr
2008-11-29 02:10 237,568 ----a-w c:\windows\system32\FieldLines.scr
2008-11-29 02:10 229,376 ----a-w c:\windows\system32\Plasma.scr
2008-11-29 02:10 1,908,736 ----a-w c:\windows\system32\Lattice.scr
2008-11-28 23:25 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 22:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-20 19:44 --------- d-----w c:\program files\Java
2008-11-20 18:28 --------- d-----w c:\program files\Microsoft.NET
2008-11-18 17:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 13:27 --------- d-----w c:\program files\Wave Systems Corp
2008-11-10 13:27 --------- d-----w c:\program files\Broadcom
2008-11-10 13:08 --------- d-----w c:\documents and settings\admin\Application Data\Wave Systems Corp
2008-10-30 21:02 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Wave Systems Corp
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-01 01:20:44 97,380 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-01 01:40:43 97,380 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-01 01:20:44 511,250 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-01 01:40:44 511,250 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\198\g2mstart.exe" [2008-11-12 31816]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"\\joelbender-pc\EPSON Stylus CX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2008-11-09 590512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 1695744]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-30 1235736]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-11-10 1528880]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-11-07 1512720]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-04-26 24576]
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2008-11-11 294912]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2005-12-22 5513216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:RAdmin

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-11-30 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-30 97928]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-30 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-30 76040]
R3 BCMTPM;BCMTPM;c:\windows\system32\DRIVERS\btpmw32.sys [2007-04-26 17290]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\jbender\My Documents\VCdRom.sys []
S2 NetSupport DNA Client;NetSupport DNA Client;c:\program files\NetSupport DNA\DNA\Client\DNAClient.exe [2008-11-10 176231]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\DRIVERS\PTDCWWAN.sys [2008-11-10 58240]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [2008-08-15 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [2008-08-15 369688]
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-21 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-21 20:08]
.

jbender
Novice
Posts: 16
Joined: 2008-11-30
OS: Windows XP Professional
Points: 29300
Likes: 0

Re: **HELP!!*** spyware.Ispynow Infected

Post by jbender on 1st December 2008, 2:30 am

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-30 21:25:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll

- - - - - - - > 'csrss.exe'(1284)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll
.
Completion time: 2008-11-30 21:26:28
ComboFix-quarantined-files.txt 2008-12-01 02:26:00
ComboFix2.txt 2008-12-01 01:42:49

Pre-Run: 13,640,744,960 bytes free
Post-Run: 13,783,793,664 bytes free

286 --- E O F --- 2008-11-21 08:00:41

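The ComboFix output in the two posts above contains several items that an analyst would want pulled out of a log this long before deciding what is malicious and what is merely unusual: a firewall exception that opens 4899/TCP for RAdmin on every network, a NetSupport hook DLL (pcihooks.dll) loaded inside winlogon.exe and csrss.exe, a driver (vcdrom) registered from a path under the user's My Documents with no file timestamp or size recorded, an AppInit_DLLs value, and a Run entry given as a bare file name rather than a full path. The Python script below is an added example, not part of jbender's posts and not a ComboFix feature: it parses ComboFix-style text and applies exactly those checks. The sample input is a constructed subset of lines copied from the posts above; the rule names, the list of trusted directories and the set of sensitive processes are the example's own assumptions.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule name, detail)

# Constructed sample input: lines copied from the ComboFix output posted above,
# trimmed to just the sections these triage rules inspect.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:RAdmin

R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\jbender\My Documents\VCdRom.sys []
S2 NetSupport DNA Client;NetSupport DNA Client;c:\program files\NetSupport DNA\DNA\Client\DNAClient.exe [2008-11-10 176231]

- - - - - - - > 'winlogon.exe'(1308)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll

- - - - - - - > 'csrss.exe'(1284)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll
"""

# Assumed policy for this example: where driver/service images normally live,
# and which system processes should not be hosting third-party DLLs.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
SENSITIVE_PROCS = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe"}

RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$', re.I)
SVC_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$')
PROC_RE = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)")


def triage(log_text: str) -> List[Finding]:
    """Walk ComboFix-style text and return entries worth an analyst's attention."""
    findings: List[Finding] = []
    section = ""  # registry key currently open (lower-cased)
    proc = ""     # process whose loaded-DLL list we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            proc = ""  # a blank line ends a per-process DLL list
            continue
        if line.startswith("[") and line.endswith("]"):
            section, proc = line.lower(), ""
            continue
        m = PROC_RE.match(line)
        if m:
            proc = m.group(1).lower()
            continue
        if proc:
            # DLLs listed under a system process: anything outside %windir% is suspect.
            if proc in SENSITIVE_PROCS and not line.lower().startswith("c:\\windows\\"):
                findings.append(("dll_in_sensitive_process", f"{proc} loaded {line}"))
            continue
        m = SVC_RE.match(line)
        if m:
            name, image, meta = m.group(2), m.group(4), m.group(5)
            path = image.lower().lstrip('"')
            if path.startswith("\\??\\"):  # NT object-manager prefix used by some drivers
                path = path[4:]
            reasons = []
            if not path.startswith(TRUSTED_ROOTS):
                reasons.append("image outside %windir% / Program Files")
            if not meta.strip():
                reasons.append("no timestamp or size recorded for the file")
            if reasons:
                findings.append(("service_image", f"{name}: {image} ({'; '.join(reasons)})"))
            continue
        if "globallyopenports" in section:
            m = PORT_RE.match(line)
            if m:
                port, proto, rest = m.groups()
                label = rest.rsplit(":", 1)[-1]
                findings.append(("firewall_open_port",
                                 f"{port}/{proto.upper()} open inbound on every network for {label}"))
            continue
        if section.endswith("\\windows]") and line.lower().startswith('"appinit_dlls"='):
            value = line.split("=", 1)[1].strip()
            if value:  # loaded into every process that maps user32.dll
                findings.append(("appinit_dlls", f"{value} loads into every user32-linked process"))
            continue
        if section.endswith("\\run]"):
            m = RUN_RE.match(line)
            if m and "\\" not in m.group(2):
                findings.append(("run_entry_no_path",
                                 f"{m.group(1)} -> {m.group(2)} (bare name, resolved via search path)"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Run against the sample it reports six findings: the bare-name Run entry, the AppInit_DLLs value, the 4899/TCP exception, the vcdrom driver, and the NetSupport DLL once for each of winlogon.exe and csrss.exe. Every one of these is a prompt for review rather than a verdict: RAdmin and NetSupport Manager are legitimate remote-administration products that are frequently installed on purpose (the firewall exception and the running client32.exe in this thread are consistent with that), and avgrsstx.dll belongs to the AVG install the poster mentions. The point of the script is to make those entries impossible to miss in a log of this size, so that the analyst checks each against what is supposed to be on the machine.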

Re: **HELP!!*** spyware.Ispynow Infected

Post by Belahzur on 1st December 2008, 2:35 am

Hello.
What problems remain?


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

Re: **HELP!!*** spyware.Ispynow Infected

Post by Doctor Inferno on 10th December 2008, 4:34 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.


Doctor Inferno
Administrator
Posts: 12015
Joined: 2007-12-26
Gender: Male
OS: Windows 7 Home Premium and Ultimate X64
Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
Points: 104620
Likes: 0