I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 5:18 pm

Never mind, I was able to run ComboFix. I had to save it first on my desktop and then run it. Here is the log I received:

ComboFix 08-11-30.02 - Admin 2008-12-01 10:55:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.505 [GMT -6:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\google\runhh6110411.exe
c:\documents and settings\Admin\nah_wdwf.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\PopSwatr\History\allowed
c:\program files\FunWebProducts\PopSwatr\History\notallow
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_TDSSSERV.SYS
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-12-01 09:47 . 2008-12-01 09:47 268 --ah----- C:\sqmdata13.sqm
2008-12-01 09:47 . 2008-12-01 09:47 244 --ah----- C:\sqmnoopt13.sqm
2008-11-30 21:44 . 2008-11-30 21:44 268 --ah----- C:\sqmdata12.sqm
2008-11-30 21:44 . 2008-11-30 21:44 244 --ah----- C:\sqmnoopt12.sqm
2008-11-30 21:16 . 2008-11-30 21:16 268 --ah----- C:\sqmdata11.sqm
2008-11-30 21:16 . 2008-11-30 21:16 244 --ah----- C:\sqmnoopt11.sqm
2008-11-30 19:41 . 2008-11-30 19:41 268 --ah----- C:\sqmdata10.sqm
2008-11-30 19:41 . 2008-11-30 19:41 244 --ah----- C:\sqmnoopt10.sqm
2008-11-30 18:58 . 2008-11-30 18:58 268 --ah----- C:\sqmdata09.sqm
2008-11-30 18:58 . 2008-11-30 18:58 244 --ah----- C:\sqmnoopt09.sqm
2008-11-29 01:55 . 2008-11-29 01:55 268 --ah----- C:\sqmdata08.sqm
2008-11-29 01:55 . 2008-11-29 01:55 244 --ah----- C:\sqmnoopt08.sqm
2008-11-27 16:03 . 2008-11-27 16:03 268 --ah----- C:\sqmdata07.sqm
2008-11-27 16:03 . 2008-11-27 16:03 244 --ah----- C:\sqmnoopt07.sqm
2008-11-27 15:08 . 2008-11-27 15:08 268 --ah----- C:\sqmdata06.sqm
2008-11-27 15:08 . 2008-11-27 15:08 244 --ah----- C:\sqmnoopt06.sqm
2008-11-26 00:17 . 2008-11-26 00:17 268 --ah----- C:\sqmdata05.sqm
2008-11-26 00:17 . 2008-11-26 00:17 244 --ah----- C:\sqmnoopt05.sqm
2008-11-25 23:42 . 2008-11-25 23:48 68,950 --a------ c:\windows\hpoins05.dat
2008-11-25 23:42 . 2004-12-14 10:07 19,696 --------- c:\windows\hpomdl05.dat
2008-11-25 23:40 . 2004-12-14 10:07 581,632 -ra------ c:\windows\system32\hpotscl.dll
2008-11-25 23:40 . 2004-12-14 10:07 229,376 -ra------ c:\windows\system32\hpovst08.dll
2008-11-25 23:32 . 2008-11-25 23:32 268 --ah----- C:\sqmdata04.sqm
2008-11-25 23:32 . 2008-11-25 23:32 244 --ah----- C:\sqmnoopt04.sqm
2008-11-23 02:08 . 2008-11-23 02:08 268 --ah----- C:\sqmdata03.sqm
2008-11-23 02:08 . 2008-11-23 02:08 244 --ah----- C:\sqmnoopt03.sqm
2008-11-23 01:17 . 2008-11-23 01:17 268 --ah----- C:\sqmdata02.sqm
2008-11-23 01:17 . 2008-11-23 01:17 244 --ah----- C:\sqmnoopt02.sqm
2008-11-22 03:36 . 2008-11-22 03:36 268 --ah----- C:\sqmdata01.sqm
2008-11-22 03:36 . 2008-11-22 03:36 244 --ah----- C:\sqmnoopt01.sqm
2008-11-20 22:02 . 2008-11-20 22:02 268 --ah----- C:\sqmdata00.sqm
2008-11-20 22:02 . 2008-11-20 22:02 244 --ah----- C:\sqmnoopt00.sqm
2008-11-20 20:47 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-20 20:47 . 2008-07-18 22:07 210,976 --a------ c:\windows\system32\muweb.dll
2008-11-20 20:47 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-19 09:49 . 2008-11-19 09:49 d-------- c:\documents and settings\Admin\Contacts
2008-11-19 09:38 . 2008-11-19 09:47 d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-19 09:37 . 2008-11-19 09:47 d-------- c:\program files\Windows Live
2008-11-19 09:37 . 2008-11-19 09:37 d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-12 10:22 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 10:21 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 21:14 --------- d-----w c:\documents and settings\Admin\Application Data\LimeWire
2008-11-27 22:30 --------- d-----w c:\documents and settings\Admin\Application Data\Roxio
2008-11-26 05:46 --------- d-----w c:\program files\HP
2008-11-23 18:02 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-11-21 05:46 --------- d-----w c:\program files\Common Files\Research In Motion
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-08 21:19 --------- d-----w c:\documents and settings\Admin\Application Data\ePASS
2008-10-08 21:13 --------- d-----w c:\program files\Lavasoft
2008-10-08 21:13 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-08 21:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-08 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-08 20:30 --------- d-----w c:\documents and settings\Admin\Application Data\Encompass
2008-10-08 18:06 --------- d-----w c:\program files\CounterPath
2008-10-08 18:06 --------- d-----w c:\program files\Common Files\Intel
2008-10-08 17:46 --------- d-----w c:\program files\Microsoft WSE
2008-10-08 17:46 --------- d-----w c:\program files\Ellie Mae
2008-10-08 17:45 --------- d-----w c:\program files\Common Files\Outlook Security Manager
2008-10-08 17:26 --------- d-----w c:\program files\Java
2008-10-08 17:16 --------- d-----w c:\program files\Google
2008-10-08 17:16 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-08 17:16 --------- d-----w c:\documents and settings\Admin\Application Data\Yahoo!
2008-10-08 16:26 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-08 16:26 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-08 16:26 --------- d-----w c:\program files\AVG
2008-10-08 16:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-08 16:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-08 15:59 --------- d-----w c:\program files\Symantec
2008-10-01 00:12 --------- d-----w c:\documents and settings\Admin\Application Data\W Photo Studio Viewer
2008-08-26 01:01 77,472 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2008-01-29 583048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-08 1234712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 14:49 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 07:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=


Post by rortega03 on 1st December 2008, 5:21 pm

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-08 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-08 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-08 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-08 76040]
R2 SCAppMgr;Smart Client Manager;"c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe" [2008-07-29 36864]
.
Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: Yahoo! Checkers - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Yahoo! Checkers.osd

O16 -: Yahoo! Pool 2 - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Yahoo! Pool 2.osd

c:\windows\Downloaded Program Files\print3.ocx - O16 -: {A2EBA59E-C601-4AE3-900B-6B61F29500BE}
[You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-01 10:59:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-01 11:03:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 17:03:39

Pre-Run: 62,300,864,512 bytes free
Post-Run: 62,695,133,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

251 --- E O F --- 2008-11-30 23:31:24

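For triaging a ComboFix log like the one posted above, here is an added example (my own code, not the thread's and not part of ComboFix) that splits the log into its `((( ... )))` sections and flags the entries a responder should read first: a system file reported infected, a core binary deleted from outside its home directory, names carrying the TDSS prefix that appears in this log, and the AppInit_DLLs and Security Center entries. The sample input is constructed from lines of the posted log; the canonical-directory table, the rootkit prefix list and the severity labels are my assumptions.

```python
"""Triage a ComboFix log: pull out the entries a responder should read first."""
import re
from collections import namedtuple

# Constructed sample input: lines lifted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat

c:\windows\system32\winlogon.exe . . . is infected!!
.
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_TDSSSERV.SYS
.
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")  # ((( Section Name )))
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")             # [HKEY_...\subkey]
# Assumption: core Windows binaries and the single directory each lives in on XP.
CANONICAL_DIR = {n: r"c:\windows\system32" for n in
                 ("svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe")}
ROOTKIT_PREFIXES = ("tdss",)  # known rootkit family prefix; "TDSS" is the one in this log
Finding = namedtuple("Finding", "severity section line reason")  # severity: critical/high/info


def split_sections(text):
    """Return {section name: [lines]} using ComboFix's ((( name ))) headers."""
    sections, current = {}, "preamble"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == ".":
            continue
        if match := SECTION_RE.match(line):
            current = match.group("name")
        else:
            sections.setdefault(current, []).append(line)
    return sections


def check_deletions(lines):
    """Other Deletions: a patched system file, or a core binary outside its home directory."""
    out = []
    for line in lines:
        directory, _, name = line.split(" . . . ")[0].lower().rpartition("\\")
        if line.endswith("is infected!!"):
            out.append(Finding("critical", "Other Deletions", line, "system file reported infected: "
                               "it needs a clean replacement, deleting it would break the system"))
        elif name in CANONICAL_DIR and directory != CANONICAL_DIR[name]:
            out.append(Finding("high", "Other Deletions", line,
                               f"masquerade: {name} only belongs in {CANONICAL_DIR[name]}"))
    return out


def check_rootkit_names(section, lines):
    """Any section: file, driver or service names carrying a known rootkit family prefix."""
    out = []
    for line in lines:
        name = re.sub(r"^(legacy_|service_)", "", line.split(" . . . ")[0].rpartition("\\")[2].lower())
        if name.startswith(ROOTKIT_PREFIXES):
            out.append(Finding("high", section, line, "name matches a known rootkit family prefix"))
    return out


def check_registry(lines):
    """Reg Loading Points: an injection point and Security Center overrides worth a second look."""
    out, key = [], ""
    for line in lines:
        if match := REG_KEY_RE.match(line):
            key = match.group("key").lower()
        elif line.lower().startswith('"appinit_dlls"=') and not line.endswith("="):
            out.append(Finding("info", "Reg Loading Points", line, "AppInit_DLLs is loaded into every "
                               "process that loads user32.dll; confirm which installed product owns it"))
        elif r"security center\monitoring" in key and line.lower() == '"disablemonitoring"=dword:00000001':
            product = key.rpartition("\\")[2]
            out.append(Finding("info", "Reg Loading Points", line, "Security Center monitoring disabled "
                               f"for {product}; AV suites set this legitimately, malware does too"))
    return out


def triage(text):
    """Run every check over the log; most severe first, original order within a level."""
    s = split_sections(text)
    findings = check_deletions(s.get("Other Deletions", [])) + check_registry(s.get("Reg Loading Points", []))
    for section in ("Other Deletions", "Drivers/Services"):
        findings += check_rootkit_names(section, s.get(section, []))
    return sorted(findings, key=lambda f: ("critical", "high", "info").index(f.severity))
```

Run `triage(SAMPLE_LOG)` to get the ordered findings; pasting a full log in place of the sample works the same way, since the parser keys on the section headers rather than on line positions.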

Post by Belahzur on 1st December 2008, 5:25 pm

Hello.
Looks good, just a few leftovers.

Now open a new notepad file.
Input this into the notepad file:

File::
C:\sqmdata13.sqm
C:\sqmnoopt13.sqm
C:\sqmdata12.sqm
C:\sqmnoopt12.sqm
C:\sqmdata11.sqm
C:\sqmnoopt11.sqm
C:\sqmdata10.sqm
C:\sqmnoopt10.sqm
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm

Save this as CFScript.txt, and save it to your desktop as well.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Post by rortega03 on 1st December 2008, 5:31 pm

OK, I dragged the CFScript to ComboFix and nothing happened. Can I double-click on ComboFix to open it?


Post by Belahzur on 1st December 2008, 5:32 pm

No, CFScript drag and drop should automatically launch it again.
If it won't launch, we can use another tool.



Post by rortega03 on 1st December 2008, 5:40 pm

OK, I was able to make it run. Here is the log:


ComboFix 08-11-30.02 - Admin 2008-12-01 11:34:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.491 [GMT -6:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFscript_.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm

.
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-11-25 23:42 . 2008-11-25 23:48 68,950 --a------ c:\windows\hpoins05.dat
2008-11-25 23:42 . 2004-12-14 10:07 19,696 --------- c:\windows\hpomdl05.dat
2008-11-25 23:40 . 2004-12-14 10:07 581,632 -ra------ c:\windows\system32\hpotscl.dll
2008-11-25 23:40 . 2004-12-14 10:07 229,376 -ra------ c:\windows\system32\hpovst08.dll
2008-11-20 22:02 . 2008-11-20 22:02 244 --ah----- C:\sqmnoopt00.sqm
2008-11-20 20:47 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-20 20:47 . 2008-07-18 22:07 210,976 --a------ c:\windows\system32\muweb.dll
2008-11-20 20:47 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-19 09:49 . 2008-11-19 09:49 d-------- c:\documents and settings\Admin\Contacts
2008-11-19 09:38 . 2008-11-19 09:47 d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-19 09:37 . 2008-11-19 09:47 d-------- c:\program files\Windows Live
2008-11-19 09:37 . 2008-11-19 09:37 d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-12 10:22 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 10:21 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 21:14 --------- d-----w c:\documents and settings\Admin\Application Data\LimeWire
2008-11-30 21:02 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-27 22:30 --------- d-----w c:\documents and settings\Admin\Application Data\Roxio
2008-11-26 05:46 --------- d-----w c:\program files\HP
2008-11-23 18:02 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-11-21 05:46 --------- d-----w c:\program files\Common Files\Research In Motion
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-08 21:19 --------- d-----w c:\documents and settings\Admin\Application Data\ePASS
2008-10-08 21:13 --------- d-----w c:\program files\Lavasoft
2008-10-08 21:13 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-08 21:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-08 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-08 20:30 --------- d-----w c:\documents and settings\Admin\Application Data\Encompass
2008-10-08 18:06 --------- d-----w c:\program files\CounterPath
2008-10-08 18:06 --------- d-----w c:\program files\Common Files\Intel
2008-10-08 17:46 --------- d-----w c:\program files\Microsoft WSE
2008-10-08 17:46 --------- d-----w c:\program files\Ellie Mae
2008-10-08 17:45 --------- d-----w c:\program files\Common Files\Outlook Security Manager
2008-10-08 17:26 --------- d-----w c:\program files\Java
2008-10-08 17:16 --------- d-----w c:\program files\Google
2008-10-08 17:16 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-08 17:16 --------- d-----w c:\documents and settings\Admin\Application Data\Yahoo!
2008-10-08 16:26 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-08 16:26 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-08 16:26 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-08 16:26 --------- d-----w c:\program files\AVG
2008-10-08 16:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-08 16:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-08 15:59 --------- d-----w c:\program files\Symantec
2008-10-01 00:12 --------- d-----w c:\documents and settings\Admin\Application Data\W Photo Studio Viewer
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 01:01 77,472 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2008-01-29 583048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-01 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 14:49 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 07:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-08 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-08 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-08 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-08 76040]
R2 SCAppMgr;Smart Client Manager;"c:\program files\Ellie Mae\SCAppMgr\SCAppMgr.exe" [2008-07-29 36864]
.
Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-01 11:36:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-01 11:37:46
ComboFix-quarantined-files.txt 2008-12-01 17:37:14
ComboFix2.txt 2008-12-01 17:03:50

Pre-Run: 62,653,558,784 bytes free
Post-Run: 62,642,462,720 bytes free

218 --- E O F --- 2008-11-30 23:31:24


Post by Belahzur on 1st December 2008, 5:46 pm

Darn, missed a file in my CFScript.
Delete these files/folders in bold:
C:\sqmnoopt00.sqm
C:\Qoobox

What problems remain?



Post by rortega03 on 1st December 2008, 5:48 pm

Delete them from where? Do I copy these into Notepad?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 5:50 pm

No.
Press Start > Open "My Computer"
Then open the C Drive.
Find Qoobox and delete it.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 5:58 pm

OK, I found the C:\Qoobox folder and deleted it. What about C:\sqmnoopt00.sqm?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 6:00 pm

It's a hidden file, you can leave it if you want to. It won't cause any harm.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 6:04 pm

I want to thank you for all your help and time. But what now? Is it cleared and fixed? I have a red security alert shield in the right-hand corner of my screen; when I open it, it states: Firewall ON, Automatic Updates ON, Virus Protection OFF.

But I have AVG, and when I open AVG and go under Overview it shows RESIDENT SHIELD not active.


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 6:08 pm

Luckily I have AVG too, so I can help change it back.
Open the AVG overview.

Where it says the resident shield is off, double click it and it will open up the advanced resident shield menu.
If the "Resident shield active" is unticked, re-tick it.

Before I can let you go though, we have to get your Java updated.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 6:11 pm

OK, I opened the Resident Shield menu and the "Resident Shield active" box is checked.


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 6:14 pm

Also, in the bottom-left corner I have a notification that says: Attention: Enhance your protection.

AVG Free Edition provides you with good basic protection. Upgrade to AVG Internet Security for complete real-time protection against all online threats.

Download Now


Should I download it?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 6:17 pm

No, ignore the warning, that's the paid-for version.
Execute this, see what happens.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.



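What a .reg merge actually does is not obvious from looking at the file: a line of the form "Name"=- deletes that value, a [-Key] line deletes the whole key, and anything else creates keys or writes values. A fix file received on a forum is worth reading mechanically before double-clicking it. The script below is an added example written for this page; it is not part of the thread and not a Windows tool. It parses the subset of the .reg format that fix files use and lists the operations regedit would perform, flagging whole-key deletions and writes to common autostart locations. The fix.reg text is a copy of the one posted above; the SUSPECT_REG sample and the persistence watchlist are constructed for illustration.

```python
import re

# Copy of the fix.reg posted above. (Files exported by regedit are UTF-16
# with a BOM; read those from disk with encoding="utf-16".)
FIX_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=-
"""

# Constructed sample showing the forms a reviewer must recognise:
# [-Key] deletes a whole key, a quoted string sets REG_SZ, dword: sets a DWORD.
SUSPECT_REG = """Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\\Software\\SomeVendor]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"updater"="C:\\\\Windows\\\\Temp\\\\upd.exe"
"count"=dword:0000000a
"""

_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
_VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')
# Assumed, deliberately short watchlist of paths where a write usually
# means persistence (matched case-insensitively as substrings).
_PERSISTENCE = ("\\currentversion\\run", "\\winlogon", "\\currentversion\\explorer\\shell",
                "\\image file execution options", "\\services\\")


def _unquote(tok):
    """Strip the surrounding quotes and undo .reg escaping (\\\\ and \\")."""
    return tok[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return the operations regedit would perform when merging `text`.

    Each operation is a dict with "kind" in {"create_key", "delete_key",
    "delete_value", "set_value"}. Only the subset of the format that fix files
    normally use is handled; anything else raises instead of being guessed."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("missing .reg header; regedit refuses to merge such a file")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.group(1), m.group(2)
            ops.append({"kind": "delete_key" if minus else "create_key", "key": key})
            if minus:
                key = None          # values cannot follow a [-Key] line
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unexpected line: {raw!r}")
        name_tok, data = m.group(1), m.group(2)
        name = "(Default)" if name_tok == "@" else _unquote(name_tok)
        if data == "-":
            ops.append({"kind": "delete_value", "key": key, "name": name})
        elif data.startswith('"') and data.endswith('"'):
            ops.append({"kind": "set_value", "key": key, "name": name,
                        "type": "REG_SZ", "data": _unquote(data)})
        elif data.startswith("dword:"):
            ops.append({"kind": "set_value", "key": key, "name": name,
                        "type": "REG_DWORD", "data": int(data[6:], 16)})
        else:
            raise ValueError(f"unsupported value form: {raw!r}")
    return ops


def risk_notes(ops):
    """Flag the operations a reviewer should look at twice before merging."""
    notes = []
    for op in ops:
        k = op["key"].lower()
        if op["kind"] == "delete_key":
            notes.append(f"deletes whole key {op['key']}")
        elif op["kind"] == "set_value" and any(p in k for p in _PERSISTENCE):
            notes.append(f"writes autostart value {op['name']!r} under {op['key']}")
    return notes


def summarize(text):
    """Human-readable plan: the thing to read before double-clicking fix.reg."""
    ops = parse_reg(text)
    lines = []
    for op in ops:
        if op["kind"] == "create_key":
            lines.append(f"ensure key exists: {op['key']}")
        elif op["kind"] == "delete_key":
            lines.append(f"DELETE KEY:        {op['key']}")
        elif op["kind"] == "delete_value":
            lines.append(f"delete value:      {op['key']} -> {op['name']}")
        else:
            lines.append(f"set {op['type']}:    {op['key']} -> {op['name']} = {op['data']!r}")
    return lines + [f"review: {n}" for n in risk_notes(ops)]


if __name__ == "__main__":
    for text in (FIX_REG, SUSPECT_REG):
        print("\n".join(summarize(text)), end="\n\n")
```

Run against the posted fix.reg, summarize() reports one "ensure key exists" line and one "delete value" line and no review notes; the constructed sample produces a whole-key deletion and two writes under the Run key, which is exactly the kind of file you should not merge on a forum's say-so without reading it.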
Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 6:30 pm

OK, I did that; it completed successfully. What's next?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 6:31 pm

Please update your Java, I left instructions for that above.
[You must be registered and logged in to see this link.]



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 7:03 pm

JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Dec 01 13:01:14 2008

Found and removed: C:\Program Files\Java\jre1.6.0_06

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_06\

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 7:11 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click to clear the Turn off System Restore check box (this turns System Restore back on), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 7:12 pm

How can I get a list of Add/Remove Programs to post here? I want to remove anything that may be harmful to my computer. I know several people have posted their Add/Remove Programs list here.


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 7:14 pm


  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 7:14 pm

Does everything look good with the Java log?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 7:15 pm

Yeah, JavaRa just removes old versions of Java; nothing really to analyse.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 7:17 pm

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free 8.0
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
BlackBerry Device Software Updater
BlackBerry v4.2.1 for the 8100 Series Wireless Handheld
Bonjour
Broadcom 440x 10/100 Integrated Controller
C-Major Audio
Conexant D110 MDC V.92 Modem
CutePDF Writer 2.7
Dell Wireless WLAN Card
Encompass SmartClient
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 10
LimeWire 4.18.3
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Office XP Small Business
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
My Web Search (Smiley Central)
mZConfig
Pepsky Free CD Maker 3.5
QuickTime
Roxio Media Manager
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SmartClient Core
SmartClient Installation Manager
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Defender
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
X-Lite 3.0
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar


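An uninstall list like the one above can be checked mechanically against what earlier steps in the same thread already established: the ComboFix log near the top reported deleting c:\program files\FunWebProducts (with its CursorMania, MyFunCards, SmileyCentral and Webfetti button cache) and the MyWebSearchService service, yet "My Web Search (Smiley Central)" still has an Add/Remove entry, and the Java update instructions above say old "J2SE Runtime Environment" entries should be gone. The script below is an added example written for this page; it is not part of the thread and not HijackThis's own code. The listing it scans is a constructed excerpt of the posted list, and the watchlist is an assumed, deliberately short set of names taken from this thread, not a complete adware catalogue.

```python
import re
from collections import Counter

# Constructed excerpt of the uninstall_list.txt posted above (not the full list).
UNINSTALL_LIST = """\
Ad-Aware
AVG Free 8.0
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
HijackThis 2.0.2
Java(TM) 6 Update 10
LimeWire 4.18.3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
My Web Search (Smiley Central)
Security Update for Windows XP (KB958644)
Windows XP Service Pack 3
Yahoo! Toolbar
"""

# Names ComboFix reported deleting earlier in this thread (folder, service and
# the cached toolbar buttons); all belong to the same toolbar family.
REMOVED_BY_COMBOFIX = ["FunWebProducts", "MyWebSearchService", "Smiley Central",
                       "Cursor Mania", "MyFunCards", "Webfetti"]

# Assumed watchlist for illustration: (regex, category, why it matters).
WATCHLIST = [
    (r"my web search|fun ?web ?products|smiley central|cursor mania|webfetti|myfuncards",
     "adware-toolbar", "same family as the FunWebProducts files ComboFix removed"),
    (r"^(java 2 runtime environment|j2se runtime environment)",
     "outdated-runtime", "old Java runtime; the update steps in this thread say to remove these"),
    (r"^limewire", "p2p",
     "file-sharing client: a common route for infected downloads, not malware itself"),
]


def _normalize(name):
    """Lower-case alphanumerics only, so 'Smiley Central' matches 'SmileyCentral'."""
    return re.sub(r"[^a-z0-9]+", "", name.lower())


def triage(listing):
    """Return (findings, duplicates) for the body of a HijackThis uninstall list.

    findings: one dict per watchlisted entry, with "orphaned" set when the
    product's files were already removed but its Add/Remove entry survived.
    duplicates: entry names that appear more than once."""
    entries = [line.strip() for line in listing.splitlines() if line.strip()]
    removed = {_normalize(r) for r in REMOVED_BY_COMBOFIX}
    findings = []
    for entry in entries:
        for pattern, category, why in WATCHLIST:
            if re.search(pattern, entry, re.IGNORECASE):
                findings.append({
                    "entry": entry, "category": category, "why": why,
                    "orphaned": any(r in _normalize(entry) for r in removed),
                })
                break
    duplicates = sorted(e for e, c in Counter(entries).items() if c > 1)
    return findings, duplicates


def report(listing):
    """Flat, greppable lines: one per finding, one per duplicate."""
    findings, duplicates = triage(listing)
    lines = []
    for f in findings:
        tail = " (files already removed; uninstall entry is orphaned)" if f["orphaned"] else ""
        lines.append(f"[{f['category']}] {f['entry']}{tail}: {f['why']}")
    lines += [f"[duplicate] {d}" for d in duplicates]
    return lines


if __name__ == "__main__":
    print("\n".join(report(UNINSTALL_LIST)))
```

On the excerpt this flags "My Web Search (Smiley Central)" as an orphaned toolbar entry, lists LimeWire as a P2P client to be aware of rather than as malware, and notes the two duplicated entries (BlackBerry Desktop Software and .NET Framework 1.1), which is a data-quality observation, not a security one.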
Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 7:21 pm

Nothing harmful in the uninstall log.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 7:22 pm

OK, last but not least... can I delete everything that I was asked to download during the process of removing the virus?

*Also should I be worried about opening my bank account online and other sites that require passwords?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 7:25 pm

Yeah, you can delete everything we used.

And yes, the malware is gone, the machine is fine.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 7:27 pm

Thank you so much Belahzur!!!!!!!!!!! YOU'RE THE BEST!!!! I appreciate all your help and time!!!! You're a genius!!


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 7:40 pm

OK, one more thing. I just ran a final scan on my computer with AVG and under Found/Infection it's showing all these types of tracking cookies. What is that all about? Is it OK? What should I do?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 7:42 pm

Harmless.
Everyone's browser needs those cookies to function.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 7:43 pm

Thank you once again for all your help! Thank you!


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 8:48 pm

I'm back again with a question. I went to "How I got infected in the first place" on GeeksToGo, and it has the following listed.

2.) Go to IE > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed.
If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.


Do I need to install the SP2?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 1st December 2008, 8:50 pm

HijackThis says you already have SP3, so Windows Update shouldn't alert you about SP2, and that article needs updating.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 1st December 2008, 8:54 pm

Cool, thanks.


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 2nd December 2008, 12:55 am

Belahzur, I just received a "Threat detected" alert.

Threat detected!

File name: C:\System Volume Information\_restore{3C224264-C0A-418F-B117-81DFDEBFEF89}\RP221\A0111744.dll

Threat Name: Trojan horse Agent.ANI
detected on open

I was given the option to either HEAL, MOVE TO VAULT or IGNORE.

what should I do?


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 2nd December 2008, 12:57 am

System Restore, don't worry.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click to clear the Turn off System Restore check box (this turns System Restore back on), and then click OK.



Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 2nd December 2008, 1:03 am

Meanwhile, what do I do with the alert? I haven't clicked on anything such as Heal, Move to Vault or Ignore.

Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 2nd December 2008, 1:04 am

Move to vault, or ignore.
Either way, it's gonna get deleted when you turn system restore off.


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 2nd December 2008, 1:05 am

OK, I just completed your instructions to turn off and turn on System Restore.

Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 2nd December 2008, 1:06 am

Okay, all the old restore points are gone.


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 2nd December 2008, 1:07 am

Promise? Everything is OK now? No need to run some other tests or analyze anything else?

Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Belahzur on 2nd December 2008, 1:08 am

Trust me, it's clean.
System restore is no threat even if they are infected, as long as you don't use system restore.


Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by rortega03 on 2nd December 2008, 1:20 am

OK... thank you once again, you're the best. I don't know what I would have done without this website and you!!! Take care and don't work too hard.

Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by cljones517 on 2nd December 2008, 3:28 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:43 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Crystal Jones\Local Settings\Temporary Internet Files\Content.IE5\SELZYNKC\Hijack(GP)This[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Crystal Jones\nah_dkpi.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6567 bytes

Uninstall List
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Stock Photos 1.0
Airport Mania: First Flight
Apple Mobile Device Support
Apple Software Update
Azada : Ancient Magic
Big Fish Games Client
Bonjour
Broadcom 440x 10/100 Integrated Controller
Burger Shop
Camp Funshine: Carrie the Caregiver 3
Carrie the Caregiver
Conexant HDA D330 MDC V.92 Modem
Cooking Dash
Delicious Deluxe
Dell Resource CD
Dell Wireless WLAN Card
Diner Dash Flo on the Go
EPSON Printer Software
Fishdom
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
GoToAssist 8.0.0.480
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
iTunes
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Megaplex Madness: Now Playing
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mystery P.I. - The Lottery Ticket
NVIDIA Drivers
OpenOffice.org Installer 1.0
Paradise Pet Salon
Pet Shop Hop
QuickTime
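
The log above shows two patterns a helper looks for first: a core Windows binary name (svchost.exe) running from a directory other than system32, and an autorun entry pointing at an executable dropped directly in a user profile root (nah_Shell). The script below is an added example written for this thread, not part of HijackThis, ComboFix or the forum's own procedure: it parses the "Running processes" list and the O4 Run entries of a HijackThis log and flags those two patterns. The assumption that the listed core binaries live only in C:\WINDOWS\system32 is an XP-era rule of thumb; the excerpt it runs on is constructed from lines in the log above.

```python
"""Added example: triage checks over a HijackThis v2 log (not HijackThis's own code)."""
import re
from dataclasses import dataclass

# Core Windows binaries that, on Windows XP, legitimately live only in
# %SystemRoot%\system32. A file with one of these names anywhere else is a
# classic masquerade (assumption: default install location, no custom SystemRoot).
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe",
                   "services.exe", "smss.exe", "csrss.exe"}
EXPECTED_DIR = r"c:\windows\system32"

# O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def first_path(cmd: str) -> str:
    """Return the executable path from a Run command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)   # unquoted: cut at the first .exe
    return m.group(1) if m else cmd.split()[0]


def check_path(path: str):
    """Heuristics on a single executable path; returns a reason string or None."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    if name in SYSTEM_BINARIES and directory != EXPECTED_DIR:
        return f"{name} located in {directory!r}, expected {EXPECTED_DIR!r}"
    # An .exe sitting directly in C:\Documents and Settings\<user>\ (no deeper
    # folder) is unusual for legitimate software; heuristic, expect some noise.
    if "\\documents and settings\\" in p and directory.count("\\") == 2:
        return "executable directly in a user profile root"
    return None


def analyze(log_text: str):
    """Walk the log once; flag suspicious running processes and O4 Run entries."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            reason = check_path(line)
            if reason:
                findings.append(Finding(line, "process: " + reason))
            continue
        m = O4_RE.match(line)
        if m:
            reason = check_path(first_path(m.group("cmd")))
            if reason:
                findings.append(Finding(line, "autorun: " + reason))
            elif m.group("name").lower() in SYSTEM_BINARIES:
                findings.append(Finding(line, "autorun value named after a system binary"))
    return findings


# Constructed excerpt, assembled from lines of the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2 (constructed excerpt)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Crystal Jones\nah_dkpi.exe
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the constructed excerpt the script reports three findings: the svchost.exe process in the drivers directory, the HKCU Run value that launches it, and the nah_Shell entry in the profile root; the legitimate system32 copies and the vendor autoruns pass. The checks are deliberately narrow (known-name-in-wrong-place and profile-root executables) so that they stay explainable when you ask a user to act on them, which is the same reasoning the helpers in this thread apply by eye.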

Solved Re: I have been infected with the Spyware.ISpynow virus. PLEASE HELP ME :(

Post by Doctor Inferno on 9th December 2008, 2:35 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

