Spyware.Ispynow


Solved Spyware.Ispynow

Post by johnm on Tue 02 Dec 2008, 1:10 am

Having the same problem with the security alert pop-up: "Firewall has detected unauthorized activity, but cannot help to remove viruses, keyloggers and other spyware threats." It directs to a page selling virus removal.
PLEASE HELP


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:08 PM, on 12/1/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
C:\Program Files\earthlink totalaccess\TaskPanl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\drivers\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\john\Desktop\Hijack(GP)This.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{4427A92D-3B4C-4ECD-A716-7CDF0BFE08FC}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{4427A92D-3B4C-4ECD-A716-7CDF0BFE08FC}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9269 bytes



===========
uninstall list

1&1 EasyLogin
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.2
AppCore
AV
Canon iP1800 series
Canon iP1800 series User Registration
Canon My Printer
Canon Utilities Easy-LayoutPrint
Canon Utilities Easy-PhotoPrint
ccCommon
Crazy Browser version 2.0.1
DVD Play
EarthLink Software
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hardware Diagnostic Tools
HijackThis 2.0.2
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Total Care Advisor
HP Update
Lexmark X1100 Series
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Maxtor Backup
Maxtor OneTouch III
Meta Whiz 1.0
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Image Uploader
Microsoft Office Live Small Business Image Uploader
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.0
My HP Games
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
Nvu 1.0
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
Panda ActiveScan 2.0
Picasa 2
PIXMA Extended Survey Program
Python 2.4.3
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Rolling Stone - Cover to Cover
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Simple Search-Replace
Snapfish Media Detector
Soft Data Fax Modem with SmartCP
SonicStage 4.3
SPBBC 32bit
Symantec Technical Support Web Controls
Trellian SEO Toolkit v2.0
Trellian WebPage
Turbo Lister 2
Windows Live OneCare safety scanner
Wise-FTP
Yahoo! Toolbar for Internet Explorer
ZipCentral 4.01

johnm
Newbie Surfer
Posts: 12
Joined: 2008-12-02
Operating System: Vista Home Basic Version 6.0.6001 Service Pack 1 Build 6001

Solved Re: Spyware.Ispynow

Post by Belahzur on Tue 02 Dec 2008, 1:14 am

Hello.
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



If I have helped you, please consider donating to me.

Belahzur
Manager | Tech Officer
Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre

Solved Re: Spyware.Ispynow

Post by johnm on Tue 02 Dec 2008, 9:02 am

When I click on the link it has a page load error screen (it does that for all antivirus sites), and I tried to just type it into the address bar to bypass the link, but the same thing happens. Is there a way around it to get the program?
Also, I just started getting the pop-up "Windows host process (RUNDll32) stopped working".


Solved Re: Spyware.Ispynow

Post by Belahzur on Tue 02 Dec 2008, 10:05 am

Hmmm.
Let's try this.

Please download SilentRunners from here:
[You must be registered and logged in to see this link.]
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.



Solved Re: Spyware.Ispynow

Post by johnm on Tue 02 Dec 2008, 11:00 am

"Silent Runners.vbs", revision 58, [You must be registered and logged in to see this link.]
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"nah_Shell" = "C:\Users\john\nah_qrqd.exe" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"Wise-FTP Scheduler" = "C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe" ["AceBIT GmbH"]
"SVCHOST.EXE" = "C:\Windows\system32\drivers\svchost.exe" [null data]
"E6TaskPanel" = ""C:\Program Files\earthlink totalaccess\TaskPanl.exe" -winstart" ["EarthLink, Inc."]
"HPseti" = ""C:\Users\john\AppData\Roaming\Google\dvvm.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = "(empty string)" [file not found]
"Windows Defender" = "%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"SnapfishMediaDetector" = "C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe" [null data]
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"OsdMaestro" = ""C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"" ["OsdMaestro"]
"NvSvc" = "RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"mxomssmenu" = ""C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"" ["Maxtor Corp."]
"MaxtorOneTouch" = "C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" ["Maxtor Corporation"]
"lxbkbmgr.exe" = ""C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]
"hpsysdrv" = "c:\hp\support\hpsysdrv.exe" ["Hewlett-Packard Company"]
"hpqSRMon" = "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" ["Hewlett-Packard"]
"HP Software Update" = "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"DPService" = ""C:\Program Files\HP\DVDPlay\DPService.exe"" ["CyberLink Corp."]
"ccApp" = ""c:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"CanonMyPrinter" = "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon" ["CANON INC."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Launcher" = "C:\Windows\SMINST\launcher.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll" ["Symantec Corporation"]


Solved Re: Spyware.Ispynow

Post by Belahzur on Tue 02 Dec 2008, 3:49 pm


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "nah_Shell"=-
    "SVCHOST.EXE"=-
    "HPseti"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.




1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\Users\john\nah_qrqd.exe
C:\Users\john\AppData\Roaming\Google\dvvm.exe
C:\WINDOWS\system32\drivers\svchost.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.


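The Silent Runners output johnm posted and the fix.reg Belahzur built from it are a manual version of a triage step that can be scripted. The block below is an added example, not tooling from this forum or from the Silent Runners/HijackThis authors: it parses the HKCU Run lines from the log above (and HijackThis O4 lines, the other format in this thread), applies three heuristics that are my own choice (a core Windows binary name such as svchost.exe started from a Run key, an executable living in the user profile or AppData, and a missing company name in the version resource for a file outside Program Files/Windows), and emits a fix.reg in the same "name"=- deletion layout Belahzur used. The sample lines are constructed from the log in this thread; the heuristics, function names and trusted-root list are assumptions of mine.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# hive: HKCU / HKLM / HKUS\S-...; key: Run or RunOnce;
# signer: the bracketed company tag Silent Runners prints, None for HijackThis lines.
Autorun = namedtuple("Autorun", "hive key name command signer")

# Constructed from the HKCU\...\Run block of the Silent Runners log posted above.
SILENT_RUNNERS_RUN = r'''
"nah_Shell" = "C:\Users\john\nah_qrqd.exe" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"Wise-FTP Scheduler" = "C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe" ["AceBIT GmbH"]
"SVCHOST.EXE" = "C:\Windows\system32\drivers\svchost.exe" [null data]
"E6TaskPanel" = ""C:\Program Files\earthlink totalaccess\TaskPanl.exe" -winstart" ["EarthLink, Inc."]
"HPseti" = ""C:\Users\john\AppData\Roaming\Google\dvvm.exe"" [null data]
'''

SR_LINE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<cmd>.*)" \[(?P<signer>[^\]]*)\]$')
HJT_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>Run(?:Once)?): "
                    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")

def parse_silent_runners_run(text, hive="HKCU", key="Run"):
    """Lines under one 'HKxx\\...\\Run\\' heading of a Silent Runners log."""
    found = (SR_LINE.match(line.strip()) for line in text.splitlines())
    return [Autorun(hive, key, m["name"], m["cmd"], m["signer"]) for m in found if m]

def parse_hjt_o4(text):
    """HijackThis 'O4 - HKxx\\..\\Run: [name] command' lines."""
    found = (HJT_O4.match(line.strip()) for line in text.splitlines())
    return [Autorun(m["hive"], m["key"], m["name"], m["cmd"], None) for m in found if m]

def image_path(command):
    """Executable a Run value starts: the quoted first token, else everything up to the first .exe."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

# Core Windows process names; none of them is ever started from a Run key.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files", "%programfiles%", "%windir%")

def suspicious_reasons(entry):
    """Heuristics of my own choosing; each reason is a sentence a reviewer can check."""
    path = PureWindowsPath(image_path(entry.command))
    low = str(path).lower()
    reasons = []
    if path.name.lower() in SYSTEM_NAMES:
        reason = "core system binary name started from a Run key"
        if str(path.parent).lower() != "c:\\windows\\system32":
            reason += f"; it lives in {path.parent}, not %SystemRoot%\\system32"
        reasons.append(reason)
    if "\\appdata\\" in low or re.match(r"c:\\users\\[^\\]+\\[^\\]+$", low):
        reasons.append("executable runs from the user profile / AppData, not Program Files")
    if entry.signer == "null data" and not low.startswith(TRUSTED_ROOTS):
        reasons.append("no company name in the version resource")
    return reasons

def triage(entries):
    """[(entry, reasons)] for every entry at least one heuristic flags."""
    pairs = ((e, suspicious_reasons(e)) for e in entries)
    return [(e, r) for e, r in pairs if r]

def reg_root(hive):
    if hive.startswith("HKUS\\"):
        return "HKEY_USERS\\" + hive[5:]
    return {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}[hive]

def build_fix_reg(entries):
    """A .reg file in the format posted above; "name"=- deletes that value on merge."""
    by_key = {}
    for e in entries:
        by_key.setdefault((e.hive, e.key), []).append(e.name)
    lines = ["Windows Registry Editor Version 5.00"]
    for (hive, key), names in by_key.items():
        lines += ["", f"[{reg_root(hive)}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}]"]
        lines += [f'"{name}"=-' for name in names]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    flagged = triage(parse_silent_runners_run(SILENT_RUNNERS_RUN))
    for entry, reasons in flagged:
        print(f"{entry.hive}\\..\\{entry.key}: [{entry.name}] {entry.command}")
        for reason in reasons:
            print("    -", reason)
    print()
    print(build_fix_reg([entry for entry, _ in flagged]), end="")
```

Run against the constructed lines it flags exactly the three values in Belahzur's fix.reg, with a reason beside each. Two caveats a practitioner wants: the [MS] tag Silent Runners prints beside nah_qrqd.exe comes from the file's own version resource, which any binary can claim, so a company tag on its own clears nothing; and deleting a Run value removes persistence but does not stop a still-running component from writing it back, which is why the fresh HijackThis log later in this thread still lists HPseti after the .reg merge.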

Solved Re: Spyware.Ispynow

Post by johnm on Wed 03 Dec 2008, 12:08 am

I created the fix.reg file, ran it, and received from the registry editor: "the keys and values contained in /fix.reg have been added to the registry".

Unable to download The Avenger by Swandog46; still getting the page load error screen "This program cannot display the webpage".
That seems to go for most antivirus sites (symantec.com, etc.).
When I downloaded HijackThis I needed to use the backup link.


Solved Re: Spyware.Ispynow

Post by Belahzur on Wed 03 Dec 2008, 12:14 am

Hello.
Mirror site:
[You must be registered and logged in to see this link.]
Download from there and follow instructions.



Solved Re: Spyware.Ispynow

Post by johnm on Wed 03 Dec 2008, 1:45 am

Hello,

Ran Avenger program and fresh HJT log.
Thanks for all your help with this monster.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSnbcb.sys
Start Type: 1 (System)

Rootkit scan completed.

File "C:\Users\john\nah_qrqd.exe" deleted successfully.
File "C:\Users\john\AppData\Roaming\Google\dvvm.exe" deleted successfully.
File "C:\WINDOWS\system32\drivers\svchost.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:58 PM, on 12/2/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
C:\Program Files\earthlink totalaccess\TaskPanl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Users\john\Desktop\Hijack(GP)This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe
O4 - HKCU\..\Run: [HPseti] "C:\Users\john\AppData\Roaming\Google\dvvm.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\earthlink totalaccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{4427A92D-3B4C-4ECD-A716-7CDF0BFE08FC}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{4427A92D-3B4C-4ECD-A716-7CDF0BFE08FC}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9710 bytes

johnm

Newbie Surfer
Newbie Surfer

Posts: 12
Joined: 2008-12-02
Operating System: Vista Home Basic Version 6.0.6001 Service Pack 1 Build 6001


Solved Re: Spyware.Ispynow

Post by Belahzur on Wed 03 Dec 2008, 1:48 am

Let's see if we can take it down now.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [HPseti] "C:\Users\john\AppData\Roaming\Google\dvvm.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


  • Press "Fix Checked"
  • Close HijackThis.

===

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
TDSSserv.sys

Drivers to delete:
TDSSserv.sys

Files to delete:
C:\windows\system32\drivers\TDSSnbcb.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



If I have helped you, please consider donating to me.

Belahzur

Manager | Tech Officer

Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre


Solved Re: Spyware.Ispynow

Post by johnm on Wed 03 Dec 2008, 2:18 am

I think that ugly popup's gone.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSnbcb.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\windows\system32\drivers\TDSSnbcb.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

johnm

Newbie Surfer

Posts: 12
Joined: 2008-12-02
Operating System: Vista Home Basic Version 6.0.6001 Service Pack 1 Build 6001


Solved Re: Spyware.Ispynow

Post by Belahzur on Wed 03 Dec 2008, 2:20 am

Hello.
The rootkit is gone now, you should be able to access combofix.

[You must be registered and logged in to see this link.]



Belahzur

Manager | Tech Officer

Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre


Solved Re: Spyware.Ispynow

Post by johnm on Wed 03 Dec 2008, 3:06 am

Hello,
I need to send the combofix in 2 parts

ComboFix 08-12-01.03 - john 2008-12-02 21:37:31.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1301 [GMT -5:00]
Running from: c:\users\john\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\john\AppData\Local\Microsoft\Windows\Temporary Internet Files\temp.dmf
c:\users\john\nah_log.dat
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\DelSelf.bat
c:\windows\system32\digeste.dll
c:\windows\system32\paso.el
c:\windows\system32\TDSScrrx.dll
c:\windows\system32\TDSSntlv.dll
c:\windows\system32\TDSSrfpp.dll
c:\windows\system32\TDSSsbxq.log
c:\windows\system32\TDSStmei.dll
c:\windows\system32\TDSSwqsc.dat
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\Sysvxd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-01 04:30 . 2008-12-01 04:32 d-------- c:\users\All Users\Lavasoft
2008-12-01 04:30 . 2008-12-01 04:32 d-------- c:\programdata\Lavasoft
2008-12-01 04:30 . 2008-12-01 04:30 d-------- c:\program files\Lavasoft
2008-12-01 04:29 . 2008-12-01 04:29 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-01 00:36 . 2008-12-01 00:36 d-------- c:\program files\Panda Security
2008-12-01 00:36 . 2008-06-19 17:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2008-11-30 06:33 . 2008-12-02 20:41 2,274 --a------ c:\windows\System32\TDSSfopt.dll
2008-11-27 14:33 . 2008-08-27 22:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-27 14:33 . 2008-08-27 22:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-27 14:33 . 2008-08-27 22:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-27 14:33 . 2008-10-21 22:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-27 14:32 . 2008-10-21 00:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-27 12:39 . 2008-11-27 12:39 d-------- c:\users\All Users\CanonIJPLM
2008-11-27 12:39 . 2008-11-27 12:39 d-------- c:\programdata\CanonIJPLM
2008-11-27 12:33 . 2008-11-27 12:33 d--h----- c:\users\All Users\CanonBJ
2008-11-27 12:33 . 2008-11-27 12:33 d--h----- c:\programdata\CanonBJ
2008-11-27 12:32 . 2008-11-27 12:32 d--h----- c:\windows\System32\CanonIJ Uninstaller Information
2008-11-27 12:30 . 2008-11-27 12:30 d--h----- c:\program files\CanonBJ
2008-11-27 12:30 . 2008-11-27 12:39 d-------- c:\program files\Canon
2008-11-27 04:24 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-27 04:24 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-27 04:24 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-27 04:24 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-27 04:23 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-27 04:23 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-27 04:23 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-27 04:22 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-27 04:22 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-26 19:17 . 2008-11-30 19:28 d-------- c:\program files\Windows Live Safety Center
2008-11-23 05:49 . 2008-11-23 05:49 25,887 --a------ c:\windows\System32\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
2008-11-23 05:49 . 2008-11-23 05:49 19,775 --a------ c:\windows\System32\f04d289f-c60a-422b-8396-6c372047042e.cab
2008-11-23 05:17 . 2008-11-23 05:17 dr------- c:\users\john\Searches
2008-11-23 05:07 . 2008-11-25 03:08 d-------- C:\MGADiagToolOutput
2008-11-23 05:05 . 2008-11-23 05:05 d-------- c:\users\All Users\Office Genuine Advantage
2008-11-23 05:05 . 2008-11-23 05:05 d-------- c:\programdata\Office Genuine Advantage
2008-11-23 04:02 . 2008-11-23 04:02 d-------- c:\users\All Users\Windows Genuine Advantage
2008-11-20 01:10 . 2008-11-20 01:10 d-------- c:\users\john\Documents
2008-11-19 04:18 . 2008-11-19 04:18 0 --a------ c:\windows\ynh.dx
2008-11-15 14:49 . 2008-11-23 04:22 d-------- c:\program files\Flipz4Flash
2008-11-12 04:49 . 2008-09-09 22:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-12 04:48 . 2008-08-26 20:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-12 04:47 . 2008-09-05 00:14 1,191,936 --a------ c:\windows\System32\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 01:34 --------- d-----w c:\program files\ZipCentral
2008-11-30 11:37 --------- d-----w c:\users\john\AppData\Roaming\Hewlett-Packard
2008-11-30 11:37 --------- d-----w c:\users\john\AppData\Roaming\EbkReader
2008-11-30 11:37 --------- d-----w c:\users\john\AppData\Roaming\Earthlink
2008-11-30 11:37 --------- d-----w c:\users\john\AppData\Roaming\Downloaded Installations
2008-11-30 11:37 --------- d-----w c:\users\john\AppData\Roaming\CyberLink
2008-11-29 14:44 --------- d-----w c:\program files\Google
2008-11-27 11:49 --------- d-----w c:\users\john\AppData\Roaming\uTorrent
2008-11-26 08:53 --------- d-----w c:\program files\Windows Mail
2008-11-26 08:53 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 23:02 --------- d-----w c:\program files\Directory Buzz
2008-11-23 17:02 --------- d-----w c:\program files\Norton Internet Security
2008-11-23 16:58 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-11-23 16:58 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-23 16:58 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-23 16:58 --------- d-----w c:\program files\Symantec
2008-11-22 18:38 737,280 ----a-w c:\windows\iun6002.exe
2008-10-11 01:45 --------- d-----w c:\program files\Directory Buzz2
2008-10-05 14:45 --------- d-----w c:\program files\earthlink totalaccess
2008-10-03 19:14 39,984 ----a-w c:\windows\system32\drivers\symids.sys
2008-10-03 19:14 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
2008-10-03 19:14 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
2008-10-03 19:14 187,952 ----a-w c:\windows\system32\drivers\symtdi.sys
2008-10-03 19:14 146,096 ----a-w c:\windows\system32\drivers\symfw.sys
2008-10-03 19:14 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
2008-10-03 19:14 10,804 ----a-w c:\windows\system32\drivers\SymRedir.cat
2008-10-03 19:14 1,358 ----a-w c:\windows\system32\drivers\SymRedir.inf
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-07-03 22:38 174 --sha-w c:\program files\desktop.ini
2008-04-07 22:15 514 ----a-w c:\users\john\AppData\Roaming\wklnhst.dat
.

johnm

Newbie Surfer

Posts: 12
Joined: 2008-12-02
Operating System: Vista Home Basic Version 6.0.6001 Service Pack 1 Build 6001


Solved Re: Spyware.Ispynow

Post by johnm on Wed 03 Dec 2008, 3:07 am

part 2


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Wise-FTP Scheduler"="c:\program files\AceBIT\WISE-FTP\WF_Scheduler.exe" [2003-08-29 1246720]
"E6TaskPanel"="c:\program files\earthlink totalaccess\TaskPanl.exe" [2006-08-30 952088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-23 185896]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-06 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-06 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-06 8466432]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 712704]
"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-01-25 74672]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-02-13 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

c:\users\john\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, msansspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{393AC102-C8B4-464D-82A7-D52ECDBFB020}"= c:\program files\HP\DVDPlay\DVDPlay.exe:DVD Play
"{34E9B1EE-BA15-4415-8429-2013856E6C86}"= c:\program files\HP\DVDPlay\DPService.exe:DVD Play Resident Program
"{A2BA7BB0-0A5D-4AD1-A567-9CDB56C66DA4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B7CFD448-8992-4C98-A715-056437C829ED}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{883B765C-92CD-4879-8402-E0FC1F059436}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4FA0E868-3BCF-4380-A754-A522F3EC9FE5}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B1A873B2-04D8-4433-9227-4B0E81AA9A49}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3B844328-D30C-4F0D-B0E2-4A50DC50570D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8C61405D-C85F-4BBE-A6A5-5A1BD6819583}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4378B205-0E33-461A-B353-842AAF0C3B03}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7C5897EC-486D-4495-ACFC-36ED124028A2}"= UDP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
"{4EC2DDF9-2F89-4D8E-8743-05EC1D7E8E51}"= TCP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
"{5F9FF86E-AB92-4E0A-A236-DF4567E16BB1}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"{9E4DAFD2-CAE2-45E2-983F-B5F63B4C5192}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"{CBB4C67A-003A-456B-91B6-C5FAD6BC56BE}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{937A54E9-5172-47F9-8DB2-94E3417C91B5}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{086D8BF5-C370-44CF-944D-FF5005DD0E76}"= UDP:8097:EarthLink UHP Modem Support
"{F382520D-A6A2-459D-82E8-96DB16BDBA0D}"= UDP:8097:EarthLink UHP Modem Support
"{3ECA3EF0-C387-43D1-8E96-E101504764D9}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{A10C5D12-65FE-46C3-B03F-C1B03B761554}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{0A90CAD5-5511-43B3-9480-55EE36A55208}"= UDP:c:\windows\explorer.exe:Windows Explorer
"{472C90F9-B81F-43A8-B06F-87FD639D32FA}"= TCP:c:\windows\explorer.exe:Windows Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-01 28544]
R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20071220.001\IDSvix86.sys [2007-12-31 180272]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-11-03 112688]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-10-03 37936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - john.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-13 20:09]

2008-12-02 c:\windows\Tasks\User_Feed_Synchronization-{B6B33A22-9B8E-4651-87A4-EF9FFF42C9D0}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HPseti - c:\users\john\AppData\Roaming\Google\dvvm.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\john\AppData\Roaming\Mozilla\Firefox\Profiles\17trz7bn.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-02 21:49:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2316)
c:\windows\system32\we.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Lexmark X1100 Series\LXBKbmon.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Canon\IJPLM\ijplmsvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\lxbkcoms.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-02 21:55:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-03 02:54:55

Pre-Run: 61,183,066,112 bytes free
Post-Run: 62,535,438,336 bytes free

259 --- E O F --- 2008-11-29 12:13:09

johnm

Newbie Surfer

Posts: 12
Joined: 2008-12-02
Operating System: Vista Home Basic Version 6.0.6001 Service Pack 1 Build 6001


Solved Re: Spyware.Ispynow

Post by Belahzur on Wed 03 Dec 2008, 12:33 pm

Hello.
Just a leftover to get.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\System32\TDSSfopt.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000000
"InternetSettingsDisableNotify"=dword:00000000
"AutoUpdateDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll,msansspc.dll,digeste.dll"

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.



Belahzur

Manager | Tech Officer

Posts: 34919
Joined: 2008-08-03
Operating System: XP SP3 Media Centre

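Both of Belahzur's fixes above, the HijackThis O4 entry pointing into the user's AppData folder and the CFScript that turns the firewall and Security Center alerts back on and rewrites the SecurityProviders list, come down to reading the registry loading points ComboFix printed and spotting values that should not be there. The following Python audit is an added example, not code from the thread or from HijackThis, The Avenger or ComboFix. It parses a constructed, abridged copy of the "Reg Loading Points" dump johnm posted (the HPseti line is rebuilt from the HijackThis O4 entry with a placeholder date/size stamp) and a second constructed dump representing a clean machine. It assumes a stock Vista install lists only credssp.dll under SecurityProviders; the `EXPECTED_SSPS` set is the place to adjust that for other Windows versions.

```python
"""Audit a ComboFix-style "Reg Loading Points" dump for the tampering this
thread shows: an autorun in the user profile, UAC and Security Center alerts
switched off, the firewall disabled per profile, and DLLs that do not belong
in the SSP (SecurityProviders) list. Added example, not code from the thread
or from HijackThis/ComboFix; both dumps below are constructed."""
import re

# Constructed from values quoted in the thread; the HPseti stamp is a placeholder.
SAMPLE_DUMP = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"HPseti"="c:\users\john\AppData\Roaming\Google\dvvm.exe" [0000-00-00 0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, msansspc.dll, digeste.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed: what the same keys are assumed to look like on a clean Vista box.
CLEAN_DUMP = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
EXPECTED_SSPS = {"credssp.dll"}  # assumption: stock Vista ships only credssp.dll here


def parse_dump(text):
    """Map each [key] (lower-cased) to {value name: raw right-hand side}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).strip()
        elif line.lower().startswith("securityproviders "):
            # ComboFix prints this REG_SZ bare: "SecurityProviders a.dll, b.dll"
            keys[current]["SecurityProviders"] = line.split(None, 1)[1]
    return keys


def dword_value(raw):
    """Accept both spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)", raw, re.I)
    return int(m.group(1)) if m else None


def audit(keys):
    """Return (finding kind, detail) pairs; an empty list means nothing flagged."""
    findings = []
    for key, values in keys.items():
        if key.endswith(r"\currentversion\run"):
            for name, raw in values.items():
                m = re.match(r'^"([^"]+)"', raw)  # strip the [date size] suffix
                path = m.group(1) if m else raw
                # Autoruns living under a user profile are a classic dropper location
                if re.search(r"\\appdata\\|\\temp\\", path, re.I):
                    findings.append(("autorun-in-profile", f"{name} -> {path}"))
        elif key.endswith(r"\policies\system"):
            if dword_value(values.get("EnableLUA", "")) == 0:
                findings.append(("uac-disabled", "EnableLUA=0"))
        elif key.endswith(r"\security center"):
            for name, raw in values.items():
                if name.endswith("DisableNotify") and dword_value(raw) == 1:
                    findings.append(("security-center-silenced", name))
        elif key.endswith(r"\control\securityproviders"):
            raw = values.get("SecurityProviders", "").strip('"')
            for dll in (d.strip().lower() for d in raw.split(",") if d.strip()):
                if dll not in EXPECTED_SSPS:
                    findings.append(("unexpected-ssp", dll))
        elif "\\firewallpolicy\\" in key and key.endswith("profile"):
            if dword_value(values.get("EnableFirewall", "")) == 0:
                findings.append(("firewall-disabled", key.rsplit("\\", 1)[1]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{kind:26} {detail}")
```

Run stand-alone it prints one line per finding for the infected dump (the AppData autorun, EnableLUA=0, the two extra SSP DLLs, the silenced alerts and the two disabled firewall profiles) and nothing for the clean one. The SSP check is the one worth keeping around: an entry added to SecurityProviders is loaded by lsass.exe at boot, which is why a rootkit favours it and why the list is worth comparing against a known-good baseline after any cleanup.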
