ISpynow Infection


Solved ISpynow Infection

Post by Ryouta on 2nd December 2008, 5:49 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:43 AM, on 12/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7317 bytes

I kept getting a warning in my firewall mentioning Ispynow and taking me to a website.
My computer also boots up much slower than usual now. It takes like 20 mins to load my icons and junk. I did some virus scans and I think I got rid of the firewall warnings. Any help to get my PC back up to speed?

Ryouta
Novice
Posts : 7
Joined : 2008-12-02
OS : Microsoft Windows XP Professional Service Pack 3
Points : 29300
Likes : 0

Solved Re: ISpynow Infection

Post by Belahzur on 2nd December 2008, 9:57 am

Hello.
Nothing harmful showing in the log.

  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1

Solved Re: ISpynow Infection

Post by Ryouta on 2nd December 2008, 10:49 pm

ComboFix 08-12-01.03 - Administrator 2008-12-02 14:50:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.589 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSosvd.dat

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-02 00:20 . 2008-12-02 00:20 d-------- c:\program files\Bazooka Scanner
2008-12-02 00:11 . 2001-08-17 12:12 117,760 --a------ c:\windows\system32\drivers\e100b325.sys
2008-12-02 00:11 . 2001-08-17 12:12 117,760 --a--c--- c:\windows\system32\dllcache\e100b325.sys
2008-12-01 21:40 . 2008-12-01 21:41 d-------- c:\program files\Spybot - Search & Destroy
2008-12-01 21:40 . 2008-12-01 23:42 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 21:18 . 2008-12-01 21:20 d-------- c:\program files\Spyware Doctor
2008-12-01 21:18 . 2008-12-01 21:38 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 21:18 . 2008-12-01 21:18 d-------- c:\documents and settings\Administrator\Application Data\PC Tools
2008-12-01 21:18 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-01 21:18 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-01 21:18 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-01 21:18 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-01 18:04 . 2008-12-01 18:04 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 18:04 . 2008-12-01 18:04 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 18:04 . 2008-12-01 18:04 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-01 18:04 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 18:04 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 16:37 . 2008-12-01 16:37 d-------- c:\program files\SUPERAntiSpyware
2008-12-01 16:37 . 2008-12-01 16:37 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-01 16:37 . 2008-12-01 16:37 d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-01 04:07 . 2008-12-01 16:45 1,113 --a------ C:\rollback.ini
2008-12-01 00:29 . 2008-12-01 00:29 d-------- c:\documents and settings\Administrator\Application Data\MailFrontier
2008-12-01 00:26 . 2008-12-01 06:22 6,763,040 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-01 00:26 . 2008-12-01 06:22 92,696 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-30 23:13 . 2008-11-30 23:14 d-------- c:\program files\AskBarDis
2008-11-30 23:12 . 2008-12-01 14:59 d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-11-30 23:12 . 2008-11-13 15:18 73,104 --a------ c:\windows\zllsputility.exe
2008-11-30 23:12 . 2008-12-01 14:58 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-11-30 23:11 . 2008-12-01 04:07 d-------- c:\windows\system32\ZoneLabs
2008-11-30 23:11 . 2008-11-30 23:11 d-------- c:\program files\Zone Labs
2008-11-30 23:11 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-30 23:11 . 2008-12-02 14:54 348,389 --a------ c:\windows\system32\vsconfig.xml
2008-11-30 23:09 . 2008-12-02 00:15 d-------- c:\windows\Internet Logs
2008-11-30 22:30 . 2008-11-30 22:30 d-------- c:\program files\uTorrent
2008-11-30 22:30 . 2008-12-01 23:42 d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-29 22:27 . 2008-11-29 22:27 d-------- c:\program files\WiFiConnector
2008-11-29 19:31 . 2008-11-29 19:31 d-------- c:\program files\Panasonic
2008-11-29 19:31 . 2006-02-27 11:45 36,864 --a------ c:\windows\system32\SDDEVMGR.dll
2008-11-27 17:44 . 2008-11-30 14:09 363 --a------ c:\windows\kaillera.ini
2008-11-21 23:24 . 2008-11-21 23:24 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-11-21 23:24 . 2008-11-21 23:24 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-11-21 23:22 . 2008-11-21 23:22 d----c--- c:\windows\system32\DRVSTORE
2008-11-21 23:22 . 2008-11-21 23:22 d-------- c:\program files\Microsoft Xbox 360 Accessories
2008-11-21 23:22 . 2007-02-26 18:15 1,421,216 --a------ c:\windows\system32\WdfCoInstaller01001.dll
2008-11-21 23:22 . 2007-02-26 18:15 61,984 --a------ c:\windows\system32\drivers\xusb21.sys
2008-11-21 22:48 . 2008-11-21 22:48 d-------- c:\documents and settings\Administrator\Application Data\Damdai
2008-11-12 20:35 . 2008-04-13 14:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-12 14:46 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 14:46 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-05 15:34 . 2008-11-05 15:34 d-------- c:\program files\Veoh Networks
2008-11-05 15:05 . 2008-11-05 15:05 d-------- c:\program files\E.M. PowerPoint Video Converter
2008-11-03 15:56 . 2008-11-04 21:25 d-------- c:\program files\Total Video Converter
2008-11-03 15:56 . 2000-05-22 22:58 608,448 --a------ c:\windows\system32\comctl32.ocx
2008-11-02 00:24 . 2008-12-02 14:50 d-------- C:\QUARANTINE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 21:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-30 00:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 00:31 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-13 03:35 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-13 03:27 --------- d-----w c:\program files\LimeWire
2008-11-12 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-29 22:46 --------- d-----w c:\program files\Java
2008-10-29 22:28 --------- d-----w c:\program files\Audacity
2008-10-29 01:34 --------- d-----w c:\program files\MSBuild
2008-10-29 01:33 --------- d-----w c:\program files\Reference Assemblies
2008-10-29 01:26 --------- d-----w c:\program files\alaplaya
2008-10-29 00:42 --------- d-----w c:\program files\CyberLink
2008-10-29 00:41 --------- d-----w c:\program files\Common Files\Ahead
2008-10-25 02:27 --------- d-----w c:\program files\Sierra On-Line
2008-10-25 02:22 --------- d-----w c:\program files\WON
2008-10-25 02:19 --------- d-----w c:\program files\Common Files\LightScribe
2008-10-25 02:17 --------- d-----w c:\documents and settings\Administrator\Application Data\Ahead
2008-10-25 02:13 --------- d-----w c:\program files\Nero
2008-10-25 01:52 --------- d-----w c:\program files\Microsoft Works
2008-10-25 01:31 --------- d-----w c:\program files\Common Files\Adobe
2008-10-25 01:26 --------- d-----w c:\program files\Lavasoft
2008-10-25 01:26 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-25 01:21 --------- d-----w c:\program files\McAfee
2008-10-25 01:21 --------- d-----w c:\program files\Common Files\Cisco Systems
2008-10-25 01:21 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-25 01:20 --------- d-----w c:\program files\Common Files\McAfee
2008-10-25 01:06 --------- d-----w c:\program files\microsoft frontpage
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

2004-08-04 07:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-30 22:05 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-10-09 3502840]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-29 136600]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2008-11-29 1073152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\T9V82KWT.EA6\\RT6EWYD4.2OM\\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\\2DF FreePlay Client.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28008:TCP"= 28008:TCP:S4 league 1
"28012:TCP"= 28012:TCP:S4 League 2
"28013:TCP"= 28013:TCP:S4 League 3

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bgfomptb.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF -: plugin - c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-02 14:54:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-12-02 14:56:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 19:56:32

Pre-Run: 23,195,394,048 bytes free
Post-Run: 23,276,613,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

196 --- E O F --- 2008-11-25 20:42:42

Ryouta
Novice
Posts : 7
Joined : 2008-12-02
OS : Microsoft Windows XP Professional Service Pack 3
Points : 29300
Likes : 0

Solved Re: ISpynow Infection

Post by Belahzur on 2nd December 2008, 11:10 pm

Hello.
Just a leftover to remove.

Now open a new Notepad file.
Input this into the Notepad file:

Folder::
c:\program files\AskBarDis

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

EDIT
I need you to scan this file.
Upload this file in bold:
c:\windows\system32\drivers\e100b325.sys
To here for a scan:
[You must be registered and logged in to see this link.]
Copy and paste the results back here.




Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1
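As an added example (not from this thread, and not code from ComboFix or HijackThis), the following Python parses a few O2/O3/O4/O23 lines copied from the HijackThis log at the top of the thread together with the CFScript in the post above, and reports which autostart entries loading from the Folder:: target are named by CLSID in the Registry:: block and which (here, the O23 service entry) the script does not name and so should be re-checked in the post-run log. The line shapes handled, the sample lines and the CFScript text are all assumptions taken from this page only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: five lines copied from the HijackThis log posted at the top
# of this thread (the rest of that log is omitted to keep the example short).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
"""

# The CFScript from the post above, used as the input whose coverage is checked.
SAMPLE_CFSCRIPT = r"""
Folder::
c:\program files\AskBarDis

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
"""


@dataclass
class HjtEntry:
    section: str          # HijackThis section code: O2, O3, O4, O23, ...
    name: str             # display name of the BHO / toolbar / Run value / service
    clsid: Optional[str]  # lower-cased {GUID} for COM-registered items, else None
    path: Optional[str]   # lower-cased path of the file the entry loads


# One pattern per line shape handled here; lines of other sections are skipped.
COM_RE = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r'^(O4) - .*?: \[(.*?)\] (?:"([^"]+)"|(\S+))')
SVC_RE = re.compile(r"^(O23) - Service: (.*?) - .*? - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(log: str) -> List[HjtEntry]:
    """Turn the O2/O3/O4/O23 lines of a HijackThis log into structured entries."""
    entries: List[HjtEntry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = COM_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), m.group(3).lower(), m.group(4).lower()))
            continue
        m = RUN_RE.match(line)
        if m:
            # Run values may be quoted (with arguments after the quote) or bare.
            entries.append(HjtEntry(m.group(1), m.group(2), None, (m.group(3) or m.group(4)).lower()))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), None, m.group(3).lower()))
    return entries


def parse_cfscript(script: str) -> Dict[str, List[str]]:
    """Split a CFScript into its directive blocks, e.g. {"Folder": [...], "Registry": [...]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # a "Folder::" / "Registry::" header opens a block
            current = line[:-2]
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def entries_under(entries: List[HjtEntry], folder: str) -> List[HjtEntry]:
    """Entries whose loaded file lives inside `folder` (case-insensitive prefix match)."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.path is not None and e.path.startswith(prefix)]


def check_coverage(entries: List[HjtEntry], script: str) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """Split the entries loading from a Folder:: target into those whose CLSID the
    Registry:: block names (covered) and those it does not (left for manual review)."""
    blocks = parse_cfscript(script)
    reg_guids = {g.lower() for line in blocks.get("Registry", []) for g in GUID_RE.findall(line)}
    covered: List[HjtEntry] = []
    uncovered: List[HjtEntry] = []
    for folder in blocks.get("Folder", []):
        for e in entries_under(entries, folder):
            (covered if e.clsid in reg_guids else uncovered).append(e)
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = check_coverage(parse_hjt(SAMPLE_HJT_LOG), SAMPLE_CFSCRIPT)
    for e in covered:
        print(f"covered  {e.section:<4} {e.name} {e.clsid}")
    for e in uncovered:
        print(f"review   {e.section:<4} {e.name} -> {e.path}")
```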

Solved Re: ISpynow Infection

Post by Ryouta on 2nd December 2008, 11:54 pm

Scan taken on 02 Dec 2008 23:50:26 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

ComboFix 08-12-01.03 - Administrator 2008-12-02 19:02:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.596 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\AskService.exe
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\bar\Settings\prevCfg2.htm
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe
c:\program files\AskBarDis\zonealarm.ico

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-02 00:20 . 2008-12-02 00:20 d-------- c:\program files\Bazooka Scanner
2008-12-02 00:11 . 2001-08-17 12:12 117,760 --a------ c:\windows\system32\drivers\e100b325.sys
2008-12-02 00:11 . 2001-08-17 12:12 117,760 --a--c--- c:\windows\system32\dllcache\e100b325.sys
2008-12-01 21:40 . 2008-12-01 21:41 d-------- c:\program files\Spybot - Search & Destroy
2008-12-01 21:40 . 2008-12-01 23:42 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 21:18 . 2008-12-01 21:20 d-------- c:\program files\Spyware Doctor
2008-12-01 21:18 . 2008-12-01 21:38 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 21:18 . 2008-12-01 21:18 d-------- c:\documents and settings\Administrator\Application Data\PC Tools
2008-12-01 21:18 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-01 21:18 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-01 21:18 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-01 21:18 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-01 18:04 . 2008-12-01 18:04 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 18:04 . 2008-12-01 18:04 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 18:04 . 2008-12-01 18:04 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-01 18:04 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 18:04 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 16:37 . 2008-12-01 16:37 d-------- c:\program files\SUPERAntiSpyware
2008-12-01 16:37 . 2008-12-01 16:37 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-01 16:37 . 2008-12-01 16:37 d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-01 04:07 . 2008-12-01 16:45 1,113 --a------ C:\rollback.ini
2008-12-01 00:29 . 2008-12-01 00:29 d-------- c:\documents and settings\Administrator\Application Data\MailFrontier
2008-12-01 00:26 . 2008-12-01 06:22 6,763,040 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-01 00:26 . 2008-12-01 06:22 92,696 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-30 23:12 . 2008-12-01 14:59 d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-11-30 23:12 . 2008-11-13 15:18 73,104 --a------ c:\windows\zllsputility.exe
2008-11-30 23:12 . 2008-12-01 14:58 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-11-30 23:11 . 2008-12-01 04:07 d-------- c:\windows\system32\ZoneLabs
2008-11-30 23:11 . 2008-11-30 23:11 d-------- c:\program files\Zone Labs
2008-11-30 23:11 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-30 23:11 . 2008-12-02 17:29 348,389 --a------ c:\windows\system32\vsconfig.xml
2008-11-30 23:09 . 2008-12-02 17:41 d-------- c:\windows\Internet Logs
2008-11-30 22:30 . 2008-11-30 22:30 d-------- c:\program files\uTorrent
2008-11-30 22:30 . 2008-12-01 23:42 d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-29 22:27 . 2008-11-29 22:27 d-------- c:\program files\WiFiConnector
2008-11-29 19:31 . 2008-11-29 19:31 d-------- c:\program files\Panasonic
2008-11-29 19:31 . 2006-02-27 11:45 36,864 --a------ c:\windows\system32\SDDEVMGR.dll
2008-11-27 17:44 . 2008-11-30 14:09 363 --a------ c:\windows\kaillera.ini
2008-11-21 23:24 . 2008-11-21 23:24 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-11-21 23:24 . 2008-11-21 23:24 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-11-21 23:22 . 2008-11-21 23:22 d----c--- c:\windows\system32\DRVSTORE
2008-11-21 23:22 . 2008-11-21 23:22 d-------- c:\program files\Microsoft Xbox 360 Accessories
2008-11-21 23:22 . 2007-02-26 18:15 1,421,216 --a------ c:\windows\system32\WdfCoInstaller01001.dll
2008-11-21 23:22 . 2007-02-26 18:15 61,984 --a------ c:\windows\system32\drivers\xusb21.sys
2008-11-21 22:48 . 2008-11-21 22:48 d-------- c:\documents and settings\Administrator\Application Data\Damdai
2008-11-12 20:35 . 2008-04-13 14:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-12 14:46 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 14:46 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-05 15:34 . 2008-11-05 15:34 d-------- c:\program files\Veoh Networks
2008-11-05 15:05 . 2008-11-05 15:05 d-------- c:\program files\E.M. PowerPoint Video Converter
2008-11-03 15:56 . 2008-11-04 21:25 d-------- c:\program files\Total Video Converter
2008-11-03 15:56 . 2000-05-22 22:58 608,448 --a------ c:\windows\system32\comctl32.ocx
2008-11-02 00:24 . 2008-12-02 19:02 d-------- C:\QUARANTINE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 22:45 3,097,088 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-12-01 21:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-01 03:05 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-30 00:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 00:31 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-13 03:35 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-13 03:27 --------- d-----w c:\program files\LimeWire
2008-11-12 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-29 22:46 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-29 22:46 --------- d-----w c:\program files\Java
2008-10-29 22:28 --------- d-----w c:\program files\Audacity
2008-10-29 01:34 --------- d-----w c:\program files\MSBuild
2008-10-29 01:33 --------- d-----w c:\program files\Reference Assemblies
2008-10-29 01:26 --------- d-----w c:\program files\alaplaya
2008-10-29 00:42 --------- d-----w c:\program files\CyberLink
2008-10-29 00:41 --------- d-----w c:\program files\Common Files\Ahead
2008-10-25 02:27 --------- d-----w c:\program files\Sierra On-Line
2008-10-25 02:22 --------- d-----w c:\program files\WON
2008-10-25 02:19 --------- d-----w c:\program files\Common Files\LightScribe
2008-10-25 02:17 --------- d-----w c:\documents and settings\Administrator\Application Data\Ahead
2008-10-25 02:13 --------- d-----w c:\program files\Nero
2008-10-25 01:52 --------- d-----w c:\program files\Microsoft Works
2008-10-25 01:31 --------- d-----w c:\program files\Common Files\Adobe
2008-10-25 01:26 --------- d-----w c:\program files\Lavasoft
2008-10-25 01:26 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-25 01:21 --------- d-----w c:\program files\McAfee
2008-10-25 01:21 --------- d-----w c:\program files\Common Files\Cisco Systems
2008-10-25 01:21 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-25 01:20 --------- d-----w c:\program files\Common Files\McAfee
2008-10-25 01:06 --------- d-----w c:\program files\microsoft frontpage
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

Ryouta
Novice

Posts: 7
Joined: 2008-12-02
OS: Microsoft Windows XP Professional Service Pack 3
Points: 29300
Likes: 0

Solved Re: ISpynow Infection

Post by Belahzur on 3rd December 2008, 12:22 am

Looks good, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245111
Likes: 1

Solved Re: ISpynow Infection

Post by Ryouta on 3rd December 2008, 12:31 am

It still boots up extremely slow.


Solved Re: ISpynow Infection

Post by Belahzur on 3rd December 2008, 12:34 am

Post a new HijackThis log and we'll see what we can do.



Solved Re: ISpynow Infection

Post by Ryouta on 3rd December 2008, 12:39 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:02 PM, on 12/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6698 bytes


Solved Re: ISpynow Infection

Post by Belahzur on 3rd December 2008, 12:45 am


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


  • Press "Fix Checked"
  • Close HijackThis.


Reboot and see if startup is any faster.


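The fix list above is a first-pass triage of the HijackThis log: third-party autostart entries that slow boot, plus a service whose binary is no longer on disk. As an added example that is not part of this thread and not HijackThis's own code, here is a small Python parser for O4 (autostart) and O23 (service) lines that performs the same sort of first pass. The sample lines are copied from the log posted above; the function names and the "autostart outside the Windows directory" heuristic are my own assumptions.

```python
import re

# Constructed sample in the shape of the O4/O23 lines quoted in this thread (not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [XboxStat] "c:\\Program Files\\Microsoft Xbox 360 Accessories\\XboxStat.exe" silentrun
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe
O23 - Service: ASKService - Unknown owner - C:\\Program Files\\AskBarDis\\bar\\bin\\AskService.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\\Program Files\\McAfee\\VirusScan Enterprise\\Mcshield.exe
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\\Program Files\\McAfee\\VirusScan Enterprise\\Scriptcl.dll
"""
O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def _split_autostart(rest):
    """Return (entry name, executable path) for the text after 'O4 - <location>: '."""
    m = re.match(r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$", rest)
    if m:  # registry Run value: [Name] "path" args
        name, cmd = m.group("name"), m.group("cmd")
    else:  # Startup-folder shortcut: Name.lnk = path
        name, _, cmd = rest.partition(" = ")
    cmd = cmd.strip()
    path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd
    return name.strip(), path

def parse_hjt(log_text):
    """Parse O4 (autostart) and O23 (service) lines into dicts; other line kinds are skipped."""
    entries = []
    for line in log_text.splitlines():
        m4, m23 = O4_RE.match(line.strip()), O23_RE.match(line.strip())
        if m4:
            name, path = _split_autostart(m4.group("rest"))
            entries.append({"kind": "O4", "name": name, "path": path,
                            "location": m4.group("location"), "flags": []})
        elif m23:
            path, flags = m23.group("path"), []
            if path.endswith("(file missing)"):  # service still registered, binary gone
                path, flags = path[:-len("(file missing)")].strip(), ["file missing"]
            if m23.group("owner") == "Unknown owner":  # no company name in version info
                flags.append("unknown owner")
            entries.append({"kind": "O23", "name": m23.group("name"), "path": path,
                            "location": "service", "flags": flags})
    return entries

def needs_review(entries):
    """First-pass triage (my heuristic): flagged services plus autostarts outside c:\\windows."""
    return [e for e in entries if e["flags"] or
            (e["kind"] == "O4" and not e["path"].lower().startswith("c:\\windows\\"))]
```

On the sample, `needs_review` returns the XboxStat and Nintendo autostarts and the orphaned ASKService, and leaves ctfmon and McShield alone; a human still decides what to fix, as in the thread.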

Solved Re: ISpynow Infection

Post by Ryouta on 3rd December 2008, 12:59 am

Rebooted and no changes. It still takes like 20 mins for the icons to even show up.


Solved Re: ISpynow Infection

Post by Belahzur on 3rd December 2008, 1:11 am

It could be ZoneAlarm.
Uninstall that and see if there is any change.



Solved Re: ISpynow Infection

Post by Ryouta on 3rd December 2008, 1:41 am

It was ZoneAlarm slowing it down, thanks dude, you're amazing.


Solved Re: ISpynow Infection

Post by Belahzur on 3rd December 2008, 1:48 am

Glad I could help. :)



Solved Re: ISpynow Infection

Post by Doctor Inferno on 17th December 2008, 1:55 pm

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.



Doctor Inferno
Administrator

Posts: 11976
Joined: 2007-12-26
Gender: Male
OS: Windows 7 Home Premium and Ultimate X64
Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
Points: 104640
Likes: 0
