Spyware.ISpynow


Solved Spyware.ISpynow

Post by nopc on 2nd December 2008, 5:51 am

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:22 PM, on 2008-12-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkserv.exe
C:\WINDOWS\system32\lxdkcoms.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Lexmark 5300 Series\lxdkmon.exe
C:\Program Files\Lexmark 5300 Series\lxdkamon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Imgtask.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [lxdkmon.exe] "C:\Program Files\Lexmark 5300 Series\lxdkmon.exe"
O4 - HKLM\..\Run: [lxdkamon] "C:\Program Files\Lexmark 5300 Series\lxdkamon.exe"
O4 - HKLM\..\Run: [Lexmark 5300 Series Fax Server] "C:\Program Files\Lexmark 5300 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ImgTask] C:\WINDOWS\Imgtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9599 bytes

Uninstall list:

ABBYY FineReader 6.0 Sprint
Actiontec Gateway
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11
Apple Software Update
AVG 7.5
CCleaner (remove only)
Digital Media Reader
getPlus(R)_ocx
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Update
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 10
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Learn2 Player (Uninstall Only)
Lexmark 5300 Series
Lexmark Toolbar
Lexmark X73
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 2005
Microsoft Office 2000 Premium
Microsoft Office Standard Edition 2003
Microsoft Picture It! Premium 10
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multimedia Keyboard Driver
Napster Burn Engine
Nero BurnRights
Nero OEM
Norton Security Center
Norton Security Scan
OpenMG Secure Module 4.7.00
Picture Package Music Transfer
PowerDVD
QuickConnect
QuickTime
RealArcade
RealPlayer Basic
Realtek High Definition Audio Driver
Recovery Software Suite Gateway
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SoftV92 Data Fax Modem with SmartCP
Sonic Encoders
Sony Picture Utility
Sony USB Driver
SUPERAntiSpyware Free Edition
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Yahoo! Install Manager
Yahoo! Messenger
Yahtzee Download Edition
ZoneAlarm


If we have to use it down the line, is it possible to not use ComboFix? The last time someone tried to help me with ComboFix (another site like this one, a while ago) the program did not work though I let it sit for 12 hours. I can certainly try again but I just wanted to give a heads up to you once you read this thread and if we have to use it. I believe we ended up using OTViewit instead, if I'm remembering correctly, and that worked fine.

I see this is a common problem, which makes me feel a little better. I'll be able to check this thread again tomorrow 12-2-08 at around 6:30 EST.

nopc
Novice

Posts : 16
Joined : 2008-12-02
OS : xp
Points : 29310
# Likes : 0


Solved Re: Spyware.ISpynow

Post by Belahzur on 2nd December 2008, 9:59 am

Hello.
Sorry that whatever website wrecked your hopes, but trust me, I want to try combofix first before I reach for something else.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe


  • Press "Fix Checked"
  • Close Hijack This.


Delete this file in bold:
C:\WINDOWS\system32\drivers\svchost.exe


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1

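The O4 line the instructions above tell the user to fix is a file named like a core Windows process (svchost.exe) launched from a Run key and from the drivers directory, where the real svchost.exe never lives. The following is an added example, not code from the forum or from HijackThis, that triages the O4 lines of a HijackThis log for that pattern; the core-process list is an assumption for the example and the sample lines are constructed from the log posted above.

```python
"""Triage HijackThis O4 (autorun) lines for the pattern in this thread: a file
named like a core Windows process, launched from a Run key and from a directory
where that process never lives. Added example, not HijackThis or forum code."""
import re
from typing import Optional
from pathlib import PureWindowsPath

# Processes the kernel or the Service Control Manager starts. They are never
# launched from a Run key and their image always sits in %WINDIR%\system32.
# Assumed list for this example, not an exhaustive one.
CORE_PROCESSES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
                  "smss.exe", "csrss.exe"}

# Matches e.g.  O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4_LINE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def image_path(cmd: str) -> str:
    """Return the executable part of a Run value, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: everything up to the first ".exe" that ends a token, so paths
    # containing spaces and trailing switches such as "/STARTUP" both parse.
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_o4(line: str) -> Optional[dict]:
    """Classify one log line; returns None for lines that are not O4 entries."""
    m = O4_LINE.match(line)
    if not m:
        return None
    img = PureWindowsPath(image_path(m.group("cmd")))
    name = img.name.lower()
    parent = img.parent.name.lower()  # "" when the value is a bare file name
    severity, reasons = "none", []
    if name in CORE_PROCESSES:
        severity = "high"
        reasons.append("core system process name in a Run key")
        if parent != "system32":
            reasons.append(f"image in '{img.parent}', not %WINDIR%\\system32")
    elif parent == "":
        # Resolved through the path search order at logon, so a same-named
        # file placed earlier in that order would run instead of the intended one.
        severity = "low"
        reasons.append("unqualified image name, resolved by path search")
    return {"hive": m.group("hive"), "value": m.group("name"),
            "image": str(img), "severity": severity, "reasons": reasons}


def findings(lines) -> list:
    """Return the triage records for all O4 lines that drew a reason."""
    results = (triage_o4(line) for line in lines)
    return [r for r in results if r and r["severity"] != "none"]


# Constructed sample taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['hive']} [{f['value']}] {f['image']}: "
              + "; ".join(f["reasons"]))
```

Run against the full log, the only high-severity hit is the HKCU SVCHOST.EXE entry; the bare-name OEM entries (zHotkey.exe, ShowWnd.exe, ALCWZRD.EXE) come out as low severity, which is a note to verify rather than a removal.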

Solved Re: Spyware.ISpynow

Post by nopc on 2nd December 2008, 11:07 pm

I did the HJT part but I can't download CF. It says "page cannot be displayed" for both of the top two links. Should I try the bottom ones?


Solved Re: Spyware.ISpynow

Post by Belahzur on 2nd December 2008, 11:11 pm

No, we'll use something else.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\drivers\svchost.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.





Solved Re: Spyware.ISpynow

Post by nopc on 2nd December 2008, 11:15 pm

The link for Avenger is also doing "page cannot be displayed"


Solved Re: Spyware.ISpynow

Post by Belahzur on 2nd December 2008, 11:20 pm

Hello.
Have uploaded it to a mirror, here:
[You must be registered and logged in to see this link.]





Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 12:06 am

When the computer restarted a message came up that says:
"Windows-No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c "
And there are three things I can click on for this message: cancel, try again or continue. Is this message normal and what do I do?

Here's the Avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmqlt.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: file "C:\WINDOWS\system32\drivers\svchost.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\svchost.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Solved Re: Spyware.ISpynow

Post by Belahzur on 3rd December 2008, 12:14 am

Hello.
Ignore the warning, that's the rootkit trying to stop us.
But the Avenger has uncovered it now, we can see it, so we can take it down.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
TDSSserv.sys

Files to delete:
C:\windows\system32\drivers\TDSSmqlt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


Last edited by Belahzur on 3rd December 2008, 1:13 am; edited 1 time in total





Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 1:02 am

Okay, another problem. When it restarted from doing the above with Avenger, a blue screen came up. The computer did not load up all the way.

This is what the blue screen said:
"A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error, restart computer (I did that but it came up again). If this screen appears again follow these steps:

Check to be sure you have adequate disk space (my C: drive has 206 GB of space free, not sure if it meant that). If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adaptors.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart, press F8 to select advanced startup options and then select safe mode

Tech info:
*** STOP 0x0000008e (0xc0000005, 0x806264A8, 0xF89B0ABC, 0x00000000)"


I hit F8 and prayed basically. There was an option to restart the computer in the last mode that it worked (I can't remember how it worded it and that doesn't sound right). How about...there was an option to restart the computer from when it last worked right, under those settings. I don't know if that makes sense. Anyway, I did that so I could hopefully come back here and that worked.

Any ideas and should I try to do the second Avenger post again (I'm pretty sure it didn't work because of the blue screen and no log popped up)?


Solved Re: Spyware.ISpynow

Post by Belahzur on 3rd December 2008, 1:14 am

Let's try running it again, but this time slightly differently.
When you re-do the script again, leave out "Drivers to disable" and tick the "Automatically disable any rootkits found" box.

The script now should start with "Drivers to delete"

Try it that way.





Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 1:38 am

Nope, the same blue screen came up on startup so I had to reboot to previous configuration.


Solved Re: Spyware.ISpynow

Post by Belahzur on 3rd December 2008, 1:49 am

Are you still able to get into your system?





Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 1:59 am

Yes, as long as I restart it (using F8). I can make windows open under a previous configuration that worked, which is what I am running it off right now. It gives a ton of options (in the F8 mode), that I don't remember being there before when I've had to do it for other reasons, other than safe mode.


Solved Re: Spyware.ISpynow

Post by Belahzur on 3rd December 2008, 2:03 am

Okay, let's not use the Avenger right now, too powerful.

Download combofix from here and see if you can get it running.
[You must be registered and logged in to see this link.]
Then follow the instructions I left above.
[You must be registered and logged in to see this link.]





Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 2:09 am

Well, it is called Avenger!

Anyway, I thought I would post to say that CF did download so I'm going to try that right now.


Solved Re: Spyware.ISpynow

Post by Belahzur on 3rd December 2008, 2:11 am

I'm sorry for that happening. tdssserv is horrible and can be hard to remove, and there's only maybe 3 tools I know that can take it down.
Avenger being one of them.





Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 2:33 am

Hey, no problem. I greatly appreciate your help on this.

Good news: It worked! I've never had it work so I'm greatly amazed right now. No blue screens when it restarted. SuperAntiSpyware loaded up without error for the first time in days.


Solved Re: Spyware.ISpynow

Post by Belahzur on 3rd December 2008, 2:35 am

Can you post the report please? There may be leftovers we need to take out.





Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 2:36 am

Okay, here's the log. It's big so I'll do two posts

Here's the log:

ComboFix 08-12-01.03 - Owner 2008-12-02 20:15:44.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.173 [GMT -6:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\google\runhh6110411.exe
c:\documents and settings\Owner\nah_skrr.exe
c:\recycler\ADAPT_Installer.exe
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\TDSShrsr.dll
c:\windows\system32\TDSSkkbu.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqn.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSxfum.dll
.
---- Previous Run -------
.
c:\windows\Downloaded Program Files\setup.inf
D:\Autorun.inf

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2100-03-04 11:41 . 2001-05-10 09:36 17,020 --a------ c:\windows\system32\drivers\Lxarscan.sys
2100-02-23 17:55 . 2001-04-02 15:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-23 13:35 . 2001-02-22 08:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 14:53 . 2001-04-23 13:22 1,437 --a------ c:\windows\GtX73.ini
2008-12-02 19:17 . 2008-12-02 19:17 61,440 --a------ c:\windows\system32\drivers\gobtuqi.sys
2008-12-02 18:19 . 2008-12-02 18:19 61,440 --a------ c:\windows\system32\drivers\ncvmz.sys
2008-12-02 18:01 . 2008-07-18 21:09 1,811,656 --a------ c:\windows\system32\wuaueng.dll
2008-12-02 18:01 . 2008-07-18 21:09 563,912 --a------ c:\windows\system32\wuapi.dll
2008-12-02 18:01 . 2008-07-18 21:09 325,832 --a------ c:\windows\system32\wucltui.dll
2008-12-02 18:01 . 2008-07-18 21:09 215,752 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-02 18:01 . 2008-07-18 21:09 205,000 --a------ c:\windows\system32\wuweb.dll
2008-12-02 18:01 . 2008-07-18 21:10 94,920 --a------ c:\windows\system32\cdm.dll
2008-12-02 18:01 . 2008-07-18 21:10 53,448 --a------ c:\windows\system32\wuauclt.exe
2008-12-02 18:01 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-02 18:01 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-02 18:01 . 2008-10-16 14:08 34,328 --a--c--- c:\windows\system32\dllcache\wups.dll
2008-12-01 22:21 . 2008-12-01 22:22 1,917 --a------ c:\windows\imsins.BAK
2008-11-23 17:42 . 2008-11-23 17:42 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 17:16 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 17:15 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 17:33 . 2008-11-09 17:33 d-------- c:\documents and settings\LocalService\Application Data\Symantec
2008-11-09 13:34 . 2008-11-18 21:14 d-------- c:\program files\SUPERAntiSpyware
2008-11-09 13:34 . 2008-11-09 13:34 d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-11-09 13:34 . 2008-11-09 13:34 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-05 18:34 . 2008-12-02 20:10 d-------- C:\ComboFix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 23:46 2,012,160 ----a-w c:\windows\Internet Logs\xDB2C.tmp
2008-12-02 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-02 04:57 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-02 04:28 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-01 05:17 --------- d-----w c:\program files\Norton Security Scan
2008-12-01 03:58 17,681,900 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-01 03:58 1,508,763,680 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\5300 Series
2008-12-01 03:52 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-27 04:30 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-11-23 23:42 --------- d-----w c:\program files\Java
2008-11-22 16:30 --------- d-----w c:\program files\Lexmark Toolbar
2008-11-15 02:47 12,359,816 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-10 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 00:17 --------- d-----w c:\program files\Symantec
2008-11-09 23:31 --------- d-----w c:\program files\BigFix
2008-11-09 19:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 04:05 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2008-10-23 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-05 00:30 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-10 19:32 2,228,534 ----a-w c:\program files\audacity-win-1.2.6.exe
2007-10-04 02:59 28,556,584 ----a-w c:\program files\avgantivirus75free_488a1138.exe
2007-10-04 02:48 2,614,072 ----a-w c:\program files\ccleanersetup200.exe
2007-10-04 02:22 210,416 ----a-w c:\program files\zonealarmSetup_en.exe
2007-10-03 04:39 436,360 ----a-w c:\program files\msgr8us.exe
2007-10-03 02:34 18,895,728 ----a-w c:\program files\Install_Messenger.exe
2006-12-17 23:41 136 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
.

------- Sigcheck -------

2005-03-10 01:49 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2004-08-10 13:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtUninstallKB895961$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-30 21:52 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.

nopc
Novice

Posts : 16
Joined : 2008-12-02
OS : xp
Points : 29310
# Likes : 0


Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 2:36 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-18 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-05-11 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-05-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-01-30 36352]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-21 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-21 307888]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ImgTask"="c:\windows\Imgtask.exe" [2006-12-12 20480]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2005-09-22 303104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-28 171448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 17:29 303104 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
--a------ 2004-07-29 14:55 139264 c:\progra~1\McAfee.com\Agent\McRegWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 11:05 212992 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-11-15 16:04 135168 c:\program files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-10-21 16:20 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service []
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe [2008-01-22 99248]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S0 xxismgt;xxismgt;c:\windows\system32\drivers\rmkxmmdi.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dedca087-463a-11dd-903e-00095b8cf353}]
\Shell\AutoRun\command - J:\Imageviewer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2006-10-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-10-15 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-10-15 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-02 20:22:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LexBceS.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe
c:\windows\system32\lxdkcoms.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-12-02 20:27:45 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-12-03 02:27:41

Pre-Run: 221,283,840,000 bytes free
Post-Run: 221,251,309,568 bytes free

259 --- E O F --- 2008-11-13 02:53:39


Solved Re: Spyware.ISpynow

Post by Belahzur on 3rd December 2008, 2:43 am

Hello.
No malware showing, but just something I want CF to throw out.
You too have seen the horrible powers this rootkit has, nearly crashing your system.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\Internet Logs\xDB2C.tmp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dedca087-463a-11dd-903e-00095b8cf353}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Heading to bed now, please keep this machine offline until I return in the morning. Use another non-infected machine if you have one.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1


Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 2:54 am

Alright, I won't touch it. I'd probably jinx it anyway! I'll be around again tomorrow at the same time (6 EST or so).

Here's the new CF log:

ComboFix 08-12-01.03 - Owner 2008-12-02 20:47:04.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.232 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\Internet Logs\xDB2C.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Internet Logs\xDB2C.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2100-03-04 11:41 . 2001-05-10 09:36 17,020 --a------ c:\windows\system32\drivers\Lxarscan.sys
2100-02-23 17:55 . 2001-04-02 15:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-23 13:35 . 2001-02-22 08:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 14:53 . 2001-04-23 13:22 1,437 --a------ c:\windows\GtX73.ini
2008-12-02 19:17 . 2008-12-02 19:17 61,440 --a------ c:\windows\system32\drivers\gobtuqi.sys
2008-12-02 18:19 . 2008-12-02 18:19 61,440 --a------ c:\windows\system32\drivers\ncvmz.sys
2008-12-02 18:01 . 2008-07-18 21:09 1,811,656 --a------ c:\windows\system32\wuaueng.dll
2008-12-02 18:01 . 2008-07-18 21:09 563,912 --a------ c:\windows\system32\wuapi.dll
2008-12-02 18:01 . 2008-07-18 21:09 325,832 --a------ c:\windows\system32\wucltui.dll
2008-12-02 18:01 . 2008-07-18 21:09 215,752 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-02 18:01 . 2008-07-18 21:09 205,000 --a------ c:\windows\system32\wuweb.dll
2008-12-02 18:01 . 2008-07-18 21:10 94,920 --a------ c:\windows\system32\cdm.dll
2008-12-02 18:01 . 2008-07-18 21:10 53,448 --a------ c:\windows\system32\wuauclt.exe
2008-12-02 18:01 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-02 18:01 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-02 18:01 . 2008-10-16 14:08 34,328 --a--c--- c:\windows\system32\dllcache\wups.dll
2008-12-01 22:21 . 2008-12-01 22:22 1,917 --a------ c:\windows\imsins.BAK
2008-11-23 17:42 . 2008-11-23 17:42 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 17:16 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 17:15 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 17:33 . 2008-11-09 17:33 d-------- c:\documents and settings\LocalService\Application Data\Symantec
2008-11-09 13:34 . 2008-11-18 21:14 d-------- c:\program files\SUPERAntiSpyware
2008-11-09 13:34 . 2008-11-09 13:34 d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-11-09 13:34 . 2008-11-09 13:34 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-05 18:34 . 2008-12-02 20:10 d-------- C:\ComboFix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-02 04:57 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-02 04:28 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-01 05:17 --------- d-----w c:\program files\Norton Security Scan
2008-12-01 03:58 17,681,900 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-01 03:58 1,508,763,680 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-01 03:56 --------- d-----w c:\documents and settings\Owner\Application Data\5300 Series
2008-12-01 03:52 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-27 04:30 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-11-23 23:42 --------- d-----w c:\program files\Java
2008-11-22 16:30 --------- d-----w c:\program files\Lexmark Toolbar
2008-11-15 02:47 12,359,816 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-10 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 00:17 --------- d-----w c:\program files\Symantec
2008-11-09 23:31 --------- d-----w c:\program files\BigFix
2008-11-09 19:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 04:05 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2008-10-23 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-05 00:30 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-10 19:32 2,228,534 ----a-w c:\program files\audacity-win-1.2.6.exe
2007-10-04 02:59 28,556,584 ----a-w c:\program files\avgantivirus75free_488a1138.exe
2007-10-04 02:48 2,614,072 ----a-w c:\program files\ccleanersetup200.exe
2007-10-04 02:22 210,416 ----a-w c:\program files\zonealarmSetup_en.exe
2007-10-03 04:39 436,360 ----a-w c:\program files\msgr8us.exe
2007-10-03 02:34 18,895,728 ----a-w c:\program files\Install_Messenger.exe
2006-12-17 23:41 136 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
.

------- Sigcheck -------

2005-03-10 01:49 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2004-08-10 13:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtUninstallKB895961$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-30 21:52 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.


Solved Re: Spyware.ISpynow

Post by nopc on 3rd December 2008, 2:54 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-18 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-05-11 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-05-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-01-30 36352]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-21 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-21 307888]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ImgTask"="c:\windows\Imgtask.exe" [2006-12-12 20480]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2005-09-22 303104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-28 171448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 17:29 303104 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
--a------ 2004-07-29 14:55 139264 c:\progra~1\McAfee.com\Agent\McRegWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 11:05 212992 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-11-15 16:04 135168 c:\program files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-10-21 16:20 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service []
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe [2008-01-22 99248]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S0 xxismgt;xxismgt;c:\windows\system32\drivers\rmkxmmdi.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2006-10-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-10-15 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-10-15 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-02 20:49:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-12-02 20:50:54
ComboFix-quarantined-files.txt 2008-12-03 02:50:48
ComboFix2.txt 2008-12-03 02:27:46

Pre-Run: 221,222,502,400 bytes free
Post-Run: 221,196,906,496 bytes free

216 --- E O F --- 2008-11-13 02:53:39


Solved Re: Spyware.ISpynow

Post by Belahzur on 3rd December 2008, 12:23 pm

Morning.
Hello.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.
====

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.

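The turn-off/turn-on System Restore cycle described in the post above, scripted as an added PowerShell example (not from the thread or the forum's own guidance). It assumes an elevated PowerShell 2.0 or later session on a client Windows edition and that the system drive is C:\.

```powershell
# Added example: purge old restore points (which may hold infected copies of
# the removed files) and create a fresh, known-clean one.
# Assumptions: elevated PowerShell 2.0+ on a client Windows edition; the
# drive letter below is an assumption, adjust it for your system.
$drive = "C:\"

# Disabling System Restore on a drive discards every restore point stored on
# it; that is the purpose of the turn-off step in the post above.
Disable-ComputerRestore -Drive $drive
Write-Host "System Restore disabled on $drive (old restore points discarded)"

# Turn protection back on, then take a new checkpoint so there is a clean
# point to roll back to if something goes wrong later.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Clean restore point after malware removal" `
                    -RestorePointType "MODIFY_SETTINGS"

# Verify: the only restore point listed should be the one just created.
$points = @(Get-ComputerRestorePoint)
$points | Format-Table SequenceNumber, Description,
    @{Label = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) }} -AutoSize

if ($points.Count -ne 1) {
    Write-Warning "Expected exactly one restore point, found $($points.Count)"
}
```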

Solved Re: Spyware.ISpynow

Post by nopc on 4th December 2008, 12:04 am

Man, I got scared just a minute ago. Just turned on my computer and my AVG started running and found 13 threats, but the threats all had the same file names as what we just got rid of. It healed them all when it was done scanning though, so I think I'm good. I think it's okay though, probably just picking up the extra leftovers and deleting them. I'm running a manual scan right now to see if they come up again. When it scanned the first time it ran by itself. If you think I should post a new HJT, I can.

I'm going to make that new restore point when it's done scanning again. Thank you for your help and the other info too. It definitely helps, though I feel like I protect myself pretty well (learned from previous mistakes), but I still get them anyway sometimes. I update like crazy now. And I really need to use FireFox. I've only heard good things and better safety.

I can't stress enough how much I appreciate the help. This seems like the problem of the month and you took care of it so easily, and just looking at all the other threads that have it... you've got your work cut out. We're all thankful, I'm sure.

Okay, I'll stop rambling you have more important things to read!


Last edited by nopc on 4th December 2008, 12:10 am; edited 1 time in total


Solved Re: Spyware.ISpynow

Post by Belahzur on 4th December 2008, 12:06 am

If they were the same name, chances are it was finding them inside C:\Qoobox?
Delete this folder: C:\Qoobox


Solved Re: Spyware.ISpynow

Post by nopc on 4th December 2008, 12:12 am

Man, you're quick.

That folder existed and it is now deleted! Thank you! So far on the manual AVG scan, nothing is coming up and I believe it's almost done.

One more thing: Does Zonealarm do anything useful? This computer is a hand-me-down and I don't know how to use it or even know what it does really. It was already on it before I got it. I'd rather not have it if I don't need it for anything.


Solved Re: Spyware.ISpynow

Post by Belahzur on 4th December 2008, 12:17 am

ZoneAlarm is a very useful firewall.
But from my experience, ZoneAlarm is a bigger product than the other firewalls I recommend, and it sometimes causes slowness on older machines that have a low amount of RAM.


Solved Re: Spyware.ISpynow

Post by nopc on 4th December 2008, 12:20 am

Okay, I'll probably just keep it rather than mess around with stuff. Thank you for the hundredth time! No more questions.


Solved Re: Spyware.ISpynow

Post by Doctor Inferno on 11th December 2008, 9:06 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
