Spyware Protect 2009

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

Solved Spyware Protect 2009

Post by A_tms on Tue Jan 20, 2009 9:01 am

Suddenly I have started getting pop-ups with infiltration alerts, security alerts, system scanning (I suspect all fake) but I don't know how to stop them. They pop up every few minutes. It seems something called Spyware Protect 2009 is sitting in my system tray, a pale blue shield with a white diagonal bar.

My HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:51:37, on 20/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\sysguard.exe
C:\Temp\Hijack(GP)This.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - [You must be registered and logged in to see this link.]
O16 - DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} (OBInstallRunner Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 14278 bytes

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Tue Jan 20, 2009 9:37 am

Spybot Teatimer did prevent some registry settings, at least when it first started.

It looks very like Total Protect 2009. I was thinking to run Malwarebytes but since I have no idea what I'm doing, I thought I'd wait for instructions.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Tue Jan 20, 2009 12:32 pm


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
    O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - [You must be registered and logged in to see this link.] (file missing) (HKCU)
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Please update and run MBAM, post the log when done.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Tue Jan 20, 2009 1:34 pm

MBAM log as follows:

Malwarebytes' Anti-Malware 1.33
Database version: 1670
Windows 5.1.2600 Service Pack 3

20/01/2009 14:32:23
mbam-log-2009-01-20 (14-32-23).txt

Scan type: Quick Scan
Objects scanned: 73956
Time elapsed: 18 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Looks good I think?

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Tue Jan 20, 2009 2:05 pm

Not sure.
Lets take a look around before I flag the all clear.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Tue Jan 20, 2009 2:42 pm

DDS.txt

DDS (Ver_09-01-18.01) - NTFSx86
Run by Ann at 15:40:14.71 on 20/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1558 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Ann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Wanadoo
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: Search Class: {08c06d61-f1f3-4799-86f8-be1a89362c85} - c:\progra~1\wanadoo\SEARCH~1.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SkypeClient] "c:\program files\pdt\voipvoiceintegration\VoIPVoice Integration.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\ann\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [SpybotDeletingB2374] command /c del "c:\windows\system32\twain32\user.ds"
uRunOnce: [SpybotDeletingD1907] cmd /c del "c:\windows\system32\twain32\user.ds"
uRunOnce: [SpybotDeletingB1430] command /c del "c:\windows\system32\twain32\local.ds"
uRunOnce: [SpybotDeletingD9467] cmd /c del "c:\windows\system32\twain32\local.ds"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [EPSON Stylus C82 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [WooCnxMon] c:\progra~1\wanadoo\CnxMon.exe
mRun: [WOOWATCH] c:\progra~1\wanadoo\Watch.exe
mRun: [WOOTASKBARICON] c:\progra~1\wanadoo\TaskbarIcon.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NielsenOnline] c:\program files\netratingsnetsight\netsight\NielsenOnline.exe
mRunOnce: [SpybotDeletingA8403] command /c del "c:\windows\system32\twain32\user.ds"
mRunOnce: [SpybotDeletingC8371] cmd /c del "c:\windows\system32\twain32\user.ds"
mRunOnce: [SpybotDeletingA2621] command /c del "c:\windows\system32\twain32\local.ds"
mRunOnce: [SpybotDeletingC341] cmd /c del "c:\windows\system32\twain32\local.ds"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: { - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: bookcrossing.com\www
Trusted Zone: dyndns.org\yinionlinereg
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ann\applic~1\mozilla\firefox\profiles\ytw812uo.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\mozilla firefox\components\nsgkff30_meter1.dll
FF - plugin: c:\documents and settings\ann\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-11 3968]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2009-1-14 14336]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2009-1-14 8832]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-10 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-10 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-10 168776]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-5-17 104000]
R4 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R4 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\system32\drivers\uac4pdt.sys [2006-9-18 15232]

=============== Created Last 30 ================

2009-01-20 14:12 788 a------- c:\temp\fix.reg
2009-01-20 09:50 401,720 a------- c:\temp\Hijack(GP)This.exe
2009-01-20 09:35 9,216 a------- c:\windows\system32\iehelper.dll
2009-01-20 09:35 441 a------- c:\windows\system32\TDSSosvd.dat
2009-01-14 14:34 12,273 a------- c:\temp\Ser-PhotoBlogger-SerTurista-com.zip
2009-01-14 12:20 14,336 a------- c:\windows\system32\drivers\nnrnstdi.sys
2009-01-14 12:20 8,832 a------- c:\windows\system32\drivers\km_filter.sys
2009-01-14 12:17 53,248 a------- c:\windows\nswatchdog.exe
2009-01-14 12:17 --d----- c:\program files\NetRatingsNetSight
2009-01-14 12:16 501,912 a------- c:\temp\netsight_setup_5.1.3.20_MP_Production_New_Recruitment_UK_mid53015730615_p.exe
2009-01-05 23:33 3,751,995 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-31 12:04 104,659 a------- c:\windows\hpoins04.dat
2008-12-20 14:37 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-13 07:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 12:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 13:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-09-08 06:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080909\index.dat

============= FINISH: 15:41:23.31 ===============

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Tue Jan 20, 2009 2:52 pm

I want to run a rootkit scan.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Files to delete:
c:\windows\system32\iehelper.dll
c:\windows\system32\TDSSosvd.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Tue Jan 20, 2009 3:24 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\iehelper.dll" deleted successfully.
File "c:\windows\system32\TDSSosvd.dat" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

-----------------------------------------

I have now got a message saying
Windows - No Disk
Exception Processing message c0000013 Parameters etc.
Cancel/Try Again/Continue

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Tue Jan 20, 2009 3:38 pm

Have you been using a USB stick alot without removing it safely?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Tue Jan 20, 2009 3:53 pm

Not a lot, but I did remove one today.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Tue Jan 20, 2009 3:57 pm

I bet you just pulled it out without right clicking the little green arrow in the tray?

To repair this, just plug it back in and unplug it safely by removing it by the little green arrow.

Just pulling them okay will cause damage, luckily we may be able to fix it, but it can and will cause serious damage.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Tue Jan 20, 2009 4:09 pm

I think it's just dawned on me what it must be. It's not the memory stick but the digital photo card that is read through the printer. Anyway, I've clicked on the green arrow and removed the memory stick, and done the same with the card.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Tue Jan 20, 2009 4:11 pm

Yeah, was probably that, I think it's your boot order that caused that error.
You had that card plugged in when it booted back after the avenger run, the boot order has USB first, then hardrive second/third, and it didn't find an OS at the USB and threw up that error.

Anyway, the two files the avenger had deleted are gone and the rest looks good, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Tue Jan 20, 2009 4:14 pm

I don't think there are any problems remaining. Thank you very much for all your help.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Tue Jan 20, 2009 4:23 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved The nightmare continues

Post by A_tms on Wed Jan 21, 2009 8:08 am

Last night I ran ad-aware and spybot. This morning I come to start up and it went to the Windows login screen. I chose my name as usual and it flashed to a blank blue screen and it immediately logged me off. The same happens in Safe mode, safe mode with command prompt. I tried restoring to last restore point and still the same.

It is an old Dell machine from work with no boot disk as such, but I see there is a Dell utilities disk that is bootable.

Nightmare. I have no idea what to do now, and I'm having to use a different machine to send this.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 2:59 pm

If it's old, chances are the hardware is old, and needs upgrading.

Nothing you or I can do now, until we get a hardware upgrade, sounds like the RAM is probably slow.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 3:16 pm

It's maybe 4 years old and I put in extra RAM just a few months ago. Should be fine.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 3:18 pm

Okay.
When you said "I tried restoring to last restore point" is that system restore or last known good?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 3:22 pm

last known good

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 3:31 pm

"Last night I ran ad-aware and spybot. This morning..."

You ran both at the same time?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 3:37 pm

No first Spybot which I already had on the machine, then I downloaded Ad aware and ran it. It found some things but I can't remember the details. Mostly just privacy, but that was after Spybot had said it was all clear.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 3:40 pm

Ah.
Adaware often finds MRU cache items/tracking cookies, nothing to be alarmed about.

I don't know why the machine won't logon anymore, perhaps one of the legit files were damages somehow.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 3:44 pm

When I ran Ad aware, a teakettle warning came up about a file called userinit or something similar. I'm thinking that was overwritten with something it shouldn't - but how to restore it? Am I going to have to reinstall XP?

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 3:46 pm

Ah.
Now we have something.

I don't know just yet, are you able to access the recovery console from the boot disc?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 3:57 pm

yes I am.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 4:01 pm

Awesome.
If it lets you do any commands, type this out.

expand X:\i386\userinit.ex_ C:\WINDOWS\system32\userinit.exe

****Note****

Replace "X" with whatever letter your CD drive is.
There is a space between the _ and C, make sure that space is there or this won't work.


Last edited by Belahzur on Wed Jan 21, 2009 4:19 pm; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 4:17 pm

It says "the system cannot find the file or directory specified".

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 4:20 pm

Hmmm, maybe case sensitive.
I typed out the file path and only used a capital W in windows, when your HJT log displays WINDOWS in all capitals.

Try again with it in caps, I have edited my post to reflect this.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 4:23 pm

Actually, I put in d: as the cd drive, which is normally what it is, and it showed the usb key. So the drive letters seem changed. Could it be E:? There is an autorun and a setup on it

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 4:25 pm

Yes, that's it.
That's how the CD works when you boot from it.
Windows finds the autorun, which launches the setup when formatting.

Try it with the letter E this time.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 4:26 pm

I tried E and it came up with the message "Unable to create file userinit.exe. 0 files expanded.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 4:33 pm

I wonder if that is because it's trying to overwrite it.
Lets see if this works and if not, we can try a repair install.

Type this command in:
sfc /scannow <== note the space between the c and /

Allow it to scan and it should get the userinit file from the CD automatically.
Reboot normally and try to login, see if that made any difference once the system file checker is done.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 4:35 pm

It's not recognising the command

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 4:38 pm

Okay, lets use repair install.
See this guide:

[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 4:58 pm

Well, it's looking different. It did the repair and has rebooted, loaded Windows, and come up with a screen that says Setup will complete in approximately 39 minutes.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 5:00 pm

Okay, allow it to do the setup.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 6:33 pm

Yes!! Success. Spybot is asking a lot of questions though.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 6:34 pm

Like what? registry changes?
Does it say what is trying to happen?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 6:39 pm

It says:
category- System startup gobal entry
Change - value deleted
Entry SpybotDeletingA2274
Old data - Command /cdel "c:\windows\system32\
if that went on further, I couldn't see it

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 6:39 pm

Then asked to alow changes or not

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 6:40 pm

Disallow it, what could be what was causing the problem in the first place and why this happened.

Run a new DDS scan for me so we can see why Spybot wants to change something.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 6:44 pm

There have been a lot of them now. Some just browser pages but this latest is:
Session manager
Value deleted
BootExecute
autocheck autochk *\lsdelete

Deny that too?

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 6:45 pm

Yes, deny everything, and run the DDS scan again. Wink


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 6:51 pm

Back on my own machine again!!


DDS (Ver_09-01-18.01) - NTFSx86
Run by Ann at 19:47:35.50 on 21/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.1895 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Ann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Wanadoo
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: Search Class: {08c06d61-f1f3-4799-86f8-be1a89362c85} - c:\progra~1\wanadoo\SEARCH~1.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SkypeClient] "c:\program files\pdt\voipvoiceintegration\VoIPVoice Integration.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\ann\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [EPSON Stylus C82 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [WooCnxMon] c:\progra~1\wanadoo\CnxMon.exe
mRun: [WOOWATCH] c:\progra~1\wanadoo\Watch.exe
mRun: [WOOTASKBARICON] c:\progra~1\wanadoo\TaskbarIcon.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NielsenOnline] c:\program files\netratingsnetsight\netsight\NielsenOnline.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRunOnce: [SpybotDeletingA2274] command /c del "c:\windows\system32\twain32\local.ds"
mRunOnce: [SpybotDeletingC8732] cmd /c del "c:\windows\system32\twain32\local.ds"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: { - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bookcrossing.com\www
Trusted Zone: dyndns.org\yinionlinereg
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ann\applic~1\mozilla\firefox\profiles\ytw812uo.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\mozilla firefox\components\nsgkff30_meter1.dll
FF - plugin: c:\documents and settings\ann\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-11 3968]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2009-1-14 14336]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2009-1-14 8832]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-10 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-10 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-10 168776]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-5-17 104000]
R4 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R4 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\system32\drivers\uac4pdt.sys [2006-9-18 15232]

=============== Created Last 30 ================

2009-01-21 18:52 57,856 ac------ c:\windows\system32\dllcache\EXCH_scripto.dll
2009-01-21 18:51 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2009-01-21 18:50 19,456 ac------ c:\windows\system32\dllcache\agt040d.dll
2009-01-21 18:48 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-21 18:48 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-21 18:48 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-21 18:48 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-21 18:48 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-21 18:48 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-01-21 18:46 --d----- c:\windows\dell
2009-01-20 21:53 --d----- c:\program files\Lavasoft
2009-01-20 21:53 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-20 21:50 23,804,784 a------- c:\temp\aaw2008-7.1.0.7.exe
2009-01-20 17:40 9,216 a------- c:\windows\system32\iehelper.dll
2009-01-20 14:12 788 a------- c:\temp\fix.reg
2009-01-20 09:50 401,720 a------- c:\temp\Hijack(GP)This.exe
2009-01-14 14:34 12,273 a------- c:\temp\Ser-PhotoBlogger-SerTurista-com.zip
2009-01-14 12:20 14,336 a------- c:\windows\system32\drivers\nnrnstdi.sys
2009-01-14 12:20 8,832 a------- c:\windows\system32\drivers\km_filter.sys
2009-01-14 12:17 53,248 a------- c:\windows\nswatchdog.exe
2009-01-14 12:17 --d----- c:\program files\NetRatingsNetSight
2009-01-14 12:16 501,912 a------- c:\temp\netsight_setup_5.1.3.20_MP_Production_New_Recruitment_UK_mid53015730615_p.exe
2009-01-05 23:33 3,751,995 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-01-21 19:23 77,915 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-21 18:47 23,444 a------- c:\windows\system32\emptyregdb.dat
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-31 12:04 104,659 a------- c:\windows\hpoins04.dat
2008-12-20 14:37 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 19:48:38.04 ===============

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 7:04 pm


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) by right clicking it's icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 7:46 pm

Finished.

ComboFix 09-01-21.01 - Ann 2009-01-21 20:24:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.1909 [GMT 1:00]
Running from: c:\temp\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iehelper.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 20:17 . 2009-01-21 20:17 3,048,283 -ra------ c:\temp\ComboFix.exe
2009-01-21 18:52 . 2004-08-12 14:58 482,304 --a--c--- c:\windows\SYSTEM32\DLLCACHE\pintlgnt.ime
2009-01-21 18:51 . 2004-08-12 14:58 10,096,640 --a--c--- c:\windows\SYSTEM32\DLLCACHE\hwxcht.dll
2009-01-21 18:50 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\SYSTEM32\DLLCACHE\fp4awel.dll
2009-01-21 18:48 . 2004-08-12 14:58 16,384 --a--c--- c:\windows\SYSTEM32\DLLCACHE\isignup.exe
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\wuaucpl.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\sapi.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\ncpa.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 488 -rah----- c:\windows\SYSTEM32\logonui.exe.manifest
2009-01-21 18:46 . 2009-01-21 18:46 d-------- c:\windows\dell
2009-01-21 08:26 . 2004-12-21 10:20 d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-01-21 08:26 . 2004-12-21 10:23 d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-21 08:26 . 2004-12-21 10:18 d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-21 08:25 . 2009-01-21 08:26 d-------- c:\documents and settings\Administrator
2009-01-20 21:53 . 2009-01-20 21:53 d-------- c:\program files\Lavasoft
2009-01-20 21:53 . 2009-01-20 21:53 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-20 21:53 . 2009-01-20 21:55 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-20 21:50 . 2009-01-20 21:52 23,804,784 --a------ c:\temp\aaw2008-7.1.0.7.exe
2009-01-20 14:12 . 2009-01-20 14:12 788 --a------ c:\temp\fix.reg
2009-01-20 09:50 . 2009-01-20 09:51 401,720 --a------ c:\temp\Hijack(GP)This.exe
2009-01-14 14:34 . 2009-01-14 14:34 12,273 --a------ c:\temp\Ser-PhotoBlogger-SerTurista-com.zip
2009-01-14 12:20 . 2008-06-27 14:58 14,336 --a------ c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys
2009-01-14 12:20 . 2008-06-27 14:59 8,832 --a------ c:\windows\SYSTEM32\DRIVERS\km_filter.sys
2009-01-14 12:17 . 2009-01-14 12:17 d-------- c:\program files\NetRatingsNetSight
2009-01-14 12:17 . 2008-10-10 13:32 53,248 --a------ c:\windows\nswatchdog.exe
2009-01-14 12:16 . 2009-01-14 12:17 501,912 --a------ c:\temp\netsight_setup_5.1.3.20_MP_Production_New_Recruitment_UK_mid53015730615_p.exe
2009-01-10 14:57 . 2009-01-10 14:58 d-------- c:\documents and settings\Ann\Application Data\CyberLink
2009-01-05 23:33 . 2009-01-05 23:33 3,751,995 --a------ c:\windows\SYSTEM32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 19:03 --------- d-----w c:\documents and settings\Ann\Application Data\Skype
2009-01-21 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-20 15:04 --------- d-----w c:\program files\ZipCentral
2009-01-20 13:24 --------- d-----w c:\program files\Google
2009-01-20 12:47 --------- d-----w c:\documents and settings\Ann\Application Data\skypePM
2009-01-20 12:20 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-12 18:41 --------- d-----w c:\program files\Skype
2008-12-28 07:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-20 22:55 --------- d-----w c:\program files\iTunes
2008-12-20 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-20 22:54 --------- d-----w c:\program files\iPod
2008-12-20 22:54 --------- d-----w c:\program files\Common Files\Apple
2008-12-20 22:52 --------- d-----w c:\program files\QuickTime
2008-12-20 13:37 --------- d-----w c:\program files\Java
2008-06-27 13:59 163,840 ----a-w c:\program files\mozilla firefox\components\nsgkff30_meter1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SkypeClient"="c:\program files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe" [2005-05-06 57344]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EPSON Stylus C82 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" [2003-10-15 99840]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"WooCnxMon"="c:\progra~1\Wanadoo\CnxMon.exe" [2004-10-13 24576]
"WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2004-10-13 24576]
"WOOTASKBARICON"="c:\progra~1\Wanadoo\TaskbarIcon.exe" [2004-10-13 49152]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-03 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2008-10-10 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 11:51 24638 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2599:TCP"= 2599:TCP:Labyrinth

R1 nnrnstdi;nnrnstdi;c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys [2009-01-14 14336]
R3 km_filter;km_filter;c:\windows\SYSTEM32\DRIVERS\km_filter.sys [2009-01-14 8832]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\SYSTEM32\DRIVERS\uac4pdt.sys [2006-09-18 15232]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3853566490-61804741-1186382756-1006.job
- c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-28 14:49]

2009-01-21 c:\windows\Tasks\User_Feed_Synchronization-{D877F16F-C7CB-4182-839C-34F334AD37DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe


.
------- Supplementary Scan -------
.
uSearch Page = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: { - c:\program files\Messenger\msmsgs.exe
Trusted Zone: bookcrossing.com\www
Trusted Zone: dyndns.org\yinionlinereg
DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\nsgkff30_meter1.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-21 20:32:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 7:47 pm

Last part:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-01-21 20:39:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-21 19:39:11

Pre-Run: 87,808,077,824 bytes free
Post-Run: 88,158,326,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=0 LastKnownGood=4 Sets=1,2,3,4
232 --- E O F --- 2009-01-14 23:11:47


Spybot has popped up again with the Spybot Deleting A2274 message.

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by Belahzur on Wed Jan 21, 2009 7:56 pm

Hello. We need to remove a Firefox Hijack.
Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Wanadoo


Now open a new notepad file.
Input this into the notepad file:

File::
c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\user.js

Folder::
c:\program files\Wanadoo

Domains::

Firefox::
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.]

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"=-
"WOOWATCH"=-
"WOOTASKBARICON"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Spyware Protect 2009

Post by A_tms on Wed Jan 21, 2009 8:25 pm

ComboFix 09-01-21.01 - Ann 2009-01-21 21:09:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.2037 [GMT 1:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ann\Desktop\CFscript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\user.js
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\user.js
c:\program files\Wanadoo
c:\program files\Wanadoo\alan.milne.pc
c:\program files\Wanadoo\SafeInstall\KitWanadoo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 20:17 . 2009-01-21 20:17 3,048,283 -ra------ c:\temp\ComboFix.exe
2009-01-21 18:52 . 2004-08-12 14:58 482,304 --a--c--- c:\windows\SYSTEM32\DLLCACHE\pintlgnt.ime
2009-01-21 18:51 . 2004-08-12 14:58 10,096,640 --a--c--- c:\windows\SYSTEM32\DLLCACHE\hwxcht.dll
2009-01-21 18:50 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\SYSTEM32\DLLCACHE\fp4awel.dll
2009-01-21 18:48 . 2004-08-12 14:58 16,384 --a--c--- c:\windows\SYSTEM32\DLLCACHE\isignup.exe
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\wuaucpl.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\sapi.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\ncpa.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 488 -rah----- c:\windows\SYSTEM32\logonui.exe.manifest
2009-01-21 18:46 . 2009-01-21 18:46 d-------- c:\windows\dell
2009-01-21 08:26 . 2004-12-21 10:20 d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-01-21 08:26 . 2004-12-21 10:23 d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-21 08:26 . 2004-12-21 10:18 d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-21 08:25 . 2009-01-21 08:26 d-------- c:\documents and settings\Administrator
2009-01-20 21:53 . 2009-01-20 21:53 d-------- c:\program files\Lavasoft
2009-01-20 21:53 . 2009-01-20 21:53 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-20 21:53 . 2009-01-20 21:55 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-20 21:50 . 2009-01-20 21:52 23,804,784 --a------ c:\temp\aaw2008-7.1.0.7.exe
2009-01-20 14:12 . 2009-01-20 14:12 788 --a------ c:\temp\fix.reg
2009-01-20 09:50 . 2009-01-20 09:51 401,720 --a------ c:\temp\Hijack(GP)This.exe
2009-01-14 14:34 . 2009-01-14 14:34 12,273 --a------ c:\temp\Ser-PhotoBlogger-SerTurista-com.zip
2009-01-14 12:20 . 2008-06-27 14:58 14,336 --a------ c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys
2009-01-14 12:20 . 2008-06-27 14:59 8,832 --a------ c:\windows\SYSTEM32\DRIVERS\km_filter.sys
2009-01-14 12:17 . 2009-01-14 12:17 d-------- c:\program files\NetRatingsNetSight
2009-01-14 12:17 . 2008-10-10 13:32 53,248 --a------ c:\windows\nswatchdog.exe
2009-01-14 12:16 . 2009-01-14 12:17 501,912 --a------ c:\temp\netsight_setup_5.1.3.20_MP_Production_New_Recruitment_UK_mid53015730615_p.exe
2009-01-10 14:57 . 2009-01-10 14:58 d-------- c:\documents and settings\Ann\Application Data\CyberLink
2009-01-05 23:33 . 2009-01-05 23:33 3,751,995 --a------ c:\windows\SYSTEM32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 19:03 --------- d-----w c:\documents and settings\Ann\Application Data\Skype
2009-01-21 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-20 15:04 --------- d-----w c:\program files\ZipCentral
2009-01-20 13:24 --------- d-----w c:\program files\Google
2009-01-20 12:47 --------- d-----w c:\documents and settings\Ann\Application Data\skypePM
2009-01-20 12:20 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-12 18:41 --------- d-----w c:\program files\Skype
2008-12-28 07:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-20 22:55 --------- d-----w c:\program files\iTunes
2008-12-20 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-20 22:54 --------- d-----w c:\program files\iPod
2008-12-20 22:54 --------- d-----w c:\program files\Common Files\Apple
2008-12-20 22:52 --------- d-----w c:\program files\QuickTime
2008-12-20 13:37 --------- d-----w c:\program files\Java
2008-06-27 13:59 163,840 ----a-w c:\program files\mozilla firefox\components\nsgkff30_meter1.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-21 20:13:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_770.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SkypeClient"="c:\program files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe" [2005-05-06 57344]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EPSON Stylus C82 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" [2003-10-15 99840]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-03 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2008-10-10 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 11:51 24638 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2599:TCP"= 2599:TCP:Labyrinth

R1 nnrnstdi;nnrnstdi;c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys [2009-01-14 14336]
R3 km_filter;km_filter;c:\windows\SYSTEM32\DRIVERS\km_filter.sys [2009-01-14 8832]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\SYSTEM32\DRIVERS\uac4pdt.sys [2006-09-18 15232]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3853566490-61804741-1186382756-1006.job
- c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-28 14:49]

2009-01-21 c:\windows\Tasks\User_Feed_Synchronization-{D877F16F-C7CB-4182-839C-34F334AD37DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
uSearch Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\nsgkff30_meter1.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-01-21 21:15:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

A_tms
Novice
Novice

Status :
Online
Offline

Posts Posts : 36
Joined Joined : 2009-01-20
OS OS : XP

View user profile

Back to top Go down

Page 1 of 2 1, 2  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum