WinSpywareProtect

WinSpywareProtect

Post by Paperhouse on 9th April 2009, 8:09 am

Came home from work to find my brother on my computer and it was infected with WinSpywareProtect. I ran Spybot Search & Destroy and Malwarebytes', and they both removed the pop-ups and alerts it had been displaying, but I still feel it may not have been completely removed.

Also, I noticed this earlier: 2009-04-07 18:39 . 2009-04-07 18:45 d-------- c:\documents and settings\HP_Owner\uspy; what is it, and is it a threat to my computer?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:24 AM, on 4/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\hp\drivers\keyboard\PS2.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
O1 - Hosts: 91.212.65.127 spywareprotector-2009.com
O1 - Hosts: 91.212.65.127 [You must be registered and logged in to see this link.]
O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E5E3A1E7-9E9D-41EE-A64A-546F6EC1CE9F} - c:\windows\system32\opsalel.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Lpecelehizuqazaq] rundll32.exe "C:\WINDOWS\esevubeqo.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - [You must be registered and logged in to see this link.] Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - [You must be registered and logged in to see this link.]
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: etgfloyx - C:\WINDOWS\SYSTEM32\opsalel.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate1c99b9e8f903320) (gupdate1c99b9e8f903320) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8058 bytes

Paperhouse
Intermediate

Posts : 142
Joined : 2009-03-03
Gender : Male
OS : Windows 10 Home
Protection : Advanced SystemCare Pro
Points : 29517
# Likes : 0

Re: WinSpywareProtect

Post by Belahzur on 9th April 2009, 1:13 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
    O1 - Hosts: 91.212.65.127 spywareprotector-2009.com
    O1 - Hosts: 91.212.65.127 [You must be registered and logged in to see this link.]
    O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
    O2 - BHO: (no name) - {E5E3A1E7-9E9D-41EE-A64A-546F6EC1CE9F} - c:\windows\system32\opsalel.dll
    O4 - HKLM\..\Run: [Lpecelehizuqazaq] rundll32.exe "C:\WINDOWS\esevubeqo.dll",e
    O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
    O20 - Winlogon Notify: etgfloyx - C:\WINDOWS\SYSTEM32\opsalel.dll
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

Re: WinSpywareProtect

Post by Paperhouse on 9th April 2009, 10:03 pm

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e5e3a1e7-9e9d-41ee-a64a-546f6ec1ce9f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\etgfloyx (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e5e3a1e7-9e9d-41ee-a64a-546f6ec1ce9f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ynyzpmhp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ynyzpmhp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ynyzpmhp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e5e3a1e7-9e9d-41ee-a64a-546f6ec1ce9f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lpecelehizuqazaq (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\opsalel.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\esevubeqo.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.


Re: WinSpywareProtect

Post by Belahzur on 9th April 2009, 10:12 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: WinSpywareProtect

Post by Paperhouse on 10th April 2009, 6:11 am

DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Owner at 23:09:48.17 on Thu 04/09/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.283 [GMT -7:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\hp\drivers\keyboard\PS2.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\hp\drivers\keyboard\PS2.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Lpecelehizuqazaq] rundll32.exe "c:\windows\asasafoxoqoyamu.dll",e
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.]
DPF: {32505657-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli wnprt580.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: XUL Cache: {8C9D03A7-7AA1-403A-B141-5A4804D35B65} - c:\documents and settings\hp_owner\local settings\application data\{8C9D03A7-7AA1-403A-B141-5A4804D35B65}

============= SERVICES / DRIVERS ===============

R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-5-12 3744]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-5-12 3904]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-12 1174152]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
R3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [2004-3-18 185216]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\google\update\GoogleUpdate.exe [2009-3-2 133104]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\drivers\bcm42u.sys [2008-4-4 66557]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
SUnknown ynyzpmhp;ynyzpmhp; [x]

=============== Created Last 30 ================

2009-04-09 04:54 --d----- c:\docume~1\hp_owner\applic~1\rbizaono
2009-04-09 01:15 --d----- c:\program files\SoulseekNS
2009-04-08 03:49 0 a------- c:\windows\Ttufesepefoqesod.bin
2009-04-08 03:49 408 a------- c:\windows\Opitecer.dat
2009-04-07 18:39 --d----- c:\documents and settings\hp_owner\uspy
2009-04-07 18:38 --d----- c:\program files\Between the Worlds
2009-04-05 23:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 23:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 23:05 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 20:13 --d----- c:\docume~1\alluse~1\applic~1\Black Blob Studios
2009-04-05 17:07 --d----- c:\docume~1\hp_owner\applic~1\Deckadance
2009-04-05 02:41 225,280 a------- c:\windows\system32\rewire.dll
2009-04-05 02:41 --d----- c:\program files\VstPlugins
2009-04-05 02:40 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-04-05 02:40 --d----- c:\program files\Outsim
2009-04-05 02:36 --d----- c:\program files\Image-Line
2009-04-04 06:07 162,616 -------- C:\RegDelNull.exe
2009-04-02 02:55 1,193 a------- C:\net_save.dna
2009-04-02 02:55 --d----- c:\program files\support.com
2009-04-02 02:55 --d----- c:\program files\common files\SupportSoft
2009-03-31 18:01 --d----- c:\program files\Echo - Secret of the Lost Cavern
2009-03-30 12:50 --d----- c:\program files\Foxit Software
2009-03-30 12:50 --d----- c:\docume~1\hp_owner\applic~1\Foxit
2009-03-29 01:50 --d----- c:\program files\Flip Words 2
2009-03-28 18:17 --d----- c:\docume~1\hp_owner\applic~1\Pogo Games
2009-03-27 21:14 --d----- c:\program files\ReflexiveArcade
2009-03-27 17:57 --d----- c:\docume~1\alluse~1\applic~1\Intenium
2009-03-27 00:21 --d----- c:\program files\iWin.com
2009-03-27 00:21 --d----- c:\docume~1\alluse~1\applic~1\iWin Games
2009-03-25 00:56 --d----- c:\program files\Oberon Media
2009-03-25 00:56 --d----- c:\program files\MSN Games
2009-03-24 23:54 --d----- c:\docume~1\alluse~1\applic~1\Shockwave
2009-03-24 21:04 --d----- c:\docume~1\alluse~1\applic~1\HipSoft
2009-03-24 18:22 --d----- c:\docume~1\hp_owner\applic~1\Dreamsdwell Stories
2009-03-23 01:48 4,767 a------- c:\windows\Irremote.ini
2009-03-23 01:11 --d----- c:\program files\Nero
2009-03-23 01:10 --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-03-21 22:50 --d----- c:\docume~1\alluse~1\applic~1\IJJIGame
2009-03-21 13:25 --d----- c:\docume~1\hp_owner\applic~1\Burdaloo
2009-03-17 19:03 --d----- c:\docume~1\hp_owner\applic~1\Lost in the City
2009-03-15 21:18 2,736,890 a------- c:\windows\system32\GameMon.des
2009-03-14 18:25 16 a------- c:\windows\popcinfo.dat
2009-03-14 15:57 --d----- c:\documents and settings\hp_owner\Saved Games
2009-03-14 15:57 --d----- c:\docume~1\hp_owner\applic~1\Flood Light Games
2009-03-14 15:57 --d----- c:\docume~1\alluse~1\applic~1\Flood Light Games
2009-03-12 19:36 --d----- C:\ProgramData

==================== Find3M ====================

2009-04-08 23:58 34 a------- c:\documents and settings\hp_owner\jagex_runescape_preferences.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-02 18:26 499,712 a------- c:\windows\system32\msvcp71.dll
2009-02-28 17:59 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-24 04:30 2,560 a------- c:\windows\_MSRSTRT.EXE
2005-12-16 09:11 996,968 a------- c:\program files\aolsetup.exe
2005-05-27 19:15 0 ac-sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 23:09:59.10 ===============


Re: WinSpywareProtect

Post by Belahzur on 10th April 2009, 1:46 pm

Hello.

You don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Please install it and update, but do not run a scan yet.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

  • Please double-click GooredFix.exe on your Desktop to run it.
  • Select 2. Fix Goored by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open; please post the contents of that log in your next reply (it can also be found on your Desktop, called GooredLog.txt).


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: WinSpywareProtect

Post by Paperhouse on 10th April 2009, 9:32 pm

GooredFix v1.92 by jpshortstuff
Log created at 14:32 on 10/04/2009 running Option #2 (HP_Owner)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{8C9D03A7-7AA1-403A-B141-5A4804D35B65}"="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\{8C9D03A7-7AA1-403A-B141-5A4804D35B65}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\{8C9D03A7-7AA1-403A-B141-5A4804D35B65}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


Re: WinSpywareProtect

Post by Belahzur on 10th April 2009, 9:36 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :services
    npggsvc
    ynyzpmhp

    :files
    C:\RegDelNull.exe
    C:\net_save.dna
    c:\docume~1\alluse~1\applic~1\iWin Games
    c:\program files\iWin.com
    c:\windows\system32\GameMon.des
    c:\windows\popcinfo.dat

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Lpecelehizuqazaq"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoViewOnDrive"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


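A small triage script, added here as an example (it is not code from the thread, nor from HijackThis, DDS, MBAM or OTMoveIt), that applies the checks behind the fix lists above to the log lines quoted in this thread: Userinit entries other than userinit.exe, hosts entries that point real names at a non-loopback address, Run entries that use rundll32 to load a DLL from the Windows root, Winlogon Notify DLLs, and LSA Notification Packages beyond scecli; it also decodes and re-encodes the hex(7) REG_MULTI_SZ value that the OTMoveIt :reg section writes back. The baselines it assumes (userinit.exe alone, scecli alone) are Windows XP defaults, and the rundll32 check is a heuristic of my own, not something the helper stated.

```python
"""Triage helpers for the HijackThis / DDS log lines quoted in this thread.

Added example; not part of the original posts and not code from any of the
tools they mention. Sample lines are copied from the logs posted above.
"""
import re

# Constructed sample: lines taken from the HijackThis log posted in the thread.
HJT_SAMPLE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lpecelehizuqazaq] rundll32.exe "C:\WINDOWS\esevubeqo.dll",e
O20 - Winlogon Notify: etgfloyx - C:\WINDOWS\SYSTEM32\opsalel.dll
"""
# Constructed sample: the LSA line from the DDS report and the OTMoveIt :reg fix value.
DDS_LSA_LINE = "LSA: Notification Packages = scecli wnprt580.dll"
OTMOVEIT_FIX = "hex(7):73,63,65,63,6c,69,00,00"

LOOPBACK = {"127.0.0.1", "::1"}


def rogue_userinit_entries(f2_line):
    """Userinit is a comma-separated list; Windows only needs userinit.exe itself.
    Every other entry is launched by Winlogon at logon, so list it for review."""
    m = re.search(r"UserInit=(.*)$", f2_line, re.IGNORECASE)
    if not m:
        return []
    entries = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return [p for p in entries if p.rsplit("\\", 1)[-1].lower() != "userinit.exe"]


def rogue_hosts_entry(o1_line):
    """Return (ip, host) when a hosts entry points a name at a non-loopback
    address; rogue AV commonly redirects vendor or 'security' domains this way."""
    m = re.match(r"O1 - Hosts:\s+(\S+)\s+(\S+)", o1_line)
    if not m or m.group(1) in LOOPBACK:
        return None
    return m.group(1), m.group(2)


def rundll32_dll_in_windows_root(o4_line):
    """Heuristic (assumption of this example): a Run entry that uses rundll32 to
    load a DLL sitting directly in the Windows directory, not a subfolder."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', o4_line, re.IGNORECASE)
    if not m:
        return None
    dll = m.group(1)
    parent = dll.rsplit("\\", 1)[0].lower()
    return dll if parent in ("c:\\windows", "c:\\winnt") else None


def triage_hjt(log_text):
    """Run the checks above over a HijackThis log; return (line_type, detail) pairs."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 "):
            findings += [("F2", e) for e in rogue_userinit_entries(line)]
        elif line.startswith("O1 "):
            hit = rogue_hosts_entry(line)
            if hit:
                findings.append(("O1", hit))
        elif line.startswith("O4 "):
            dll = rundll32_dll_in_windows_root(line)
            if dll:
                findings.append(("O4", dll))
        elif line.startswith("O20 "):
            # Winlogon Notify DLLs run inside winlogon.exe; list every one for review.
            findings.append(("O20", line.split(" - ", 2)[-1]))
    return findings


def decode_reg_multi_sz(hex7):
    """Decode a .reg-style hex(7) REG_MULTI_SZ (NUL-separated strings, ending in
    a double NUL). The OTMoveIt script above uses single-byte characters, so the
    bytes are decoded as latin-1 rather than UTF-16LE (an assumption here)."""
    body = hex7.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def encode_reg_multi_sz(strings):
    """Inverse of decode_reg_multi_sz; yields the value format used in the :reg fix."""
    raw = "".join(s + "\x00" for s in strings) + "\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw.encode("latin-1"))


def rogue_lsa_packages(dds_lsa_line, baseline=("scecli",)):
    """LSA notification packages load into lsass.exe and are told about every
    password change, so anything beyond the XP default (scecli) needs review."""
    packages = dds_lsa_line.split("=", 1)[1].split()
    return [p for p in packages
            if re.sub(r"\.dll$", "", p, flags=re.IGNORECASE).lower() not in baseline]


if __name__ == "__main__":
    for kind, detail in triage_hjt(HJT_SAMPLE):
        print(kind, detail)
    print("LSA packages to review:", rogue_lsa_packages(DDS_LSA_LINE))
    print("OTMoveIt :reg value restores:", decode_reg_multi_sz(OTMOVEIT_FIX))
```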

Re: WinSpywareProtect

Post by Paperhouse on 10th April 2009, 9:49 pm

========== SERVICES/DRIVERS ==========

Service\Driver npggsvc deleted successfully.
Service\Driver ynyzpmhp not found.
Service\Driver ynyzpmhp not found.
========== FILES ==========
C:\RegDelNull.exe moved successfully.
C:\net_save.dna moved successfully.
c:\docume~1\alluse~1\applic~1\iWin Games\opal moved successfully.
c:\docume~1\alluse~1\applic~1\iWin Games\drm\data moved successfully.
c:\docume~1\alluse~1\applic~1\iWin Games\drm moved successfully.
c:\docume~1\alluse~1\applic~1\iWin Games moved successfully.
c:\program files\iWin.com moved successfully.
c:\windows\system32\GameMon.des moved successfully.
c:\windows\popcinfo.dat moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Lpecelehizuqazaq deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoViewOnDrive deleted successfully.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04102009_144900

Paperhouse
Intermediate
Intermediate

Posts Posts : 142
Joined Joined : 2009-03-03
Gender Gender : Male
OS OS : Windows 10 Home
Protection Protection : Advanced SystemCare Pro
Points Points : 29517
# Likes # Likes : 0


Re: WinSpywareProtect

Post by Belahzur on 10th April 2009, 9:52 pm

Hello.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

I missed two files when making the OTMoveIt script for you, so we'll need to re-run that.

  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    C:\Documents and Settings\HP_Owner\Desktop\dds.scr
    c:\windows\Ttufesepefoqesod.bin
    c:\windows\Opitecer.dat


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log and the uninstall log, use more than one post if you need to.



Re: WinSpywareProtect

Post by Paperhouse on 11th April 2009, 8:27 am

AC3Filter (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11
Agere Systems PCI Soft Modem
Alabama Smith: Escape from Pompeii
Apple Mobile Device Support
Apple Software Update
Art of Murder: FBI Confidential
AviSynth 2.5
Between the Worlds
Big Fish Games Client
Bonjour
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Diablo II
DivX Web Player
Echo: Secret of the Lost Cavern
Firebird 2.1.0.16780 (Win32)
Flip Words 2
Foxit Reader
Google Update Helper
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Deskjet 3900 series
HP Deskjet Preloaded Printer Drivers
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Photo & Imaging 3.5 - HP Devices
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
Intel(R) Extreme Graphics Driver
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 13
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
Miss Teri Tale: Vote 4 Me
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Mystery Case Files: Return to Ravenhearst
Nero 9 Trial
neroxml
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB960714)
Security Update for Windows Internet Explorer 8 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SoulSeek 157 NS 13c
Spybot - Search & Destroy
Syberia
Syberia II
Symantec KB-DocID:2003093015493306
System Requirements Lab
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Internet Explorer 8 Beta 2
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

========== FILES ==========
C:\Documents and Settings\HP_Owner\Desktop\dds.scr moved successfully.
c:\windows\Ttufesepefoqesod.bin moved successfully.
c:\windows\Opitecer.dat moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04112009_012744


Re: WinSpywareProtect

Post by Belahzur on 11th April 2009, 1:44 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Java 2 Runtime Environment, SE v1.4.2_03
  • Java(TM) 6 Update 6
  • Java(TM) 6 Update 7

    We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?



Re: WinSpywareProtect

Post by Paperhouse on 11th April 2009, 7:18 pm

Performance-wise, the computer is perfect, but as of Thursday whenever I click on a link in a Google/Yahoo! search I am sent to a Lowpriceshopper.com search page instead of the intended link, and I have to click back and search again for the correct page to load.


Re: WinSpywareProtect

Post by Belahzur on 11th April 2009, 7:20 pm

Download DDS again and post the new log.



Re: WinSpywareProtect

Post by Paperhouse on 12th April 2009, 3:19 am

DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Owner at 20:15:28.01 on Sat 04/11/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.341 [GMT -7]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\hp\drivers\keyboard\PS2.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\hp\drivers\keyboard\PS2.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Lpecelehizuqazaq] rundll32.exe "c:\windows\asasafoxoqoyamu.dll",e
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.]
DPF: {32505657-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli wnprt580.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: XUL Cache: {3851221E-BE15-430A-9639-1C051BAAA5F9} - c:\documents and settings\hp_owner\local settings\application data\{3851221E-BE15-430A-9639-1C051BAAA5F9}

============= SERVICES / DRIVERS ===============

R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-5-12 3744]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-5-12 3904]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-12 1174152]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\google\update\GoogleUpdate.exe [2009-3-2 133104]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\drivers\bcm42u.sys [2008-4-4 66557]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [2004-3-18 185216]

=============== Created Last 30 ================

2009-04-11 01:48 0 a------- c:\windows\Ttufesepefoqesod.bin
2009-04-11 01:48 408 a------- c:\windows\Opitecer.dat
2009-04-09 04:54 --d----- c:\docume~1\hp_owner\applic~1\rbizaono
2009-04-09 01:15 --d----- c:\program files\SoulseekNS
2009-04-07 18:39 --d----- c:\documents and settings\hp_owner\uspy
2009-04-07 18:38 --d----- c:\program files\Between the Worlds
2009-04-05 23:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 23:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 23:05 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 20:13 --d----- c:\docume~1\alluse~1\applic~1\Black Blob Studios
2009-04-05 17:07 --d----- c:\docume~1\hp_owner\applic~1\Deckadance
2009-04-05 02:41 225,280 a------- c:\windows\system32\rewire.dll
2009-04-05 02:41 --d----- c:\program files\VstPlugins
2009-04-05 02:40 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-04-05 02:40 --d----- c:\program files\Outsim
2009-04-05 02:36 --d----- c:\program files\Image-Line
2009-04-02 02:55 --d----- c:\program files\support.com
2009-04-02 02:55 --d----- c:\program files\common files\SupportSoft
2009-03-31 18:01 --d----- c:\program files\Echo - Secret of the Lost Cavern
2009-03-30 12:50 --d----- c:\program files\Foxit Software
2009-03-30 12:50 --d----- c:\docume~1\hp_owner\applic~1\Foxit
2009-03-29 01:50 --d----- c:\program files\Flip Words 2
2009-03-28 18:17 --d----- c:\docume~1\hp_owner\applic~1\Pogo Games
2009-03-27 21:14 --d----- c:\program files\ReflexiveArcade
2009-03-27 17:57 --d----- c:\docume~1\alluse~1\applic~1\Intenium
2009-03-25 00:56 --d----- c:\program files\Oberon Media
2009-03-25 00:56 --d----- c:\program files\MSN Games
2009-03-24 23:54 --d----- c:\docume~1\alluse~1\applic~1\Shockwave
2009-03-24 21:04 --d----- c:\docume~1\alluse~1\applic~1\HipSoft
2009-03-24 18:22 --d----- c:\docume~1\hp_owner\applic~1\Dreamsdwell Stories
2009-03-23 01:48 4,767 a------- c:\windows\Irremote.ini
2009-03-23 01:11 --d----- c:\program files\Nero
2009-03-23 01:10 --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-03-21 22:50 --d----- c:\docume~1\alluse~1\applic~1\IJJIGame
2009-03-21 13:25 --d----- c:\docume~1\hp_owner\applic~1\Burdaloo
2009-03-17 19:03 --d----- c:\docume~1\hp_owner\applic~1\Lost in the City
2009-03-14 15:57 --d----- c:\documents and settings\hp_owner\Saved Games
2009-03-14 15:57 --d----- c:\docume~1\hp_owner\applic~1\Flood Light Games
2009-03-14 15:57 --d----- c:\docume~1\alluse~1\applic~1\Flood Light Games

==================== Find3M ====================

2009-04-08 23:58 34 a------- c:\documents and settings\hp_owner\jagex_runescape_preferences.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-02 18:26 499,712 a------- c:\windows\system32\msvcp71.dll
2009-02-28 17:59 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-24 04:30 2,560 a------- c:\windows\_MSRSTRT.EXE
2005-12-16 09:11 996,968 a------- c:\program files\aolsetup.exe
2005-05-27 19:15 0 ac-sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 20:16:27.68 ===============

Edit: Also, I forgot to mention my default search engine is stuck on FastBrowserSearch and that I would like to be able to change it back to Google.

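Two things in this thread lend themselves to an automated check: the uninstall list, where three superseded Java runtimes were left installed beside the current one, and the DDS "Pseudo HJT Report" above, which still lists the rundll32 Run entry, the extra LSA notification package and the dead toolbar CLSIDs after the first clean-up. The Python below is an added example, not DDS, HijackThis or forum code: a small triage pass that flags those kinds of lines. The sample lines are copied from the logs posted in this thread; the rules, severities, baseline and function names are choices made for this example.

```python
# Added example, not DDS, HijackThis or forum code. Triage rules over a DDS
# "Pseudo HJT Report" and a HijackThis uninstall list. Rules, severities
# and names are choices made for this example.
import re

# Constructed sample: lines copied from the DDS log posted above.
DDS_SAMPLE = r"""mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Lpecelehizuqazaq] rundll32.exe "c:\windows\asasafoxoqoyamu.dll",e
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
LSA: Notification Packages = scecli wnprt580.dll
FF - HiddenExtension: XUL Cache: {3851221E-BE15-430A-9639-1C051BAAA5F9} - c:\documents and settings\hp_owner\local settings\application data\{3851221E-BE15-430A-9639-1C051BAAA5F9}
"""

# Constructed sample: lines copied from the uninstall list posted above.
UNINSTALL_SAMPLE = """\
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 13
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Mozilla Firefox (3.0.8)
"""

# rundll32 loading a DLL that sits directly in %windir%, not in a subdirectory.
RUNDLL_WINDIR_ROOT = re.compile(
    r'rundll32(?:\.exe)?\s+"?([a-z]:\\windows\\[^\\"]+\.dll)"?', re.I)
LSA_BASELINE = {"scecli"}  # assumption: Windows XP default for Notification Packages


def triage_dds(report: str) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs for suspicious Pseudo HJT Report lines."""
    findings = []
    for line in report.splitlines():
        tag, _, rest = line.partition(": ")
        if tag.endswith(("Run", "RunOnce")):
            m = RUNDLL_WINDIR_ROOT.search(rest)
            if m:  # autorun that loads a bare DLL from the Windows root via rundll32
                findings.append(("high", f"{tag} loads {m.group(1)} through rundll32 from the Windows root"))
        elif tag == "TB" and rest.endswith("- No File"):
            findings.append(("low", f"orphaned toolbar entry {rest.split()[0]}"))
        elif tag == "LSA" and rest.startswith("Notification Packages ="):
            for pkg in rest.split("=", 1)[1].split():
                if pkg.lower() not in LSA_BASELINE:  # extra DLL loaded into lsass.exe
                    findings.append(("high", f"non-default LSA notification package {pkg}"))
        elif tag == "FF - HiddenExtension":
            findings.append(("medium", f"hidden Firefox extension: {rest}"))
    return findings


JAVA6 = re.compile(r"^Java\(TM\) (\d+) Update (\d+)$")
JAVA_OLD = re.compile(r"^Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)_(\d+)$")


def java_version(entry: str):
    """Map an uninstall-list entry to a comparable (1, major, minor, update) tuple."""
    m = JAVA6.match(entry)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    m = JAVA_OLD.match(entry)
    if m:
        return tuple(int(g) for g in m.groups())
    return None


def stale_java(uninstall_list: str) -> list[str]:
    """Every installed JRE except the newest; each one is a separate, unpatched runtime."""
    found = [(java_version(e), e) for e in uninstall_list.splitlines() if java_version(e)]
    if not found:
        return []
    newest = max(v for v, _ in found)
    return [e for v, e in found if v < newest]


if __name__ == "__main__":
    for sev, why in triage_dds(DDS_SAMPLE):
        print(f"[{sev}] {why}")
    for entry in stale_java(UNINSTALL_SAMPLE):
        print("[remove]", entry)
```

Run as-is it reports the four entries named above and the same three Java runtimes that were asked to be uninstalled; the regex deliberately ignores rundll32 entries whose DLL lives under system32, so vendor helpers such as igfxsrvc.dll are not flagged.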

Re: WinSpywareProtect

Post by Belahzur on 12th April 2009, 2:31 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: WinSpywareProtect

Post by Paperhouse on 12th April 2009, 7:29 pm

ComboFix 09-04-13.03 - HP_Owner 2009-04-12 12:10.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.215 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-11 08:48 . 2009-04-12 09:26 0 ----a-w c:\windows\Ttufesepefoqesod.bin
2009-04-11 08:48 . 2009-04-12 09:26 408 ----a-w c:\windows\Opitecer.dat
2009-04-09 11:54 . 2009-04-09 11:54 -------- d-----w c:\documents and settings\HP_Owner\Application Data\rbizaono
2009-04-09 11:24 . 2009-04-09 11:24 -------- d-----w c:\documents and settings\NetworkService\Application Data\rbizaono
2009-04-09 08:15 . 2009-04-09 08:15 -------- d-----w c:\program files\SoulseekNS
2009-04-08 01:39 . 2009-04-08 01:45 -------- d-----w c:\documents and settings\HP_Owner\uspy
2009-04-08 01:38 . 2009-04-10 01:36 -------- d-----w c:\program files\Between the Worlds
2009-04-06 06:05 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 06:05 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 06:05 . 2009-04-06 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 03:13 . 2009-04-06 03:13 -------- d-----w c:\documents and settings\All Users\Application Data\Black Blob Studios
2009-04-06 00:07 . 2009-04-06 00:07 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Deckadance
2009-04-05 09:41 . 2009-04-09 10:06 -------- d-----w c:\program files\VstPlugins
2009-04-05 09:41 . 2006-06-20 08:56 225280 ----a-w c:\windows\system32\rewire.dll
2009-04-05 09:40 . 2002-07-07 22:14 1294336 ----a-w c:\windows\system32\vorbis.acm
2009-04-05 09:40 . 2009-04-05 09:40 -------- d-----w c:\program files\Outsim
2009-04-05 09:36 . 2009-04-09 10:24 -------- d-----w c:\program files\Image-Line
2009-04-02 09:55 . 2009-04-02 09:56 -------- d-----w c:\program files\support.com
2009-04-02 09:55 . 2009-04-02 09:55 -------- d-----w c:\program files\Common Files\SupportSoft
2009-04-01 01:01 . 2009-04-03 03:34 -------- d-----w c:\program files\Echo - Secret of the Lost Cavern
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\program files\Foxit Software
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Foxit
2009-03-29 08:50 . 2009-03-29 09:23 -------- d-----w c:\program files\Flip Words 2
2009-03-29 01:17 . 2009-03-29 01:17 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Pogo Games
2009-03-28 04:14 . 2009-03-28 04:14 -------- d-----w c:\program files\ReflexiveArcade
2009-03-28 00:57 . 2009-03-28 00:57 -------- d-----w c:\documents and settings\All Users\Application Data\Intenium
2009-03-25 07:56 . 2009-03-25 11:03 -------- d-----w c:\program files\MSN Games
2009-03-25 07:56 . 2009-03-25 07:56 -------- d-----w c:\program files\Oberon Media
2009-03-25 06:54 . 2009-03-25 06:54 -------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2009-03-25 04:04 . 2009-03-25 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2009-03-25 01:22 . 2009-03-25 01:22 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dreamsdwell Stories
2009-03-23 20:00 . 2009-03-23 20:08 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Nero
2009-03-23 08:48 . 2009-03-23 08:48 4767 ----a-w c:\windows\Irremote.ini
2009-03-23 08:43 . 2009-03-23 08:43 -------- d-----w c:\program files\Windows Sidebar
2009-03-23 08:11 . 2009-03-23 08:46 -------- d-----w c:\program files\Nero
2009-03-23 08:10 . 2009-03-23 08:30 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-03-23 08:10 . 2009-03-23 09:13 -------- d-----w c:\program files\Common Files\Nero
2009-03-22 05:50 . 2009-03-22 07:49 -------- d-----w c:\documents and settings\All Users\Application Data\IJJIGame
2009-03-21 20:25 . 2009-03-21 20:31 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Burdaloo
2009-03-18 02:03 . 2009-03-21 03:55 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Lost in the City
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\HP_Owner\Saved Games
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Flood Light Games
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\Flood Light Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 19:01 . 2004-08-12 02:36 -------- d-----w c:\program files\Java
2009-04-10 01:36 . 2008-12-09 01:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-09 06:58 . 2008-08-30 02:53 34 ----a-w c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
2009-04-06 06:32 . 2009-03-01 00:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 02:58 . 2008-12-09 01:18 -------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-04-04 13:06 . 2009-04-03 01:02 0 ----a-w C:\look.txt
2009-04-03 01:03 . 2009-04-03 01:03 966 ----a-w C:\look1.txt
2009-04-01 10:13 . 2009-03-02 10:21 -------- d-----w c:\program files\Trend Micro
2009-03-28 11:48 . 2004-08-12 03:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 08:52 . 2008-10-11 16:01 -------- d-----w c:\program files\MySpace
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\HP_Owner\Application Data\PlayFirst
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-23 08:33 . 2008-10-25 18:02 -------- d-----w c:\program files\WarRock
2009-03-19 08:49 . 2008-10-05 22:01 -------- d-----w c:\program files\Diablo II
2009-03-16 04:13 . 2008-07-26 03:28 -------- d--h--w c:\documents and settings\HP_Owner\Application Data\ijjigame
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\program files\NOS
2009-03-12 12:48 . 2004-12-31 21:04 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 02:43 . 2009-03-11 02:43 -------- d-----w c:\documents and settings\HP_Owner\Application Data\SerpentOfIsis
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\HP_Owner\Application Data\ZEMNOTT
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\All Users\Application Data\ZEMNOTT
2009-03-09 12:19 . 2008-12-22 15:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 04:14 . 2009-03-05 04:14 -------- d-----w c:\documents and settings\HP_Owner\Application Data\BrandX Games
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\program files\Lavasoft
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-04 15:10 . 2009-03-02 05:02 2742 ----a-w C:\aaw7boot.log
2009-03-03 06:35 . 2004-08-12 03:52 -------- d-----w c:\program files\Common Files\Real
2009-03-03 06:16 . 2009-03-03 01:22 -------- d-----w c:\program files\Google
2009-03-03 01:26 . 2003-08-13 01:17 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-02 04:40 . 2009-03-01 00:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 01:20 . 2008-10-17 00:17 -------- d-----w c:\program files\SpacialAudio
2009-03-01 00:59 . 2009-03-01 00:59 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-01 00:43 . 2009-03-01 00:43 -------- d-----w c:\program files\UBISOFT
2009-02-26 03:45 . 2009-02-13 02:52 -------- d-----w c:\documents and settings\All Users\Application Data\MysteryChronicles
2009-02-25 03:28 . 2008-12-12 03:06 -------- d-----w c:\program files\Mystery Case Files - Return to Ravenhearst
2009-02-19 02:01 . 2009-02-19 02:01 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dragon Altar Games
2009-02-18 19:30 . 2004-08-12 04:07 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\AviSynth 2.5
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\Red Kawa
2009-02-13 03:29 . 2009-02-13 03:24 -------- d-----w c:\program files\Art of Murder - FBI Confidential
2009-02-09 11:13 . 2004-09-20 02:21 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-24 11:30 . 2009-01-24 11:30 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-01-23 15:58 . 2008-11-03 09:38 268 ---ha-w C:\sqmdata12.sqm
2009-01-23 15:58 . 2008-11-03 09:38 244 ---ha-w C:\sqmnoopt12.sqm
2009-01-22 23:46 . 2008-11-03 01:31 268 ---ha-w C:\sqmdata11.sqm
2009-01-22 23:46 . 2008-11-03 01:31 244 ---ha-w C:\sqmnoopt11.sqm
2009-01-22 20:48 . 2008-11-02 23:58 268 ---ha-w C:\sqmdata10.sqm
2009-01-22 20:48 . 2008-11-02 23:58 244 ---ha-w C:\sqmnoopt10.sqm
2009-01-21 19:21 . 2008-11-02 18:28 268 ---ha-w C:\sqmdata09.sqm
2009-01-21 19:21 . 2008-11-02 18:28 244 ---ha-w C:\sqmnoopt09.sqm
2009-01-21 05:31 . 2008-10-05 06:16 268 ---ha-w C:\sqmdata08.sqm
2009-01-21 05:31 . 2008-10-05 06:16 244 ---ha-w C:\sqmnoopt08.sqm
2009-01-20 21:39 . 2008-08-22 05:04 268 ---ha-w C:\sqmdata07.sqm
2009-01-20 21:39 . 2008-08-22 05:04 244 ---ha-w C:\sqmnoopt07.sqm
2009-01-20 21:37 . 2008-07-26 00:25 268 ---ha-w C:\sqmdata06.sqm
2009-01-20 21:37 . 2008-07-26 00:25 244 ---ha-w C:\sqmnoopt06.sqm
2009-01-19 20:56 . 2008-07-21 08:58 268 ---ha-w C:\sqmdata05.sqm
2009-01-19 20:56 . 2008-07-21 08:58 244 ---ha-w C:\sqmnoopt05.sqm
2009-01-18 06:17 . 2008-07-21 07:05 268 ---ha-w C:\sqmdata04.sqm
2009-01-18 06:17 . 2008-07-21 07:05 244 ---ha-w C:\sqmnoopt04.sqm
2009-01-17 21:21 . 2008-07-21 06:24 268 ---ha-w C:\sqmdata03.sqm
2009-01-17 21:21 . 2008-07-21 06:24 244 ---ha-w C:\sqmnoopt03.sqm
2009-01-16 19:40 . 2008-07-15 07:16 268 ---ha-w C:\sqmdata02.sqm
2009-01-16 19:40 . 2008-07-15 07:16 244 ---ha-w C:\sqmnoopt02.sqm
2009-01-16 14:16 . 2008-07-15 06:23 268 ---ha-w C:\sqmdata01.sqm
2009-01-16 14:16 . 2008-07-15 06:23 244 ---ha-w C:\sqmnoopt01.sqm
2009-01-16 14:01 . 2008-06-07 13:26 268 ---ha-w C:\sqmdata00.sqm
2009-01-16 14:00 . 2008-06-07 13:26 244 ---ha-w C:\sqmnoopt00.sqm
2009-01-15 15:49 . 2008-11-05 06:49 268 ---ha-w C:\sqmdata19.sqm
2009-01-15 15:49 . 2008-11-05 06:49 244 ---ha-w C:\sqmnoopt19.sqm
2009-01-15 12:44 . 2008-11-05 05:37 268 ---ha-w C:\sqmdata18.sqm
2009-01-15 12:44 . 2008-11-05 05:37 244 ---ha-w C:\sqmnoopt18.sqm
2009-01-14 01:23 . 2008-11-05 04:00 268 ---ha-w C:\sqmdata17.sqm
2009-01-14 01:23 . 2008-11-05 04:00 244 ---ha-w C:\sqmnoopt17.sqm
2009-01-13 19:33 . 2008-11-04 21:29 268 ---ha-w C:\sqmdata16.sqm
2009-01-13 19:33 . 2008-11-04 21:29 244 ---ha-w C:\sqmnoopt16.sqm
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w c:\program files\aolsetup.exe
.


Re: WinSpywareProtect

Post by Paperhouse on 12th April 2009, 7:29 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\hp\drivers\keyboard\PS2.EXE" [2002-10-16 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Lpecelehizuqazaq"="c:\windows\asasafoxoqoyamu.dll" [2008-04-13 157696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-04 235936]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wnprt580.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-08-20 16:55 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-12-17 23:31 118784 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

R2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 133104]
R3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\BCM42U.SYS [2001-08-17 66557]
R3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\DRIVERS\RTL8180.SYS [2004-03-18 185216]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ynyzpmhp
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-04-13 c:\windows\Tasks\At1.job
- c:\windows\system32\opsalel.dll []

2009-04-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 18:22]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-13 12:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-43142456-temp 8088 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3143176755-2771415027-1815967617-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9C5CB09C-8EC3-CAE6-3765-41C6A2EF45AE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ianfmhkainepeeakbp"=hex:6b,61,6f,6f,65,6a,6f,62,66,67,6f,61,6b,67,63,70,65,66,
64,6d,6b,6d,00,00
"hadfocdnehjbaepf"=hex:6a,61,62,6e,64,6a,6e,6e,69,64,61,6a,6e,65,64,67,6f,62,
6b,6f,00,00
"iabhdhohnmmmpmlgef"=hex:63,61,6b,6f,6a,69,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(584)
c:\windows\wnprt580.dll

- - - - - - - > 'explorer.exe'(2204)
c:\windows\system32\ieframe.dll
c:\windows\wnprt580.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\asasafoxoqoyamu.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-13 12:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 19:24

Pre-Run: 13,866,471,424 bytes free
Post-Run: 13,758,812,160 bytes free

288 --- E O F --- 2009-04-07 11:16


Re: WinSpywareProtect

Post by Belahzur on 12th April 2009, 7:35 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\Ttufesepefoqesod.bin
c:\windows\Opitecer.dat
C:\sqmdata12.sqm
C:\sqmnoopt12.sqm
C:\sqmdata11.sqm
C:\sqmnoopt11.sqm
C:\sqmdata10.sqm
C:\sqmnoopt10.sqm
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\sqmdata19.sqm
C:\sqmnoopt19.sqm
C:\sqmdata18.sqm
C:\sqmnoopt18.sqm
C:\sqmdata17.sqm
C:\sqmnoopt17.sqm
C:\sqmdata16.sqm
C:\sqmnoopt16.sqm
c:\windows\asasafoxoqoyamu.dll
c:\windows\Tasks\At1.job

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lpecelehizuqazaq"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=-

NetSvc::
ynyzpmhp

Domains::

Firefox::
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]

RegNull::
[HKEY_USERS\S-1-5-21-3143176755-2771415027-1815967617-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9C5CB09C-8EC3-CAE6-3765-41C6A2EF45AE}*]

RegLock::
[HKEY_USERS\S-1-5-21-3143176755-2771415027-1815967617-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9C5CB09C-8EC3-CAE6-3765-41C6A2EF45AE}*]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
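The Registry:: stanza above rewrites the LSA "Notification Packages" value as a hex(7) REG_MULTI_SZ, which is how the extra wnprt580.dll gets dropped from the list lsass.exe loads at boot. As an added example, not part of this thread and not ComboFix's own code, here is a small Python script that decodes and builds such hex(7) values, parses the "Notification Packages REG_MULTI_SZ ..." line from the ComboFix log, reports anything beyond the stock package, and emits the same Registry:: stanza. The baseline package set and all function names are this example's own assumptions.

```python
r"""
Added example (not from the thread or from ComboFix): decode and build the
REGEDIT4-style hex(7) REG_MULTI_SZ value that a CFScript Registry:: stanza
writes to HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Notification Packages".

REG_MULTI_SZ is a sequence of NUL-terminated strings followed by one extra
NUL.  In REGEDIT4 syntax the hex(7) bytes are single-byte ANSI characters
(the 'Windows Registry Editor Version 5.00' format uses UTF-16LE instead),
which is why 'scecli' + NUL + NUL is exactly the 8 bytes seen in the script.
"""
import re

# Assumption of this example: scecli is the only package expected on a stock XP box.
BASELINE_PACKAGES = {"scecli"}

NOTIFY_LINE = re.compile(r"Notification Packages\s+REG_MULTI_SZ\s+(.*)", re.I)


def decode_multi_sz_hex(hex_value):
    """'73,63,65,63,6c,69,00,00' -> ['scecli'].  Accepts .reg line continuations."""
    cleaned = hex_value.replace("\\\n", "").replace(" ", "")
    raw = bytes(int(tok, 16) for tok in cleaned.split(",") if tok)
    if not raw.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    body = raw[:-2].decode("latin-1")
    return body.split("\x00") if body else []


def encode_multi_sz_hex(strings):
    """['scecli'] -> '73,63,65,63,6c,69,00,00' (REGEDIT4 single-byte encoding)."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) if strings else b"\x00"
    raw += b"\x00"  # list terminator
    return ",".join(f"{b:02x}" for b in raw)


def packages_from_log_line(line):
    """Parse ComboFix's 'Notification Packages REG_MULTI_SZ scecli wnprt580.dll'."""
    m = NOTIFY_LINE.search(line)
    if not m:
        raise ValueError("not a Notification Packages line")
    return m.group(1).split()


def unexpected_packages(packages):
    """Every package here is a DLL loaded into lsass.exe at boot; flag non-baseline ones."""
    return [p for p in packages if p.lower() not in BASELINE_PACKAGES]


def cfscript_registry_fix(packages_to_keep):
    """The Registry:: stanza that resets the value to only the packages we trust."""
    return (
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
        f'"Notification Packages"=hex(7):{encode_multi_sz_hex(packages_to_keep)}'
    )


if __name__ == "__main__":
    # Constructed from the log line quoted in the thread above.
    log_line = "Notification Packages REG_MULTI_SZ scecli wnprt580.dll"
    pkgs = packages_from_log_line(log_line)
    print("loaded by lsass:", pkgs)
    print("not in baseline:", unexpected_packages(pkgs))
    print(cfscript_registry_fix(sorted(set(pkgs) & BASELINE_PACKAGES)))
    print("decoded:", decode_multi_sz_hex("73,63,65,63,6c,69,00,00"))
```

Round-tripping the value before pasting it into a CFScript is the check worth doing: a missing trailing NUL pair or a stray space in the hex list produces a value that Windows will not read as a proper multi-string.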



Re: WinSpywareProtect

Post by Paperhouse on 13th April 2009, 2:54 am

ComboFix 09-04-13.03 - HP_Owner 2009-04-13 19:40.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.292 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
c:\windows\asasafoxoqoyamu.dll
c:\windows\Opitecer.dat
c:\windows\Tasks\At1.job
c:\windows\Ttufesepefoqesod.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
c:\windows\asasafoxoqoyamu.dll
c:\windows\Opitecer.dat
c:\windows\Tasks\At1.job
c:\windows\Ttufesepefoqesod.bin

.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-14 02:39 . 2006-03-03 07:42 73728 ----a-w C:\pv.exe
2009-04-09 11:54 . 2009-04-09 11:54 -------- d-----w c:\documents and settings\HP_Owner\Application Data\rbizaono
2009-04-09 11:24 . 2009-04-09 11:24 -------- d-----w c:\documents and settings\NetworkService\Application Data\rbizaono
2009-04-09 08:15 . 2009-04-09 08:15 -------- d-----w c:\program files\SoulseekNS
2009-04-08 01:39 . 2009-04-08 01:45 -------- d-----w c:\documents and settings\HP_Owner\uspy
2009-04-08 01:38 . 2009-04-10 01:36 -------- d-----w c:\program files\Between the Worlds
2009-04-06 06:05 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 06:05 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 06:05 . 2009-04-06 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 03:13 . 2009-04-06 03:13 -------- d-----w c:\documents and settings\All Users\Application Data\Black Blob Studios
2009-04-06 00:07 . 2009-04-06 00:07 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Deckadance
2009-04-05 09:41 . 2009-04-09 10:06 -------- d-----w c:\program files\VstPlugins
2009-04-05 09:41 . 2006-06-20 08:56 225280 ----a-w c:\windows\system32\rewire.dll
2009-04-05 09:40 . 2002-07-07 22:14 1294336 ----a-w c:\windows\system32\vorbis.acm
2009-04-05 09:40 . 2009-04-05 09:40 -------- d-----w c:\program files\Outsim
2009-04-05 09:36 . 2009-04-09 10:24 -------- d-----w c:\program files\Image-Line
2009-04-02 09:55 . 2009-04-02 09:56 -------- d-----w c:\program files\support.com
2009-04-02 09:55 . 2009-04-02 09:55 -------- d-----w c:\program files\Common Files\SupportSoft
2009-04-01 01:01 . 2009-04-03 03:34 -------- d-----w c:\program files\Echo - Secret of the Lost Cavern
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\program files\Foxit Software
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Foxit
2009-03-29 08:50 . 2009-03-29 09:23 -------- d-----w c:\program files\Flip Words 2
2009-03-29 01:17 . 2009-03-29 01:17 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Pogo Games
2009-03-28 04:14 . 2009-03-28 04:14 -------- d-----w c:\program files\ReflexiveArcade
2009-03-28 00:57 . 2009-03-28 00:57 -------- d-----w c:\documents and settings\All Users\Application Data\Intenium
2009-03-25 07:56 . 2009-03-25 11:03 -------- d-----w c:\program files\MSN Games
2009-03-25 07:56 . 2009-03-25 07:56 -------- d-----w c:\program files\Oberon Media
2009-03-25 06:54 . 2009-03-25 06:54 -------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2009-03-25 04:04 . 2009-03-25 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2009-03-25 01:22 . 2009-03-25 01:22 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dreamsdwell Stories
2009-03-23 20:00 . 2009-03-23 20:08 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Nero
2009-03-23 08:48 . 2009-03-23 08:48 4767 ----a-w c:\windows\Irremote.ini
2009-03-23 08:43 . 2009-03-23 08:43 -------- d-----w c:\program files\Windows Sidebar
2009-03-23 08:11 . 2009-03-23 08:46 -------- d-----w c:\program files\Nero
2009-03-23 08:10 . 2009-03-23 08:30 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-03-23 08:10 . 2009-03-23 09:13 -------- d-----w c:\program files\Common Files\Nero
2009-03-22 05:50 . 2009-03-22 07:49 -------- d-----w c:\documents and settings\All Users\Application Data\IJJIGame
2009-03-21 20:25 . 2009-03-21 20:31 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Burdaloo
2009-03-18 02:03 . 2009-03-21 03:55 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Lost in the City

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 19:01 . 2004-08-12 02:36 -------- d-----w c:\program files\Java
2009-04-10 01:36 . 2008-12-09 01:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-09 06:58 . 2008-08-30 02:53 34 ----a-w c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
2009-04-06 06:32 . 2009-03-01 00:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 02:58 . 2008-12-09 01:18 -------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-04-04 13:06 . 2009-04-03 01:02 0 ----a-w C:\look.txt
2009-04-03 01:03 . 2009-04-03 01:03 966 ----a-w C:\look1.txt
2009-04-01 10:13 . 2009-03-02 10:21 -------- d-----w c:\program files\Trend Micro
2009-03-28 11:48 . 2004-08-12 03:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 08:52 . 2008-10-11 16:01 -------- d-----w c:\program files\MySpace
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\HP_Owner\Application Data\PlayFirst
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-23 08:33 . 2008-10-25 18:02 -------- d-----w c:\program files\WarRock
2009-03-19 08:49 . 2008-10-05 22:01 -------- d-----w c:\program files\Diablo II
2009-03-16 04:13 . 2008-07-26 03:28 -------- d--h--w c:\documents and settings\HP_Owner\Application Data\ijjigame
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Flood Light Games
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\Flood Light Games
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\program files\NOS
2009-03-12 12:48 . 2004-12-31 21:04 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 02:43 . 2009-03-11 02:43 -------- d-----w c:\documents and settings\HP_Owner\Application Data\SerpentOfIsis
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\HP_Owner\Application Data\ZEMNOTT
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\All Users\Application Data\ZEMNOTT
2009-03-09 12:19 . 2008-12-22 15:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 04:14 . 2009-03-05 04:14 -------- d-----w c:\documents and settings\HP_Owner\Application Data\BrandX Games
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\program files\Lavasoft
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-04 15:10 . 2009-03-02 05:02 2742 ----a-w C:\aaw7boot.log
2009-03-03 06:35 . 2004-08-12 03:52 -------- d-----w c:\program files\Common Files\Real
2009-03-03 06:16 . 2009-03-03 01:22 -------- d-----w c:\program files\Google
2009-03-03 01:26 . 2003-08-13 01:17 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-02 04:40 . 2009-03-01 00:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 01:20 . 2008-10-17 00:17 -------- d-----w c:\program files\SpacialAudio
2009-03-01 00:59 . 2009-03-01 00:59 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-01 00:43 . 2009-03-01 00:43 -------- d-----w c:\program files\UBISOFT
2009-02-26 03:45 . 2009-02-13 02:52 -------- d-----w c:\documents and settings\All Users\Application Data\MysteryChronicles
2009-02-25 03:28 . 2008-12-12 03:06 -------- d-----w c:\program files\Mystery Case Files - Return to Ravenhearst
2009-02-19 02:01 . 2009-02-19 02:01 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dragon Altar Games
2009-02-18 19:30 . 2004-08-12 04:07 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\AviSynth 2.5
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\Red Kawa
2009-02-13 03:29 . 2009-02-13 03:24 -------- d-----w c:\program files\Art of Murder - FBI Confidential
2009-02-09 11:13 . 2004-09-20 02:21 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-24 11:30 . 2009-01-24 11:30 2560 ----a-w c:\windows\_MSRSTRT.EXE
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w c:\program files\aolsetup.exe
.


Re: WinSpywareProtect

Post by Paperhouse on 13th April 2009, 2:55 am

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-14 02:46 . 2009-04-14 02:46 16384 c:\windows\temp\Perflib_Perfdata_104.dat
+ 2009-04-14 02:45 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-13 19:16 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\hp\drivers\keyboard\PS2.EXE" [2002-10-16 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-04 235936]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wnprt580.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-08-20 16:55 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-12-17 23:31 118784 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 c:\windows\AGRSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 133104]
R3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\BCM42U.SYS [2001-08-17 66557]
R3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\DRIVERS\RTL8180.SYS [2004-03-18 185216]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]

.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-04-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-13 19:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(580)
c:\windows\wnprt580.dll

- - - - - - - > 'explorer.exe'(1456)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\wnprt580.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-13 19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-14 02:52
ComboFix2.txt 2009-04-13 19:25

Pre-Run: 13,711,806,464 bytes free
Post-Run: 13,696,303,104 bytes free

314 --- E O F --- 2009-04-07 11:16


Re: WinSpywareProtect

Post by Belahzur on 13th April 2009, 12:56 pm

Hmm, this stubborn file in your registry doesn't want to die.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
C:\pv.exe

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: WinSpywareProtect

Post by Paperhouse on 13th April 2009, 1:59 pm

ComboFix 09-04-13.03 - HP_Owner 2009-04-13 6:44.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.244 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
C:\pv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pv.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-14 03:03 . 2009-04-13 10:09 0 ----a-w c:\windows\Ttufesepefoqesod.bin
2009-04-14 03:03 . 2009-04-13 10:09 408 ----a-w c:\windows\Opitecer.dat
2009-04-13 13:42 . 2009-04-13 13:43 -------- d-----w C:\32788R22FWJFW
2009-04-09 11:54 . 2009-04-09 11:54 -------- d-----w c:\documents and settings\HP_Owner\Application Data\rbizaono
2009-04-09 11:24 . 2009-04-09 11:24 -------- d-----w c:\documents and settings\NetworkService\Application Data\rbizaono
2009-04-09 08:15 . 2009-04-09 08:15 -------- d-----w c:\program files\SoulseekNS
2009-04-08 01:39 . 2009-04-08 01:45 -------- d-----w c:\documents and settings\HP_Owner\uspy
2009-04-08 01:38 . 2009-04-10 01:36 -------- d-----w c:\program files\Between the Worlds
2009-04-06 06:05 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 06:05 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 06:05 . 2009-04-06 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 03:13 . 2009-04-06 03:13 -------- d-----w c:\documents and settings\All Users\Application Data\Black Blob Studios
2009-04-06 00:07 . 2009-04-06 00:07 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Deckadance
2009-04-05 09:41 . 2009-04-09 10:06 -------- d-----w c:\program files\VstPlugins
2009-04-05 09:41 . 2006-06-20 08:56 225280 ----a-w c:\windows\system32\rewire.dll
2009-04-05 09:40 . 2002-07-07 22:14 1294336 ----a-w c:\windows\system32\vorbis.acm
2009-04-05 09:40 . 2009-04-05 09:40 -------- d-----w c:\program files\Outsim
2009-04-05 09:36 . 2009-04-09 10:24 -------- d-----w c:\program files\Image-Line
2009-04-02 09:55 . 2009-04-02 09:56 -------- d-----w c:\program files\support.com
2009-04-02 09:55 . 2009-04-02 09:55 -------- d-----w c:\program files\Common Files\SupportSoft
2009-04-01 01:01 . 2009-04-03 03:34 -------- d-----w c:\program files\Echo - Secret of the Lost Cavern
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\program files\Foxit Software
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Foxit
2009-03-29 08:50 . 2009-03-29 09:23 -------- d-----w c:\program files\Flip Words 2
2009-03-29 01:17 . 2009-03-29 01:17 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Pogo Games
2009-03-28 04:14 . 2009-03-28 04:14 -------- d-----w c:\program files\ReflexiveArcade
2009-03-28 00:57 . 2009-03-28 00:57 -------- d-----w c:\documents and settings\All Users\Application Data\Intenium
2009-03-25 07:56 . 2009-03-25 11:03 -------- d-----w c:\program files\MSN Games
2009-03-25 07:56 . 2009-03-25 07:56 -------- d-----w c:\program files\Oberon Media
2009-03-25 06:54 . 2009-03-25 06:54 -------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2009-03-25 04:04 . 2009-03-25 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2009-03-25 01:22 . 2009-03-25 01:22 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dreamsdwell Stories
2009-03-23 20:00 . 2009-03-23 20:08 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Nero
2009-03-23 08:48 . 2009-03-23 08:48 4767 ----a-w c:\windows\Irremote.ini
2009-03-23 08:43 . 2009-03-23 08:43 -------- d-----w c:\program files\Windows Sidebar
2009-03-23 08:11 . 2009-03-23 08:46 -------- d-----w c:\program files\Nero
2009-03-23 08:10 . 2009-03-23 08:30 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-03-23 08:10 . 2009-03-23 09:13 -------- d-----w c:\program files\Common Files\Nero
2009-03-22 05:50 . 2009-03-22 07:49 -------- d-----w c:\documents and settings\All Users\Application Data\IJJIGame
2009-03-21 20:25 . 2009-03-21 20:31 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Burdaloo
2009-03-18 02:03 . 2009-03-21 03:55 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Lost in the City
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\HP_Owner\Saved Games
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Flood Light Games
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\Flood Light Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 13:43 . 2009-04-13 13:42 1068 ----a-w C:\Bug.txt
2009-04-11 19:01 . 2004-08-12 02:36 -------- d-----w c:\program files\Java
2009-04-10 01:36 . 2008-12-09 01:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-09 06:58 . 2008-08-30 02:53 34 ----a-w c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
2009-04-06 06:32 . 2009-03-01 00:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 02:58 . 2008-12-09 01:18 -------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-04-04 13:06 . 2009-04-03 01:02 0 ----a-w C:\look.txt
2009-04-03 01:03 . 2009-04-03 01:03 966 ----a-w C:\look1.txt
2009-04-01 10:13 . 2009-03-02 10:21 -------- d-----w c:\program files\Trend Micro
2009-03-28 11:48 . 2004-08-12 03:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 08:52 . 2008-10-11 16:01 -------- d-----w c:\program files\MySpace
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\HP_Owner\Application Data\PlayFirst
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-23 08:33 . 2008-10-25 18:02 -------- d-----w c:\program files\WarRock
2009-03-19 08:49 . 2008-10-05 22:01 -------- d-----w c:\program files\Diablo II
2009-03-16 04:13 . 2008-07-26 03:28 -------- d--h--w c:\documents and settings\HP_Owner\Application Data\ijjigame
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\program files\NOS
2009-03-12 12:48 . 2004-12-31 21:04 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 02:43 . 2009-03-11 02:43 -------- d-----w c:\documents and settings\HP_Owner\Application Data\SerpentOfIsis
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\HP_Owner\Application Data\ZEMNOTT
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\All Users\Application Data\ZEMNOTT
2009-03-09 12:19 . 2008-12-22 15:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 04:14 . 2009-03-05 04:14 -------- d-----w c:\documents and settings\HP_Owner\Application Data\BrandX Games
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\program files\Lavasoft
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-04 15:10 . 2009-03-02 05:02 2742 ----a-w C:\aaw7boot.log
2009-03-03 06:35 . 2004-08-12 03:52 -------- d-----w c:\program files\Common Files\Real
2009-03-03 06:16 . 2009-03-03 01:22 -------- d-----w c:\program files\Google
2009-03-03 01:26 . 2003-08-13 01:17 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-02 04:40 . 2009-03-01 00:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 01:20 . 2008-10-17 00:17 -------- d-----w c:\program files\SpacialAudio
2009-03-01 00:59 . 2009-03-01 00:59 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-01 00:43 . 2009-03-01 00:43 -------- d-----w c:\program files\UBISOFT
2009-02-26 03:45 . 2009-02-13 02:52 -------- d-----w c:\documents and settings\All Users\Application Data\MysteryChronicles
2009-02-25 03:28 . 2008-12-12 03:06 -------- d-----w c:\program files\Mystery Case Files - Return to Ravenhearst
2009-02-19 02:01 . 2009-02-19 02:01 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dragon Altar Games
2009-02-18 19:30 . 2004-08-12 04:07 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\AviSynth 2.5
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\Red Kawa
2009-02-13 03:29 . 2009-02-13 03:24 -------- d-----w c:\program files\Art of Murder - FBI Confidential
2009-02-09 11:13 . 2004-09-20 02:21 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-24 11:30 . 2009-01-24 11:30 2560 ----a-w c:\windows\_MSRSTRT.EXE
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w c:\program files\aolsetup.exe
.


Re: WinSpywareProtect

Post by Paperhouse on 13th April 2009, 1:59 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-13 13:50 . 2009-04-13 13:50 16384 c:\windows\temp\Perflib_Perfdata_114.dat
+ 2004-09-20 02:21 . 2008-04-14 00:12 156160 c:\windows\uqifukinemeroko.dll
+ 2009-04-13 13:48 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-13 19:16 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\hp\drivers\keyboard\PS2.EXE" [2002-10-16 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Lpecelehizuqazaq"="c:\windows\uqifukinemeroko.dll" [2008-04-13 156160]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-04 235936]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wnprt580.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-08-20 16:55 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-12-17 23:31 118784 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 c:\windows\AGRSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 133104]
R3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\BCM42U.SYS [2001-08-17 66557]
R3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\DRIVERS\RTL8180.SYS [2004-03-18 185216]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]

.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-04-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-13 06:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(580)
c:\windows\wnprt580.dll

- - - - - - - > 'explorer.exe'(1096)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\wnprt580.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\uqifukinemeroko.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-13 6:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 13:57
ComboFix2.txt 2009-04-14 02:52
ComboFix3.txt 2009-04-13 19:25

Pre-Run: 13,182,074,880 bytes free
Post-Run: 13,408,329,728 bytes free

248 --- E O F --- 2009-04-07 11:16


Re: WinSpywareProtect

Post by Belahzur on 13th April 2009, 2:05 pm

Hello.
Even more vundo came back.

I'm all in this time. Please disconnect this machine from the internet, because something is regenerating it.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\wnprt580.dll
c:\windows\uqifukinemeroko.dll
c:\windows\Ttufesepefoqesod.bin
c:\windows\Opitecer.dat

DirLook::
c:\documents and settings\HP_Owner\Application Data\rbizaono
c:\documents and settings\NetworkService\Application Data\rbizaono

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lpecelehizuqazaq"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


Last edited by Belahzur on 13th April 2009, 10:17 pm; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


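The `"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00` line that appears in both of Belahzur's CFScripts is the REGEDIT4 encoding of a REG_MULTI_SZ containing only `scecli`, i.e. the stock LSA Notification Packages list on XP; the ComboFix line `Notification Packages REG_MULTI_SZ scecli wnprt580.dll` shows the extra package it is replacing, and `"Lpecelehizuqazaq"="c:\windows\uqifukinemeroko.dll"` shows the companion Run entry. The Python below is an added example written for this thread; it is not ComboFix's code and was not posted by anyone here. It decodes and re-encodes such hex(7) literals, flags packages not on a baseline allowlist, and flags Run values whose target is a bare .dll. The allowlist, the line regex and the "bare .dll in Run" heuristic are assumptions, and the sample log lines are constructed to mirror the thread's log.

```python
"""Audit the LSA "Notification Packages" value and ComboFix Run-key lines.

Added example for this thread (not ComboFix code, not from the forum).
REGEDIT4-format .reg/CFScript files are ANSI, so hex(7) data is one byte per
character: a run of NUL-terminated strings closed by one extra NUL.
(A 'Windows Registry Editor Version 5.00' file would use UTF-16LE instead.)
"""
import re
from typing import Dict, Iterable, List

# Assumption: the only package a stock XP install registers is scecli.  A real
# baseline should come from a known-clean reference machine, not be hard-coded.
KNOWN_GOOD_PACKAGES = {"scecli"}

HEX7_PREFIX = "hex(7):"

# Matches ComboFix's rendering of a Run value:  "Name"="image" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]+)"')

# Constructed sample mirroring the thread's "Reg Loading Points" section.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe" [1998-05-07 52736]
"Lpecelehizuqazaq"="c:\\windows\\uqifukinemeroko.dll" [2008-04-13 156160]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\\windows\\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Notification Packages REG_MULTI_SZ scecli wnprt580.dll
""".splitlines()


def _norm(name: str) -> str:
    """Compare package names case-insensitively and without a .dll suffix."""
    n = name.strip().lower()
    return n[:-4] if n.endswith(".dll") else n


def decode_hex7(value: str) -> List[str]:
    """Turn 'hex(7):73,63,...,00,00' into the list of strings it encodes."""
    if not value.lower().startswith(HEX7_PREFIX):
        raise ValueError("expected a hex(7) (REG_MULTI_SZ) literal")
    # .reg files wrap long values with a trailing backslash; drop those.
    body = value[len(HEX7_PREFIX):].replace("\\", "").replace("\n", "")
    raw = bytes(int(tok, 16) for tok in body.split(",") if tok.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_hex7(packages: Iterable[str]) -> str:
    """Inverse of decode_hex7: the REGEDIT4 literal for a package list."""
    raw = b"".join(p.encode("latin-1") + b"\x00" for p in packages) or b"\x00"
    raw += b"\x00"  # REG_MULTI_SZ ends with an empty string
    return HEX7_PREFIX + ",".join(f"{b:02x}" for b in raw)


def parse_multi_sz_line(line: str) -> List[str]:
    """Split 'Notification Packages REG_MULTI_SZ scecli wnprt580.dll' into entries."""
    _, sep, tail = line.partition("REG_MULTI_SZ")
    if not sep:
        raise ValueError("line carries no REG_MULTI_SZ value")
    return tail.split()


def audit_packages(packages: Iterable[str],
                   known_good: Iterable[str] = KNOWN_GOOD_PACKAGES) -> List[str]:
    """Entries not on the allowlist.  Packages listed here are loaded into
    lsass.exe and are handed every password change, so an unknown one is a
    high-value finding (compare the wnprt580.dll under lsass.exe in the log)."""
    good = {_norm(k) for k in known_good}
    return [p for p in packages if _norm(p) not in good]


def dll_run_entries(log_lines: Iterable[str]) -> Dict[str, str]:
    """Heuristic: Run values whose image is a bare .dll.  Legitimate software
    that needs a DLL at logon goes through rundll32.exe with an entry point;
    a plain DLL path in Run is the pattern the thread's Vundo entry shows."""
    hits: Dict[str, str] = {}
    for line in log_lines:
        m = RUN_VALUE.match(line.strip())
        if m and m.group("image").lower().endswith(".dll"):
            hits[m.group("name")] = m.group("image")
    return hits


def triage(log_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Run both checks over a ComboFix 'Reg Loading Points' excerpt."""
    lines = list(log_lines)
    findings: Dict[str, List[str]] = {"lsa_packages": [], "dll_run_values": []}
    for line in lines:
        if "Notification Packages" in line and "REG_MULTI_SZ" in line:
            findings["lsa_packages"] += audit_packages(parse_multi_sz_line(line))
    findings["dll_run_values"] = sorted(dll_run_entries(lines))
    return findings


if __name__ == "__main__":
    print("fix script decodes to:", decode_hex7("hex(7):73,63,65,63,6c,69,00,00"))
    print("clean value re-encoded:", encode_hex7(["scecli"]))
    print("findings:", triage(SAMPLE_LOG))
```

Run it as-is to see the fix value decode to `['scecli']`; `triage` is the piece to point at a real log excerpt, and `encode_hex7` lets you regenerate the reset line from a baseline taken off a clean machine rather than typing hex by hand.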

Re: WinSpywareProtect

Post by Paperhouse on 13th April 2009, 10:13 pm

ComboFix 09-04-13.03 - HP_Owner 2009-04-13 14:56.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.299 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt.lnk
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-14 03:03 . 2009-04-13 10:09 0 ----a-w c:\windows\Ttufesepefoqesod.bin
2009-04-14 03:03 . 2009-04-13 20:23 408 ----a-w c:\windows\Opitecer.dat
2009-04-13 21:55 . 2006-03-03 07:42 73728 ----a-w C:\pv.exe
2009-04-09 11:54 . 2009-04-09 11:54 -------- d-----w c:\documents and settings\HP_Owner\Application Data\rbizaono
2009-04-09 11:24 . 2009-04-09 11:24 -------- d-----w c:\documents and settings\NetworkService\Application Data\rbizaono
2009-04-09 08:15 . 2009-04-09 08:15 -------- d-----w c:\program files\SoulseekNS
2009-04-08 01:39 . 2009-04-08 01:45 -------- d-----w c:\documents and settings\HP_Owner\uspy
2009-04-08 01:38 . 2009-04-10 01:36 -------- d-----w c:\program files\Between the Worlds
2009-04-06 06:05 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 06:05 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 06:05 . 2009-04-06 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 03:13 . 2009-04-06 03:13 -------- d-----w c:\documents and settings\All Users\Application Data\Black Blob Studios
2009-04-06 00:07 . 2009-04-06 00:07 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Deckadance
2009-04-05 09:41 . 2009-04-09 10:06 -------- d-----w c:\program files\VstPlugins
2009-04-05 09:41 . 2006-06-20 08:56 225280 ----a-w c:\windows\system32\rewire.dll
2009-04-05 09:40 . 2002-07-07 22:14 1294336 ----a-w c:\windows\system32\vorbis.acm
2009-04-05 09:40 . 2009-04-05 09:40 -------- d-----w c:\program files\Outsim
2009-04-05 09:36 . 2009-04-09 10:24 -------- d-----w c:\program files\Image-Line
2009-04-02 09:55 . 2009-04-02 09:56 -------- d-----w c:\program files\support.com
2009-04-02 09:55 . 2009-04-02 09:55 -------- d-----w c:\program files\Common Files\SupportSoft
2009-04-01 01:01 . 2009-04-03 03:34 -------- d-----w c:\program files\Echo - Secret of the Lost Cavern
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\program files\Foxit Software
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Foxit
2009-03-29 08:50 . 2009-03-29 09:23 -------- d-----w c:\program files\Flip Words 2
2009-03-29 01:17 . 2009-03-29 01:17 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Pogo Games
2009-03-28 04:14 . 2009-03-28 04:14 -------- d-----w c:\program files\ReflexiveArcade
2009-03-28 00:57 . 2009-03-28 00:57 -------- d-----w c:\documents and settings\All Users\Application Data\Intenium
2009-03-25 07:56 . 2009-03-25 11:03 -------- d-----w c:\program files\MSN Games
2009-03-25 07:56 . 2009-03-25 07:56 -------- d-----w c:\program files\Oberon Media
2009-03-25 06:54 . 2009-03-25 06:54 -------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2009-03-25 04:04 . 2009-03-25 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2009-03-25 01:22 . 2009-03-25 01:22 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dreamsdwell Stories
2009-03-23 20:00 . 2009-03-23 20:08 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Nero
2009-03-23 08:48 . 2009-03-23 08:48 4767 ----a-w c:\windows\Irremote.ini
2009-03-23 08:43 . 2009-03-23 08:43 -------- d-----w c:\program files\Windows Sidebar
2009-03-23 08:11 . 2009-03-23 08:46 -------- d-----w c:\program files\Nero
2009-03-23 08:10 . 2009-03-23 08:30 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-03-23 08:10 . 2009-03-23 09:13 -------- d-----w c:\program files\Common Files\Nero
2009-03-22 05:50 . 2009-03-22 07:49 -------- d-----w c:\documents and settings\All Users\Application Data\IJJIGame
2009-03-21 20:25 . 2009-03-21 20:31 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Burdaloo
2009-03-18 02:03 . 2009-03-21 03:55 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Lost in the City
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\HP_Owner\Saved Games
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Flood Light Games
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\Flood Light Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 19:01 . 2004-08-12 02:36 -------- d-----w c:\program files\Java
2009-04-10 01:36 . 2008-12-09 01:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-09 06:58 . 2008-08-30 02:53 34 ----a-w c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
2009-04-06 06:32 . 2009-03-01 00:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 02:58 . 2008-12-09 01:18 -------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-04-04 13:06 . 2009-04-03 01:02 0 ----a-w C:\look.txt
2009-04-03 01:03 . 2009-04-03 01:03 966 ----a-w C:\look1.txt
2009-04-01 10:13 . 2009-03-02 10:21 -------- d-----w c:\program files\Trend Micro
2009-03-28 11:48 . 2004-08-12 03:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 08:52 . 2008-10-11 16:01 -------- d-----w c:\program files\MySpace
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\HP_Owner\Application Data\PlayFirst
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-23 08:33 . 2008-10-25 18:02 -------- d-----w c:\program files\WarRock
2009-03-19 08:49 . 2008-10-05 22:01 -------- d-----w c:\program files\Diablo II
2009-03-16 04:13 . 2008-07-26 03:28 -------- d--h--w c:\documents and settings\HP_Owner\Application Data\ijjigame
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\program files\NOS
2009-03-12 12:48 . 2004-12-31 21:04 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 02:43 . 2009-03-11 02:43 -------- d-----w c:\documents and settings\HP_Owner\Application Data\SerpentOfIsis
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\HP_Owner\Application Data\ZEMNOTT
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\All Users\Application Data\ZEMNOTT
2009-03-09 12:19 . 2008-12-22 15:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 04:14 . 2009-03-05 04:14 -------- d-----w c:\documents and settings\HP_Owner\Application Data\BrandX Games
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\program files\Lavasoft
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-04 15:10 . 2009-03-02 05:02 2742 ----a-w C:\aaw7boot.log
2009-03-03 06:35 . 2004-08-12 03:52 -------- d-----w c:\program files\Common Files\Real
2009-03-03 06:16 . 2009-03-03 01:22 -------- d-----w c:\program files\Google
2009-03-03 01:26 . 2003-08-13 01:17 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-02 04:40 . 2009-03-01 00:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 01:20 . 2008-10-17 00:17 -------- d-----w c:\program files\SpacialAudio
2009-03-01 00:59 . 2009-03-01 00:59 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-01 00:43 . 2009-03-01 00:43 -------- d-----w c:\program files\UBISOFT
2009-02-26 03:45 . 2009-02-13 02:52 -------- d-----w c:\documents and settings\All Users\Application Data\MysteryChronicles
2009-02-25 03:28 . 2008-12-12 03:06 -------- d-----w c:\program files\Mystery Case Files - Return to Ravenhearst
2009-02-19 02:01 . 2009-02-19 02:01 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dragon Altar Games
2009-02-18 19:30 . 2004-08-12 04:07 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\AviSynth 2.5
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\Red Kawa
2009-02-13 03:29 . 2009-02-13 03:24 -------- d-----w c:\program files\Art of Murder - FBI Confidential
2009-02-09 11:13 . 2004-09-20 02:21 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-24 11:30 . 2009-01-24 11:30 2560 ----a-w c:\windows\_MSRSTRT.EXE
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w c:\program files\aolsetup.exe
.


Re: WinSpywareProtect

Post by Paperhouse on 13th April 2009, 10:14 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-13 22:03 . 2009-04-13 22:03 16384 c:\windows\temp\Perflib_Perfdata_5e4.dat
+ 2004-09-20 02:21 . 2008-04-14 00:12 156160 c:\windows\uqifukinemeroko.dll
+ 2009-04-13 22:01 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-13 19:16 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\hp\drivers\keyboard\PS2.EXE" [2002-10-16 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Lpecelehizuqazaq"="c:\windows\uqifukinemeroko.dll" [2008-04-13 156160]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-04 235936]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wnprt580.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-08-20 16:55 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-12-17 23:31 118784 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 c:\windows\AGRSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 133104]
R3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\BCM42U.SYS [2001-08-17 66557]
R3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\DRIVERS\RTL8180.SYS [2004-03-18 185216]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]

.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-04-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-13 15:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(580)
c:\windows\wnprt580.dll

- - - - - - - > 'explorer.exe'(3448)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\wnprt580.dll
c:\windows\uqifukinemeroko.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-13 15:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 22:09
ComboFix2.txt 2009-04-13 13:57
ComboFix3.txt 2009-04-14 02:52
ComboFix4.txt 2009-04-13 19:25

Pre-Run: 13,463,724,032 bytes free
Post-Run: 13,448,646,656 bytes free

242 --- E O F --- 2009-04-07 11:16


Re: WinSpywareProtect

Post by Belahzur on 13th April 2009, 10:19 pm

Hello.
It didn't work right that time because you made a .lnk extension; it was a shortcut to a file and not the actual .txt file:

CFScript.txt.lnk

It needs to be named CFScript.txt without the .lnk.

Re-run the script in this post:
[You must be registered and logged in to see this link.]

Make sure it's a proper text file this time.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: WinSpywareProtect

Post by Paperhouse on 13th April 2009, 11:07 pm

ComboFix 09-04-13.03 - HP_Owner 2009-04-13 15:51.13 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.234 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\Opitecer.dat
c:\windows\Ttufesepefoqesod.bin
c:\windows\uqifukinemeroko.dll
c:\windows\wnprt580.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Opitecer.dat
c:\windows\Ttufesepefoqesod.bin
c:\windows\uqifukinemeroko.dll
c:\windows\wnprt580.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-09 11:54 . 2009-04-09 11:54 -------- d-----w c:\documents and settings\HP_Owner\Application Data\rbizaono
2009-04-09 11:24 . 2009-04-09 11:24 -------- d-----w c:\documents and settings\NetworkService\Application Data\rbizaono
2009-04-09 08:15 . 2009-04-09 08:15 -------- d-----w c:\program files\SoulseekNS
2009-04-08 01:39 . 2009-04-08 01:45 -------- d-----w c:\documents and settings\HP_Owner\uspy
2009-04-08 01:38 . 2009-04-10 01:36 -------- d-----w c:\program files\Between the Worlds
2009-04-06 06:05 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 06:05 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 06:05 . 2009-04-06 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 03:13 . 2009-04-06 03:13 -------- d-----w c:\documents and settings\All Users\Application Data\Black Blob Studios
2009-04-06 00:07 . 2009-04-06 00:07 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Deckadance
2009-04-05 09:41 . 2009-04-09 10:06 -------- d-----w c:\program files\VstPlugins
2009-04-05 09:41 . 2006-06-20 08:56 225280 ----a-w c:\windows\system32\rewire.dll
2009-04-05 09:40 . 2002-07-07 22:14 1294336 ----a-w c:\windows\system32\vorbis.acm
2009-04-05 09:40 . 2009-04-05 09:40 -------- d-----w c:\program files\Outsim
2009-04-05 09:36 . 2009-04-09 10:24 -------- d-----w c:\program files\Image-Line
2009-04-02 09:55 . 2009-04-02 09:56 -------- d-----w c:\program files\support.com
2009-04-02 09:55 . 2009-04-02 09:55 -------- d-----w c:\program files\Common Files\SupportSoft
2009-04-01 01:01 . 2009-04-03 03:34 -------- d-----w c:\program files\Echo - Secret of the Lost Cavern
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\program files\Foxit Software
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Foxit
2009-03-29 08:50 . 2009-03-29 09:23 -------- d-----w c:\program files\Flip Words 2
2009-03-29 01:17 . 2009-03-29 01:17 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Pogo Games
2009-03-28 04:14 . 2009-03-28 04:14 -------- d-----w c:\program files\ReflexiveArcade
2009-03-28 00:57 . 2009-03-28 00:57 -------- d-----w c:\documents and settings\All Users\Application Data\Intenium
2009-03-25 07:56 . 2009-03-25 11:03 -------- d-----w c:\program files\MSN Games
2009-03-25 07:56 . 2009-03-25 07:56 -------- d-----w c:\program files\Oberon Media
2009-03-25 06:54 . 2009-03-25 06:54 -------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2009-03-25 04:04 . 2009-03-25 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2009-03-25 01:22 . 2009-03-25 01:22 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dreamsdwell Stories
2009-03-23 20:00 . 2009-03-23 20:08 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Nero
2009-03-23 08:48 . 2009-03-23 08:48 4767 ----a-w c:\windows\Irremote.ini
2009-03-23 08:43 . 2009-03-23 08:43 -------- d-----w c:\program files\Windows Sidebar
2009-03-23 08:11 . 2009-03-23 08:46 -------- d-----w c:\program files\Nero
2009-03-23 08:10 . 2009-03-23 08:30 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-03-23 08:10 . 2009-03-23 09:13 -------- d-----w c:\program files\Common Files\Nero
2009-03-22 05:50 . 2009-03-22 07:49 -------- d-----w c:\documents and settings\All Users\Application Data\IJJIGame
2009-03-21 20:25 . 2009-03-21 20:31 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Burdaloo
2009-03-18 02:03 . 2009-03-21 03:55 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Lost in the City

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 19:01 . 2004-08-12 02:36 -------- d-----w c:\program files\Java
2009-04-10 01:36 . 2008-12-09 01:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-09 06:58 . 2008-08-30 02:53 34 ----a-w c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
2009-04-06 06:32 . 2009-03-01 00:05 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 02:58 . 2008-12-09 01:18 -------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-04-04 13:06 . 2009-04-03 01:02 0 ----a-w C:\look.txt
2009-04-03 01:03 . 2009-04-03 01:03 966 ----a-w C:\look1.txt
2009-04-01 10:13 . 2009-03-02 10:21 -------- d-----w c:\program files\Trend Micro
2009-03-28 11:48 . 2004-08-12 03:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 08:52 . 2008-10-11 16:01 -------- d-----w c:\program files\MySpace
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\HP_Owner\Application Data\PlayFirst
2009-03-25 01:11 . 2008-12-09 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-03-23 08:33 . 2008-10-25 18:02 -------- d-----w c:\program files\WarRock
2009-03-19 08:49 . 2008-10-05 22:01 -------- d-----w c:\program files\Diablo II
2009-03-16 04:13 . 2008-07-26 03:28 -------- d--h--w c:\documents and settings\HP_Owner\Application Data\ijjigame
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Flood Light Games
2009-03-14 22:57 . 2009-03-14 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\Flood Light Games
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-12 14:22 . 2009-02-03 23:01 -------- d-----w c:\program files\NOS
2009-03-12 12:48 . 2004-12-31 21:04 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 02:43 . 2009-03-11 02:43 -------- d-----w c:\documents and settings\HP_Owner\Application Data\SerpentOfIsis
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\HP_Owner\Application Data\ZEMNOTT
2009-03-10 02:39 . 2009-03-10 02:39 -------- d-----w c:\documents and settings\All Users\Application Data\ZEMNOTT
2009-03-09 12:19 . 2008-12-22 15:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 04:14 . 2009-03-05 04:14 -------- d-----w c:\documents and settings\HP_Owner\Application Data\BrandX Games
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\program files\Lavasoft
2009-03-04 21:34 . 2009-03-02 03:41 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-04 15:10 . 2009-03-02 05:02 2742 ----a-w C:\aaw7boot.log
2009-03-03 06:35 . 2004-08-12 03:52 -------- d-----w c:\program files\Common Files\Real
2009-03-03 06:16 . 2009-03-03 01:22 -------- d-----w c:\program files\Google
2009-03-03 01:26 . 2003-08-13 01:17 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-02 04:40 . 2009-03-01 00:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 01:20 . 2008-10-17 00:17 -------- d-----w c:\program files\SpacialAudio
2009-03-01 00:59 . 2009-03-01 00:59 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-01 00:43 . 2009-03-01 00:43 -------- d-----w c:\program files\UBISOFT
2009-02-26 03:45 . 2009-02-13 02:52 -------- d-----w c:\documents and settings\All Users\Application Data\MysteryChronicles
2009-02-25 03:28 . 2008-12-12 03:06 -------- d-----w c:\program files\Mystery Case Files - Return to Ravenhearst
2009-02-19 02:01 . 2009-02-19 02:01 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Dragon Altar Games
2009-02-18 19:30 . 2004-08-12 04:07 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\AviSynth 2.5
2009-02-13 07:13 . 2009-02-13 07:13 -------- d-----w c:\program files\Red Kawa
2009-02-13 03:29 . 2009-02-13 03:24 -------- d-----w c:\program files\Art of Murder - FBI Confidential
2009-02-09 11:13 . 2004-09-20 02:21 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-24 11:30 . 2009-01-24 11:30 2560 ----a-w c:\windows\_MSRSTRT.EXE
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w c:\program files\aolsetup.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\HP_Owner\Application Data\rbizaono ----

2009-04-09 04:56 65536 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\cert8.db
2009-04-09 04:56 2048 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\cookies.sqlite
2009-04-09 04:55 8651 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\pluginreg.dat
2009-04-09 04:55 569 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\localstore.rdf
2009-04-09 04:55 4096 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\formhistory.sqlite
2009-04-09 04:55 367 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\prefs.js
2009-04-09 04:55 2048 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\webappsstore.sqlite
2009-04-09 04:55 2048 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\permissions.sqlite
2009-04-09 04:55 16384 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\secmod.db
2009-04-09 04:55 16384 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\key3.db
2009-04-09 04:55 131072 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\places.sqlite
2009-04-09 04:55 127820 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\compreg.dat
2009-04-09 04:55 0 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\places.sqlite-journal
2009-04-09 04:54 96173 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\xpti.dat
2009-04-09 04:54 207 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\Profiles\gms08uuz.default\compatibility.ini
2009-04-09 04:54 111 --a------ c:\documents and settings\HP_Owner\Application Data\rbizaono\profiles.ini


Re: WinSpywareProtect

Post by Paperhouse on 13th April 2009, 11:07 pm

---- Directory of c:\documents and settings\NetworkService\Application Data\rbizaono ----

2009-04-09 04:43 698 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\prefs.js
2009-04-09 04:43 65536 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\cert8.db
2009-04-09 04:43 2048 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\cookies.sqlite
2009-04-09 04:43 16384 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\key3.db
2009-04-09 04:43 131072 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\places.sqlite
2009-04-09 04:25 569 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\localstore.rdf
2009-04-09 04:24 96173 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\xpti.dat
2009-04-09 04:24 8651 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\pluginreg.dat
2009-04-09 04:24 4096 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\formhistory.sqlite
2009-04-09 04:24 207 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\compatibility.ini
2009-04-09 04:24 2048 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\webappsstore.sqlite
2009-04-09 04:24 2048 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\permissions.sqlite
2009-04-09 04:24 16384 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\secmod.db
2009-04-09 04:24 127820 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\Profiles\0naozty3.default\compreg.dat
2009-04-09 04:24 111 --a------ c:\documents and settings\NetworkService\Application Data\rbizaono\profiles.ini


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-13 22:57 . 2009-04-13 22:57 16384 c:\windows\temp\Perflib_Perfdata_5e4.dat
+ 2009-04-13 22:55 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-13 19:16 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\hp\drivers\keyboard\PS2.EXE" [2002-10-16 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-04 235936]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-08-20 16:55 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-12-17 23:31 118784 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 c:\windows\AGRSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 133104]
R3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\BCM42U.SYS [2001-08-17 66557]
R3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\DRIVERS\RTL8180.SYS [2004-03-18 185216]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]

.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-04-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-13 15:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-13 16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 23:03
ComboFix2.txt 2009-04-13 22:09
ComboFix3.txt 2009-04-13 13:57
ComboFix4.txt 2009-04-14 02:52
ComboFix5.txt 2009-04-13 22:51

Pre-Run: 13,435,412,480 bytes free
Post-Run: 13,419,974,656 bytes free

277 --- E O F --- 2009-04-07 11:16


Re: WinSpywareProtect

Post by Belahzur on 13th April 2009, 11:43 pm

Hello.

Finally, it's gone.
Stupid file hooking itself into lsass.exe.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.
==============

Please run GooredFix option 2 now.
Post the new Gooredfix log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: WinSpywareProtect

Post by Paperhouse on 14th April 2009, 1:30 am

GooredFix v1.92 by jpshortstuff
Log created at 18:30 on 13/04/2009 running Option #2 (HP_Owner)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3851221E-BE15-430A-9639-1C051BAAA5F9}"="C:\Documents and Settings\HP_Owner\Local Settings\Application Data\{3851221E-BE15-430A-9639-1C051BAAA5F9}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\{3851221E-BE15-430A-9639-1C051BAAA5F9}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

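The GooredFix log above removes a Firefox extension that was not installed in the profile but registered under HKLM\SOFTWARE\Mozilla\Firefox\extensions, pointing at a GUID-named folder in the user's Local Settings\Application Data. As an added example, not part of this thread and not GooredFix's own code, the PowerShell below enumerates the registry extension keys and flags entries that share those traits. The key paths are the standard Firefox registry locations; the flagging rules (GUID-style ID, user-writable path, folder named after the ID, missing add-on manifest) are my own assumed heuristics, and a legitimate add-on can trip one of them, so treat hits as leads to check rather than verdicts.

```powershell
# Added example (not from the thread or from GooredFix): enumerate Firefox
# extensions registered through the Windows registry, the sideload mechanism
# the GooredFix log shows being cleaned up, and flag entries that look like
# the rogue one. Heuristics are assumptions; review hits by hand.

function Get-RegisteredFirefoxExtension {
    [CmdletBinding()]
    param()

    $keys = @(
        'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
        'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Firefox\Extensions',
        'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
    )
    # Extension IDs are either e-mail style (jqs@sun.com) or a GUID in braces.
    $guidRe    = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    # Legitimate sideloads normally live under Program Files; a per-user,
    # user-writable location such as Local Settings\Application Data is a red flag.
    $userDirRe = '^[A-Za-z]:\\(Documents and Settings|Users)\\'

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider.
            if ($prop.Name -like 'PS*') { continue }
            $id    = $prop.Name
            $path  = [string]$prop.Value
            $flags = New-Object System.Collections.Generic.List[string]

            if ($id -match $guidRe) { $flags.Add('guid-id') }

            if ([string]::IsNullOrWhiteSpace($path)) {
                $flags.Add('empty-path')
            } else {
                if ($path -match $userDirRe) { $flags.Add('user-writable-path') }
                # Rogue entries often name the folder after the extension ID itself.
                if ((Split-Path -Path $path -Leaf) -eq $id) { $flags.Add('folder-named-after-id') }
                if (-not (Test-Path -LiteralPath $path)) {
                    $flags.Add('path-missing')
                } else {
                    # Firefox 3-era add-ons carry install.rdf; WebExtensions carry manifest.json.
                    $manifest = @('install.rdf', 'manifest.json') |
                        Where-Object { Test-Path -LiteralPath (Join-Path $path $_) }
                    if (-not $manifest) { $flags.Add('no-manifest') }
                }
            }

            [pscustomobject]@{
                Key        = $key
                Id         = $id
                Path       = $path
                Suspicious = ($flags.Count -gt 0)
                Flags      = ($flags -join ',')
            }
        }
    }
}

# Usage: list every registered extension, suspicious entries first.
Get-RegisteredFirefoxExtension |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -Property Suspicious, Id, Path, Flags -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys are readable. The version-specific key in the log (HKLM\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions, holding the Plugins and Components values) is deliberately not scanned: those values point at Firefox's own install directories, not at add-ons. An entry such as jqs@sun.com under C:\Program Files\Java will come back clean; the deleted GUID entry would have been flagged guid-id, user-writable-path and folder-named-after-id.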

Re: WinSpywareProtect

Post by Belahzur on 14th April 2009, 4:08 pm

Hello.
How is it now?



Re: WinSpywareProtect

Post by Paperhouse on 14th April 2009, 6:51 pm

Perfect.


Re: WinSpywareProtect

Post by Belahzur on 14th April 2009, 6:59 pm

Click Start >> Run and then copy/paste the following into the box and hit Enter:
"%userprofile%\Desktop\GooredFix.exe" /uninstall
Note the space between " and /.
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.


