Help required to remove Spyware.ISpynow please

Edit by Belahzur: bad link killed

Hi,

I wonder if anyone can help me? From reading your forum I do not appear to be the obly one with this problem.

I have a laptop running Microsoft Vista Home Premium OS. I have McAfee SecurityCenter version 9.0, Virus scan version 13.0 and Personal Firewall version 10.0. I also have SUPERAntiSpyware free edition.

Over the last two days I have been getting a Windows Security Alert window pop up every 13 minutes that states:


Windows Security Alert

Windows Firewall has blocked some features of this program

Windows Firewall has detected unauthorized activity, but unfortunately it cannot help you remove viruses, keyloggers and other spyware threats that steal your personal information from your computer. Click here to pick recommended software.

Name: Spyware.ISpynow

Risk Level: High

Description: This trojan has a keyboard logger function which is intended to steal information from users of a range of online payment systems.


There are two option buttons to click on. The option to “Keep Blocking” is greyed out leaving just the option “Protect” available. When I click on this button it take me to a website: hxxp://www.defende2009.com/buy.php?a=111 offering me to buy “Perfect Defender 2009”. If I click on the Click here to pick recommended software hyperlink the same website opens.

I've done full scans with Mcafee and SUPERAntiSpyware in both normal and safe modes. However, none of these found anything.

I've also scanned with Windows Defender and Malwarebytes Anti-Malware, but neither of those found anything either.

McAfee Help forum suggested I download HijackThis and post the log on this forum. Therefore I have done this and the log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:52:33, on 28/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PcSync2.exe
C:\Users\Owner\AppData\Roaming\Google\dwm.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Windows\System32\mobsync.exe
C:\Users\Owner\Downloads\HijackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [HPsetm] "C:\Users\Owner\AppData\Roaming\Google\dwm.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9762 bytes

Can you please suggest how I can remove this please.

Thank you in advance for any help you can give.

Hello.
Lets run this.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

thanks for quick response. Log as requested...

ComboFix 08-12-01.01 - Owner 2008-12-01 23:38:40.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.198 [GMT 0:00]
Running from: c:\users\Owner\Downloads\COMBOFIX\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-11-28 16:44 . 2008-11-28 16:44 d-------- c:\users\Owner\AppData\Roaming\Malwarebytes
2008-11-28 16:44 . 2008-11-28 16:44 d-------- c:\users\All Users\Malwarebytes
2008-11-28 16:44 . 2008-11-28 16:44 d-------- c:\programdata\Malwarebytes
2008-11-28 16:44 . 2008-11-28 16:44 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 16:44 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-28 16:44 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-25 21:40 . 2008-10-21 05:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 21:40 . 2008-08-28 03:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 21:40 . 2008-08-28 03:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 21:40 . 2008-08-28 03:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 21:40 . 2008-10-22 03:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-24 20:21 . 2008-11-24 20:21 d-------- c:\program files\iPod
2008-11-24 20:20 . 2008-11-24 20:21 d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 20:20 . 2008-11-24 20:21 d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 20:20 . 2008-11-24 20:21 d-------- c:\program files\iTunes
2008-11-24 20:17 . 2008-11-24 20:18 d-------- c:\program files\QuickTime
2008-11-21 22:46 . 2008-11-21 22:46 d-------- c:\users\Owner\AppData\Roaming\MPEG Streamclip
2008-11-13 20:46 . 2008-08-27 01:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-13 20:45 . 2008-09-10 03:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-13 20:45 . 2008-09-05 05:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-05 20:33 . 2008-11-05 20:33 d-------- c:\users\All Users\WindowsSearch
2008-11-05 20:33 . 2008-11-05 20:33 d-------- c:\programdata\WindowsSearch
2008-11-04 22:06 . 2008-11-04 22:06 d-------- c:\program files\Common Files\PCSuite
2008-11-04 22:06 . 2008-11-04 22:06 d-------- c:\program files\Common Files\Nokia
2008-11-04 22:04 . 2008-11-04 22:04 d-------- c:\users\Owner\{131064f5-6385-46b2-af13-efa5ee87b8dd}
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\System32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 21:44 --------- d-----w c:\programdata\Roxio
2008-12-01 21:14 --------- d-----w c:\users\Owner\AppData\Roaming\OpenOffice.org2
2008-11-24 21:58 --------- d-----w c:\users\Owner\AppData\Roaming\Hewlett-Packard
2008-11-24 21:58 --------- d-----w c:\users\Owner\AppData\Roaming\CyberLink
2008-11-24 21:58 --------- d-----w c:\users\Owner\AppData\Roaming\Apple Computer
2008-11-24 20:21 --------- d-----w c:\program files\Common Files\Apple
2008-11-18 20:23 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-14 14:11 --------- d-----w c:\program files\McAfee
2008-11-04 22:06 --------- d-----w c:\program files\Nokia
2008-11-04 21:59 --------- d-----w c:\programdata\Installations
2008-11-02 22:40 --------- d-----w c:\users\Owner\AppData\Roaming\Roxio
2008-10-27 23:38 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-10-22 19:31 --------- d-----w c:\programdata\Sonic
2008-10-22 19:15 --------- d-----w c:\users\Owner\AppData\Roaming\PC Suite
2008-10-22 18:51 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-10-20 23:25 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-20 22:59 --------- d-----w c:\users\Owner\AppData\Roaming\Nokia
2008-10-17 23:09 --------- d-----w c:\program files\Common Files\Adobe
2008-10-16 21:49 --------- d-----w c:\program files\Java
2008-10-15 23:03 --------- d-----w c:\program files\Windows Mail
2008-10-10 22:16 0 ---ha-w c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2008-10-07 22:11 --------- d-----w c:\programdata\SMSI
2008-10-07 22:11 --------- d-----w c:\program files\Smith Micro
2008-10-07 21:54 --------- d-----w c:\program files\Canon
2008-10-07 21:41 --------- d--h--w c:\programdata\CanonBJ
2008-10-07 21:37 --------- d--h--w c:\program files\CanonBJ
2008-10-07 21:24 174 --sha-w c:\program files\desktop.ini
2008-10-07 21:14 --------- d-----w c:\program files\Windows Sidebar
2008-10-07 21:14 --------- d-----w c:\program files\Windows Calendar
2008-10-07 21:13 --------- d-----w c:\program files\Windows Photo Gallery
2008-10-07 21:13 --------- d-----w c:\program files\Windows Journal
2008-10-07 21:13 --------- d-----w c:\program files\Windows Defender
2008-10-07 21:13 --------- d-----w c:\program files\Windows Collaboration
2008-10-07 20:47 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-10-07 20:47 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-10-06 22:45 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-10-06 22:45 --------- d-----w c:\programdata\PC Suite
2008-10-06 22:40 --------- d-----w c:\program files\DIFX
2008-10-06 22:37 --------- d-----w c:\program files\PC Connectivity Solution
2008-10-06 20:24 --------- d-----w c:\programdata\Apple Computer
2008-10-06 20:23 --------- d-----w c:\program files\Bonjour
2008-10-06 20:22 --------- d-----w c:\program files\Apple Software Update
2008-10-06 20:20 --------- d-----w c:\programdata\Apple
2008-10-06 20:01 --------- d-----w c:\program files\OpenOffice.org 2.4
2008-10-06 19:38 --------- d-----w c:\program files\Google
2008-10-06 19:30 --------- d-----w c:\program files\Sky Broadband
2008-10-06 19:09 --------- d-----w c:\users\Owner\AppData\Roaming\HP
2008-10-06 19:09 --------- d-----w c:\programdata\HP
2008-10-06 11:30 --------- d-----w c:\programdata\SUPERAntiSpyware.com
2008-10-06 11:19 --------- d-----w c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2008-10-06 11:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-06 08:12 --------- d-----w c:\programdata\McAfee
2008-10-06 08:09 --------- d-----w c:\program files\Common Files\McAfee
2008-10-06 08:08 --------- d-----w c:\program files\McAfee.com
2008-10-03 14:54 269,312 ----a-w c:\windows\System32\es.dll
2008-10-03 14:36 61,440 ----a-w c:\windows\System32\winipsec.dll
2008-10-03 14:36 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2008-10-03 14:36 28,672 ----a-w c:\windows\System32\FwRemoteSvr.dll
2008-10-03 14:36 272,896 ----a-w c:\windows\System32\polstore.dll
2008-10-03 14:34 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-10-03 14:34 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-10-03 14:34 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-03 14:34 28,160 ----a-w c:\windows\System32\Apphlpdm.dll
2008-10-03 14:34 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-10-03 14:34 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-10-03 14:34 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-03 14:34 1,695,744 ----a-w c:\windows\System32\gameux.dll
2008-10-03 14:30 --------- d-----w c:\program files\CONEXANT
2008-10-03 14:23 2,048 ----a-w c:\windows\System32\tzres.dll
2008-10-03 14:21 303,616 ----a-w c:\windows\System32\wmpeffects.dll
2008-10-03 14:18 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-03 14:05 988,216 ----a-w c:\windows\System32\winload.exe
2008-10-03 14:05 927,288 ----a-w c:\windows\System32\winresume.exe
2008-10-03 14:05 615,992 ----a-w c:\windows\System32\ci.dll
2008-10-03 14:05 6,656 ----a-w c:\windows\System32\kbd106n.dll
2008-10-03 14:05 46,592 ----a-w c:\windows\System32\setbcdlocale.dll
2008-10-03 14:05 40,960 ----a-w c:\windows\System32\srclient.dll
2008-10-03 14:05 378,368 ----a-w c:\windows\System32\srcore.dll
2008-10-03 14:05 318,464 ----a-w c:\windows\System32\rstrui.exe
2008-10-03 14:05 19,000 ----a-w c:\windows\System32\kd1394.dll
2008-10-03 14:05 14,848 ----a-w c:\windows\System32\srdelayed.exe
2008-10-03 14:02 295,936 ----a-w c:\windows\System32\gdi32.dll
2008-10-03 13:59 14,848 ----a-w c:\windows\System32\wshrm.dll
2008-10-03 13:59 113,664 ----a-w c:\windows\system32\drivers\rmcast.sys
2008-10-03 13:56 84,480 ----a-w c:\windows\System32\INETRES.dll
2008-10-03 13:56 738,304 ----a-w c:\windows\System32\inetcomm.dll
2008-10-03 13:56 1,314,816 ----a-w c:\windows\System32\quartz.dll
2008-10-03 13:53 --------- d-----w c:\program files\Microsoft Works
2008-10-03 13:52 --------- d-----w c:\program files\MSXML 4.0
2008-10-03 13:16 53,448 ----a-w c:\windows\System32\wuauclt.exe
2008-10-03 13:16 45,768 ----a-w c:\windows\System32\wups2.dll
2008-10-03 13:16 1,811,656 ----a-w c:\windows\System32\wuaueng.dll
2008-10-03 13:16 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-03 13:15 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-03 13:15 563,912 ----a-w c:\windows\System32\wuapi.dll
2008-10-03 13:15 36,552 ----a-w c:\windows\System32\wups.dll
2008-10-03 13:14 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-03 13:14 163,904 ----a-w c:\windows\System32\wuwebv.dll
2008-10-03 13:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-03 12:59 --------- d-----w c:\programdata\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-18 1805552]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-06 39408]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"HPsetm"="c:\users\Owner\AppData\Roaming\Google\dwm.exe" [2008-11-24 104960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1021224]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"NapsterShell"="c:\program files\Napster\napster.exe" [2006-09-06 323216]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-07 20:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-537077918-208727484-728856451-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E673E3DB-F26B-401C-8286-2C5084B6024B}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{668EEA5A-A3E8-43B9-906E-2D3684E12F54}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{5B82BE7A-BF4F-4F7E-AD54-84DF48F37A94}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{4C3FDCE5-D95E-4D99-AB74-1F7E1CCDB217}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{57C0B6BF-7350-497C-B699-1815B6204EDC}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{86A1B292-CD3A-4FED-BC65-F4AEC9CA9FFA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{82C0D23B-8608-4C40-80F4-0EEDAD54BBEF}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F9A6FA72-1DD9-4F63-AB12-3E2D8EFC1CC2}"= UDP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{27AA47AF-93F8-49E3-8134-B304CA282F8B}"= TCP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)

R2 Stuffit Archive Name Service;Stuffit Archive Name Service;"c:\program files\Smith Micro\StuffIt11\ArcNameService.exe" [2007-07-18 157000]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-06 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-10-06 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 23:44:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2868)
c:\users\Owner\AppData\Roaming\Google\lrpovl.dll
.
Completion time: 2008-12-01 23:47:15
ComboFix-quarantined-files.txt 2008-12-01 23:47:07

Pre-Run: 8,843,087,872 bytes free
Post-Run: 8,679,280,640 bytes free

236 --- E O F --- 2008-12-01 21:17:53

Hello.
CF missed the malware in the first run, so lets get it now.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\users\Owner\AppData\Roaming\Google\dwm.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPsetm"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Tried do as requested. However as ComboFix started its scan, I got a blue screen stating "BAD POOL ..." (couldn't read all off it before Windows shut down.
When windows restarted in normal mode I got this Window pop up:

Windows has recovered from an unexpected shutdown

Details of the error were:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057

Additional information about the problem:
BCCode: c2
BCP1: 0000000D
BCP2: 849FAB88
BCP3: 20206F49
BCP4: 8E8D5353
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\WINDOWS\Minidump\Mini120208-01.dmp
C:\Users\Owner\AppData\Local\Temp\WER-94021-0.sysdata.xml
C:\Users\Owner\AppData\Local\Temp\WER6315.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

Okay, never seen that before. Nevermind though, we can use this.

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :processes
  explorer.exe
  
  :files
  c:\users\Owner\AppData\Roaming\Google\dwm.exe
  
  :reg
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "HPsetm"=-
  
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  [reboot]
  
  
  
  
• Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Hi,

Thanks for advice.

I did as you said, but made the mistake of not copying the results window before clicking on yes to reboot to complete the move process. I thought you would need the results after the reboot but the OtMoveIt3 did not reopen on reboot.
Is there anyway I can get the results now?

Sorry for my error.

There might be the report saved to a .txt file or a .log file in the _OTMoveIt folder.
Take a look for it.

Found it:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\users\Owner\AppData\Roaming\Google\dwm.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HPsetm not found.
========== COMMANDS ==========
File delete failed. C:\Users\Owner\AppData\Local\Temp\Low\~DFEEC1.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Owner\AppData\Local\Temp\Low\~DFF350.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Owner\AppData\Local\Temp\ehmsas.txt scheduled to be deleted on reboot.
File delete failed. C:\Users\Owner\AppData\Local\Temp\NGLALog.txt scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\mcmsc_6Slqh04U6uQOOgC scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mcmsc_IvqTtPzZ4vloxui scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mcmsc_JdyFK4XQVqRw0UN scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mcmsc_jJ21jSS0U76nJeb scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mcmsc_k8UBSUnCLJA2azX scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\WFVB8F3.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12022008_204921


PS I've not had the Spyware.ISpynow pop up since doing this.

Ah, good.
Combofix log looks good, no problems remain?

Belahzur wrote:

Ah, good.
Combofix log looks good, no problems remain?

No all seems fine!

Can't thank you enough for your help.

Heh, no problem.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  
• Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  - Java 2 Runtime Environment, SE v1.4.2
  - J2SE Runtime Environment 5.0
  - J2SE Runtime Environment 5.0 Update 2
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
  

Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

• First, unzip it.
  
• Then run JavaRa.
  
• Select English from the drop down menu and press Select.
  
• This will open JavaRa.
  
• Press Remove older versions
  
• Press yes to the prompt.
  
• It will make a log file of what it's removed.
  
• Copy and paste the log back here.
  

Did as above.

JavaRa said it had removed an older file. It said it had created a log in the C drive and would open thr log now. I clicked on Ok but the log didn't open. I've looked for it in C but can't find it.

No problem, don't really need to see it.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

I'm running Vista. There is no Turn Off system restore (or not that I can find.

However, there is an option to create a restore point right now. Should I use this option?

My bad.
See here for Vista.
http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.