Hello and merry Christmas to everybody. Recently my Panda Internet Security 2009 reported that I have 4 spyware detected. Can somebody help me out with this? I use Panda Internet Security to scan but I don't know if it is removed. The spyware still shows in Panda as last incident spyware detected. Any help would be appreciated.

Download and run the scans from these programs and post their logs please.
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

After I did a scan with Malwarebytes and HijackThis, my Panda Security reports that the virus is neutralized! Unfortunately Malwarebytes and HijackThis didn't detect it; is it because the virus was neutralized? Thanks a lot!
Result of Malwarebytes
Malwarebytes' Anti-Malware 1.31
Database version: 1548
Windows 6.0.6001 Service Pack 1
12/26/2008 12:01:25 AM
mbam-log-2008-12-26 (00-01-25).txt
Scan type: Quick Scan
Objects scanned: 48116
Time elapsed: 6 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Result of hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:16 PM, on 12/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2009\WebProxy.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\ApVxdWin.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SOUNDMAN.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Panda Security\Panda Internet Security 2009\PavBckPT.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\wsqmcons.exe
C:\Users\Duhh\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2009\APVXDWIN.exe" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2009\Inicio.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\pavsrvx86.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2009\firewall\PSHOST.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exe
--
End of file - 4996 bytes

To run this scan you must be offline and have Panda disabled. You may have to do a google search for info on how to temporarily disable your version of Panda.
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case, to run Combofix do the following:
1. Go offline, turn off your Panda antivirus and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Jabuck ?
He didn't say that he still has a virus/spyware; he said he's not sure if the virus/spyware is still there.
If Panda has discovered the virus, I'm sure it has already removed it.
"the spyware still show in panda as last incident spyware detected"
This probably means that the last virus/spyware it has detected was the 4 spywares.
After a few days it will probably find other viruses/spyware and then it will say the same thing again; however, it will not say the 4 spywares it has discovered before.
It will then contain the newly discovered viruses/spyware.
This log updates itself with the latest discovered viruses only!

Hellfire, Panda didn't make the "neutralized" statement until after Malwarebytes was run which means it probably could not remove the baddie without some help.
We are looking for remnants of the virus and are aware of what "neutralized" means when expressed by Panda.
Thanks for the insight though.

Below is the result of ComboFix. Also, I uninstalled Panda Security just to run ComboFix because ComboFix won't run with Panda installed or disabled. From what I see, ComboFix won't run, so I decided to uninstall Panda and run ComboFix, and sure enough it ran. Also, before I uninstalled Panda, a warning message from Panda Security said: "a dangerous operation ! by a program ! has been detected and blocked". The ! is inside 0 but ! is like an i or it is 180 degree turn.
08-12-26.03 - Duhh 2008-12-26 21:57:33.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2559.1874 [GMT -5:00]
Running from: c:\users\Duhh\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.
2008-12-26 21:45 . 2008-12-26 21:45 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-26 21:45 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-12-25 23:57 . 2008-12-25 23:57 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-12-25 23:53 . 2008-12-25 23:53 <DIR> d-------- c:\users\Duhh\AppData\Roaming\Malwarebytes
2008-12-25 23:53 . 2008-12-25 23:53 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-25 23:53 . 2008-12-25 23:53 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-25 23:53 . 2008-12-25 23:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-25 23:53 . 2008-12-03 19:59 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-25 23:53 . 2008-12-03 19:59 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-25 19:44 . 2008-12-25 19:44 <DIR> d-------- c:\users\All Users\WindowsSearch
2008-12-25 19:44 . 2008-12-25 19:44 <DIR> d-------- c:\programdata\WindowsSearch
2008-12-25 19:38 . 2008-12-25 19:38 <DIR> d-------- c:\program files\uTorrent
2008-12-25 19:37 . 2008-12-25 22:23 <DIR> d-------- c:\users\Duhh\AppData\Roaming\uTorrent
2008-12-25 16:27 . 2008-12-25 16:28 <DIR> d-------- c:\users\All Users\Lavasoft
2008-12-25 16:27 . 2008-12-25 16:28 <DIR> d-------- c:\programdata\Lavasoft
2008-12-25 16:27 . 2008-12-25 16:27 <DIR> d-------- c:\program files\Lavasoft
2008-12-25 16:25 . 2008-12-25 16:25 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-25 11:50 . 2008-12-25 11:50 <DIR> d-------- C:\PerfLogs
2008-12-25 11:21 . 2008-12-25 11:21 <DIR> d-------- C:\046ae29465861359d052864ade
2008-12-24 19:37 . 2008-01-19 02:33 2,623,488 --a------ c:\windows\System32\SLsvc.exe
2008-12-24 19:37 . 2008-01-19 02:36 1,541,120 --a------ c:\windows\System32\onex.dll
2008-12-24 19:34 . 2008-01-18 22:12 3,662,296 --a------ c:\windows\System32\locale.nls
2008-12-24 19:33 . 2008-01-19 02:34 1,855,488 --a------ c:\windows\System32\dbgeng.dll
2008-12-24 19:32 . 2008-01-19 02:38 4,595,712 --a------ c:\windows\System32\AuthFWSnapin.dll
2008-12-24 19:31 . 2008-01-19 02:33 8,139,264 --a------ c:\windows\System32\ssBranded.scr
2008-12-24 19:30 . 2008-01-19 02:36 2,204,672 --a------ c:\windows\System32\SyncCenter.dll
2008-12-24 19:29 . 2008-01-19 02:33 2,515,968 --a------ c:\windows\System32\accessibilitycpl.dll
2008-12-24 19:28 . 2008-01-19 02:35 3,072,000 --a------ c:\windows\System32\networkmap.dll
2008-12-24 19:27 . 2008-01-19 02:36 2,588,160 --a------ c:\windows\System32\UIHub.dll
2008-12-24 19:26 . 2008-01-19 02:37 1,329,152 --a------ c:\windows\System32\WMSPDMOE.DLL
2008-12-24 19:25 . 2008-01-19 02:32 1,370,624 --a------ c:\windows\System32\Aurora.scr
2008-12-24 19:24 . 2008-01-19 02:35 282,624 --a------ c:\windows\System32\mstext40.dll
2008-12-24 19:23 . 2008-01-19 02:32 5,714,432 --a------ c:\windows\System32\logon.scr
2008-12-24 19:22 . 2008-01-19 02:34 344,064 --a------ c:\windows\System32\msexcl40.dll
2008-12-24 19:21 . 2008-01-19 02:35 450,560 --a------ c:\windows\System32\msxbde40.dll
2008-12-24 19:20 . 2008-01-19 02:34 6,103,040 --a------ c:\windows\System32\chtbrkr.dll
2008-12-24 19:19 . 2008-01-19 01:06 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2008-12-24 19:18 . 2008-01-19 02:33 599,552 --a------ c:\windows\System32\vsp1cln.exe
2008-12-24 19:18 . 2008-01-05 06:31 145,455 --a------ c:\windows\System32\perfmon.msc
2008-12-24 19:18 . 2008-01-05 06:22 144,909 --a------ c:\windows\System32\fsmgmt.msc
2008-12-24 19:18 . 2008-01-05 06:32 120,458 --a------ c:\windows\System32\secpol.msc
2008-12-24 19:18 . 2008-01-05 06:34 15,181 --a------ c:\windows\System32\gatherWirelessInfo.vbs
2008-12-24 19:18 . 2008-01-05 06:21 12,198 --a------ c:\windows\System32\gatherWiredInfo.vbs
2008-12-24 19:18 . 2008-01-19 02:31 7,680 --a------ c:\windows\System32\spwizres.dll
2008-12-24 19:18 . 2008-01-19 02:28 7,168 --a------ c:\windows\System32\f3ahvoas.dll
2008-12-24 19:18 . 2008-01-19 00:37 2,048 --a------ c:\windows\System32\wertargets.wtl
2008-12-24 19:18 . 2008-01-05 06:39 150 --a------ c:\windows\System32\RacUREx.xml
2008-12-24 19:18 . 2008-01-05 06:31 3 --a------ c:\windows\System32\drivers\MsftWdf_Kernel_01007_Inbox_Critical.Wdf
2008-12-24 19:17 . 2008-01-19 02:36 704,512 --a------ c:\windows\System32\SmiEngine.dll
2008-12-24 19:17 . 2008-01-19 02:36 357,888 --a------ c:\windows\System32\wbemcomn.dll
2008-12-24 19:17 . 2008-01-19 02:36 218,624 --a------ c:\windows\System32\wdscore.dll
2008-12-24 19:17 . 2008-01-19 02:36 139,264 --a------ c:\windows\System32\SmiInstaller.dll
2008-12-24 19:17 . 2008-01-19 02:33 130,560 --a------ c:\windows\System32\PkgMgr.exe
2008-12-24 19:17 . 2008-01-19 02:36 129,536 --a------ c:\windows\System32\sqmapi.dll
2008-12-24 19:16 . 2008-01-19 02:34 305,152 --a------ c:\windows\System32\msdelta.dll
2008-12-24 19:16 . 2008-01-19 02:34 258,560 --a------ c:\windows\System32\dpx.dll
2008-12-24 19:16 . 2008-01-19 02:34 246,784 --a------ c:\windows\System32\drvstore.dll
2008-12-24 19:16 . 2008-01-19 02:35 35,328 --a------ c:\windows\System32\mspatcha.dll
2008-12-24 17:53 . 2008-12-24 17:53 <DIR> d-------- c:\program files\KLC
2008-12-24 17:53 . 2004-08-04 03:56 431,616 --a------ c:\windows\System32\temp.000
2008-12-24 17:53 . 2000-05-22 00:00 203,976 --a------ c:\windows\System32\RICHTX32.OCX
2008-12-24 17:53 . 1999-12-07 07:00 61,491 --a------ c:\windows\System32\wbemdisp.TLB
2008-12-24 09:48 . 2008-12-24 09:49 <DIR> d-------- c:\users\All Users\NVIDIA
2008-12-24 09:48 . 2008-12-24 09:49 <DIR> d-------- c:\programdata\NVIDIA
2008-12-24 09:38 . 2008-09-17 23:55 1,108,512 --a------ c:\windows\System32\nvcpluir.dll
2008-12-24 09:38 . 2008-09-17 23:55 797,216 --a------ c:\windows\System32\nvcplui.exe
2008-12-24 09:38 . 2008-09-17 23:55 453,152 --a------ c:\windows\System32\nvuninst.exe
2008-12-24 09:38 . 2008-09-17 23:55 420,384 --a------ c:\windows\System32\nvcpl.cpl
2008-12-24 09:27 . 2008-08-27 22:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-12-24 09:27 . 2008-08-27 22:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-12-24 09:27 . 2008-08-27 22:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-12-24 09:27 . 2007-07-03 17:16 1,820 --a------ c:\windows\System32\rasctrnm.h
2008-12-24 09:26 . 2008-10-21 22:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-12-24 09:26 . 2008-01-19 02:36 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-12-24 09:26 . 2008-01-19 02:36 94,720 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-12-24 09:26 . 2008-01-19 02:34 15,872 --a------ c:\windows\System32\hcrstco.dll
2008-12-24 09:22 . 2008-10-21 00:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-12-24 09:11 . 2008-12-26 20:38 8,627 --a------ c:\windows\System32\PAV_FOG.OPC
2008-12-24 08:59 . 2008-12-24 08:59 <DIR> d-------- c:\users\All Users\Backup
2008-12-24 08:59 . 2008-12-24 08:59 <DIR> d-------- c:\programdata\Backup
2008-12-24 08:57 . 2008-12-26 21:51 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-23 17:01 . 2008-12-23 17:01 269,312 --a------ c:\windows\System32\es.dll
2008-12-22 23:41 . 2008-12-22 22:38 <DIR> d-------- c:\windows\Debug
2008-12-22 23:38 . 2008-12-22 20:43 <DIR> d-------- c:\windows\Panther
2008-12-22 23:38 . 2008-12-25 12:04 <DIR> d--hs---- C:\Boot
2008-12-22 23:38 . 2008-01-19 02:45 333,203 -rahs---- C:\bootmgr
2008-12-22 23:38 . 2008-12-22 23:38 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-12-22 22:24 . 2008-12-22 22:24 361,984 --a------ c:\windows\System32\IPSECSVC.DLL
2008-12-22 22:24 . 2008-12-22 22:24 272,896 --a------ c:\windows\System32\polstore.dll
2008-12-22 22:24 . 2008-12-22 22:24 61,440 --a------ c:\windows\System32\winipsec.dll
2008-12-22 22:24 . 2008-12-22 22:24 28,672 --a------ c:\windows\System32\FwRemoteSvr.dll
2008-12-22 22:16 . 2008-12-22 22:16 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-22 22:15 . 2008-12-22 22:15 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-22 22:13 . 2008-12-22 22:13 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-12-22 22:12 . 2008-12-22 22:12 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-22 22:11 . 2008-12-22 22:11 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-22 22:11 . 2008-12-22 22:11 1,695,744 --a------ c:\windows\System32\gameux.dll
2008-12-22 22:10 . 2008-12-22 22:10 303,616 --a------ c:\windows\System32\wmpeffects.dll
2008-12-22 22:08 . 2008-12-22 22:08 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-12-22 22:08 . 2008-12-22 22:08 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-12-22 22:08 . 2008-12-22 22:08 2,048 --a------ c:\windows\System32\msxml3r.dll
2008-12-22 22:05 . 2008-12-22 22:05 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-22 22:01 . 2008-12-22 22:01 2,927,104 --a------ c:\windows\explorer.exe
2008-12-22 21:59 . 2008-12-22 21:59 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-22 21:53 . 2008-12-22 21:53 988,216 --a------ c:\windows\System32\winload.exe
2008-12-22 21:53 . 2008-12-22 21:53 927,288 --a------ c:\windows\System32\winresume.exe
2008-12-22 21:53 . 2008-12-22 21:53 615,992 --a------ c:\windows\System32\ci.dll
2008-12-22 21:53 . 2008-12-22 21:53 378,368 --a------ c:\windows\System32\srcore.dll
2008-12-22 21:53 . 2008-12-22 21:53 318,464 --a------ c:\windows\System32\rstrui.exe
2008-12-22 21:53 . 2008-12-22 21:53 46,592 --a------ c:\windows\System32\setbcdlocale.dll
2008-12-22 21:53 . 2008-12-22 21:53 40,960 --a------ c:\windows\System32\srclient.dll
2008-12-22 21:53 . 2008-12-22 21:53 19,000 --a------ c:\windows\System32\kd1394.dll
2008-12-22 21:53 . 2008-12-22 21:53 14,848 --a------ c:\windows\System32\srdelayed.exe
2008-12-22 21:53 . 2008-12-22 21:53 6,656 --a------ c:\windows\System32\kbd106n.dll
2008-12-22 21:51 . 2008-12-22 21:51 443,392 --a------ c:\windows\System32\win32spl.dll
2008-12-22 21:51 . 2008-12-22 21:51 288,768 --a------ c:\windows\System32\drivers\srv.sys
2008-12-22 21:51 . 2008-12-22 21:51 113,664 --a------ c:\windows\System32\drivers\rmcast.sys
2008-12-22 21:51 . 2008-12-22 21:51 37,888 --a------ c:\windows\System32\printcom.dll
2008-12-22 21:51 . 2008-12-22 21:51 14,848 --a------ c:\windows\System32\wshrm.dll
2008-12-22 21:49 . 2008-12-22 21:49 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-22 21:49 . 2008-12-22 21:49 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-22 21:49 . 2008-12-22 21:49 738,304 --a------ c:\windows\System32\inetcomm.dll
2008-12-22 21:49 . 2008-12-22 21:49 98,816 --a------ c:\windows\System32\mfps.dll
2008-12-22 21:49 . 2008-12-22 21:49 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-22 21:49 . 2008-12-22 21:49 84,480 --a------ c:\windows\System32\INETRES.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 17:04 174 --sha-w c:\program files\desktop.ini
2008-12-25 16:51 --------- d-----w c:\program files\Windows Sidebar
2008-12-25 16:51 --------- d-----w c:\program files\Windows Photo Gallery
2008-12-25 16:51 --------- d-----w c:\program files\Windows Mail
2008-12-25 16:51 --------- d-----w c:\program files\Windows Journal
2008-12-25 16:51 --------- d-----w c:\program files\Windows Defender
2008-12-25 16:51 --------- d-----w c:\program files\Windows Collaboration
2008-12-25 16:51 --------- d-----w c:\program files\Windows Calendar
2008-12-25 16:32 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-12-25 16:32 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-12-23 03:11 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-12-23 03:11 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-12-23 03:11 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-12-23 03:11 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-12-23 03:11 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-12-23 03:11 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-12-23 02:17 --------- d-----w c:\program files\MSBuild
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704]
"SoundMan"="SOUNDMAN.EXE" [2008-09-10 c:\windows\SOUNDMAN.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{587D46E1-39B0-4007-A215-387CB134731F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{A2F1CF73-738A-4BE3-BE37-4AFDADCFA95D}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B11F0BB9-10F5-40C8-8D7A-F413F5CC1C5B}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{DB21E17B-39F4-4F18-A6AE-4C725F223417}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2B0CBEB5-31DE-4E64-8E93-974ABDC00262}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R3 ULI526X;ULi M526X 10/100 Ethernet Controller Driver;c:\windows\system32\DRIVERS\ULILAN32.SYS [2006-11-02 30720]
S3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x86.sys [2007-03-12 286208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - WDSetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40deea11-d2de-11dd-8f61-00138f88dfbe}]
\shell\AutoRun\command - WDSetup.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Media Codec Update Service - c:\program files\Essentials Codec Pack\update.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-26 22:00:34
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-26 22:06:07
ComboFix-quarantined-files.txt 2008-12-27 03:05:56
Pre-Run: 125,078,913,024 bytes free
Post-Run: 125,028,601,856 bytes free
201 --- E O F --- 2008-12-25 18:39:25
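
Added example (not part of the original thread, and not code from HijackThis or ComboFix): a Python triage of the two logs posted above that lists HijackThis entries marked "(file missing)" and cross-references the O4 autoruns against ComboFix's "ORPHANS REMOVED" section. The sample lines are copied from the logs in this thread; the function names and regular expressions are assumptions based only on the line shapes shown here.

```python
import re
from collections import namedtuple

# Constructed samples: lines copied from the HijackThis and ComboFix logs in this thread.
HJT_SAMPLE = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""
COMBOFIX_SAMPLE = r"""
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Media Codec Update Service - c:\program files\Essentials Codec Pack\update.exe
**************************************************************************
"""

Entry = namedtuple("Entry", "code body missing")

# Assumed line shapes, taken from the logs shown in this thread.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
HJT_RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CF_ORPHAN = re.compile(r"^(?P<hive>HKLM|HKCU)-[^-]+-(?P<name>.+?) - (?P<target>.+)$")


def parse_hijackthis(text):
    """Return one Entry per R/F/N/O line; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            body = m.group("body")
            # HijackThis appends this marker when the referenced file is not on disk.
            entries.append(Entry(m.group("code"), body, body.endswith("(file missing)")))
    return entries


def autoruns(entries):
    """Map (hive, value name) -> command line for O4 Run-key entries."""
    found = {}
    for e in entries:
        m = HJT_RUN.match(e.body) if e.code == "O4" else None
        if m:
            found[(m.group("hive"), m.group("name"))] = m.group("cmd")
    return found


def combofix_orphans(text):
    """Return (hive, value name) pairs listed under ORPHANS REMOVED."""
    found, in_section = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if "ORPHANS REMOVED" in line:
            in_section = True
            # Forum pastes sometimes fuse the header with the first entry.
            line = line.split("- - - -")[-1].strip()
        elif line.startswith("*"):
            in_section = False  # the row of asterisks starts the next section
        if in_section:
            m = CF_ORPHAN.match(line)
            if m:
                found.add((m.group("hive"), m.group("name")))
    return found


def review(hjt_text, combofix_text):
    """Summarise what a helper would look at first in the two logs."""
    entries = parse_hijackthis(hjt_text)
    runs = autoruns(entries)
    # Registry value names are case-insensitive, so compare in lower case.
    removed = {(h, n.lower()) for h, n in combofix_orphans(combofix_text)}
    return {
        "file_missing": [e.body for e in entries if e.missing],
        "removed_by_combofix": sorted(k for k in runs if (k[0], k[1].lower()) in removed),
        "still_listed": sorted(k for k in runs if (k[0], k[1].lower()) not in removed),
    }


if __name__ == "__main__":
    for section, items in review(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(section)
        for item in items:
            print("   ", item)
```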

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
Folder::
C:\046ae29465861359d052864ade
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto start, click "run".
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note** To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

When I try to run Kaspersky, there is a problem. The problem is that it can't be run because it says that Java is not enabled in my web browser. How do I fix that? I checked my Firefox and it's enabled already, yet still nothing happens.

Go to start > control panel > internet options, then:
1. Select the Advanced Tab, and scroll down to "Java (Sun)"
2. Check the box next to the Java version
3. Next, select the Security Tab, and select the "Custom Level" button
4. Scroll down to "Scripting of Java applets"
5. Make sure the "Enable" radio button is checked.
6. Click OK to save your preference.

Try this scanner.
Please run ESET's online scanner from this link:
1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the ActiveX control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

So I finally got the Kaspersky to work and here is the result. From what I see I'm not infected; I think it's because my Panda quantified this spyware. In the future, if my PC is infected with any kind of virus, would this process work too? Thanks for helping out!
----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 19:57:37
Records in database: 1525514
----------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Files scanned: 73665
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:47:39
No malware has been detected. The scan area is clean.
The selected area was scanned.

For now it will, but in this ever-changing world these tools could have to be purchased in the future. And there are always newer tools/procedures being used to fight viri and spyware.
Glad we could help.
