News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected

Topic: A script error and few questions  (Read 3438 times)
« Reply #30 on: May 11, 2012, 00:46:57 »
dvk01 (Administrator)

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up appears press SAVE, choose Desktop in the list of locations in that window, and press Save).

Disable any antivirus/antimalware/firewall real-time protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.

Close any open browsers.
Then drag the CFScript.txt onto the ComboFix.exe or renamed ComboFix icon as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.


Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.

« Reply #31 on: May 12, 2012, 18:26:17 »
isaiah4031

ComboFix 12-05-12.01 - Christopher 05/12/2012  20:56:32.7.1 - x86
Running from: c:\documents and settings\Christopher\Desktop\Isaiah4031.exe
Command switches used :: c:\documents and settings\Christopher\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((   Files Created from 2012-04-13 to 2012-05-13  )))))))))))))))))))))))))))))))
.
.
2012-04-30 03:06 . 2012-04-30 03:06   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2012-04-30 03:04 . 2012-04-30 03:04   157352   ----a-w-   c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-30 03:04 . 2012-04-30 03:04   129976   ----a-w-   c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-23 03:33 . 2012-04-23 03:33   --------   d-----w-   c:\program files\Common Files\Java
2012-04-23 03:25 . 2012-04-23 03:23   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2012-04-23 03:22 . 2012-04-23 03:22   --------   d-----w-   c:\program files\Java
2012-04-19 21:12 . 2012-04-19 21:21   --------   d-----w-   C:\username123
2012-04-14 00:52 . 2012-04-14 00:52   --------   d-----w-   c:\program files\Windows Sidebar
2012-04-14 00:52 . 2012-05-11 02:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-23 03:23 . 2011-02-01 01:54   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2012-04-11 13:12 . 2003-03-11 14:58   1862272   ----a-w-   c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2001-08-17 23:00   2192640   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2001-08-17 23:00   2069120   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-03-01 01:25 . 2004-01-21 21:16   832512   ----a-w-   c:\windows\system32\wininet.dll
2012-03-01 01:25 . 2008-10-28 22:52   78336   ------w-   c:\windows\system32\ieencode.dll
2012-03-01 01:25 . 2003-08-29 16:31   1830912   ------w-   c:\windows\system32\inetcpl.cpl
2012-03-01 01:25 . 2001-08-17 23:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2012-02-29 14:10 . 2001-08-17 23:00   177664   ----a-w-   c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2001-08-17 23:00   148480   ----a-w-   c:\windows\system32\imagehlp.dll
2011-07-27 21:09 . 2011-07-27 21:08   9481028   ----a-w-   c:\program files\Pidgin.exe
2012-04-30 03:04 . 2011-11-12 17:01   97208   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-05-11_04.45.38   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-13 00:16 . 2012-05-13 00:16   16384              c:\windows\Temp\Perflib_Perfdata_5e4.dat
- 2012-05-11 02:46 . 2012-05-11 02:46   16384              c:\windows\Temp\Perflib_Perfdata_5e4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Christopher^Start Menu^Programs^Startup^KeyText.lnk]
path=c:\documents and settings\Christopher\Start Menu\Programs\Startup\KeyText.lnk
backup=c:\windows\pss\KeyText.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 08:44   679936   ----a-w-   c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 16:06   110592   ----a-w-   c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Christopher\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22:TCP"= 22:TCP:GameDesire
"21:TCP"= 21:TCP:GD2
"23:TCP"= 23:TCP:Gd3
"81:TCP"= 81:TCP:GD4
"443:TCP"= 443:TCP:gd5
"1080:TCP"= 1080:TCP:gd6
"3128:TCP"= 3128:TCP:gd7
"8080:TCP"= 8080:TCP:gd9
"5070:UDP"= 5070:UDP:5070
"5060:UDP"= 5060:UDP:5060
.
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\SYSTEM32\DRIVERS\vch.sys [12/31/1979 11:00 AM 18487]
R3 Ich;Ich;c:\windows\SYSTEM32\DRIVERS\Ich.sys [12/31/1979 11:00 AM 65916]
R3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\SYSTEM32\DRIVERS\islp2nds.sys [10/3/2002 7:07 PM 611840]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/29/2012 10:06 PM 129976]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\SYSTEM32\DRIVERS\LSWLNDS.sys [11/8/2002 5:24 PM 54083]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: gamedesire.com\www
TCP: DhcpNameServer = 192.168.254.254
TCP: Interfaces\{99F92F82-A2D3-4FA6-872C-F5A404B907B4}: NameServer = 67.90.152.122,67.107.71.186
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\uxr1x5ok.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-12 21:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1404)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-05-12  21:23:53
ComboFix-quarantined-files.txt  2012-05-13 02:23
ComboFix2.txt  2012-05-11 04:54
ComboFix3.txt  2012-04-20 23:49
.
Pre-Run: 4,840,112,128 bytes free
Post-Run: 4,797,276,160 bytes free
.
- - End Of File - - 16D1840E89AF596A8DB7892E576A997D
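The firewall policy block in the log above is the part of this kind of ComboFix output a responder reads first: the standard-profile firewall is switched off (EnableFirewall = 0) and eight TCP ports are globally open with hand-typed looking labels, while the two UDP exceptions are the standard SIP ports, which is consistent with the VoIP client (magicJack.exe) in the authorised-application list. The following Python script is an added example, not part of this thread or of ComboFix: it parses that block into structured data and lists the entries worth asking the user about. The section names and regular expressions are mine, derived from the log format shown above; the SERVER_PORTS table is my own choice of inbound listeners a home workstation rarely needs; and the sample input is the firewall block copied from the posted log. Flagged entries are questions for the machine's owner, not proof of compromise.

```python
r"""Triage the Windows Firewall policy block of a ComboFix log.

ComboFix prints the XP-era firewall policy under "Reg Loading Points",
abbreviating the services hive as "HKLM\~\services".  This pulls out the
standard-profile on/off flag, the authorised-application list and the
globally open ports, then flags unusual inbound listeners.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Section headers exactly as ComboFix writes them (derived from the posted log).
FW_PROFILE = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
FW_APPS = FW_PROFILE[:-1] + r"\AuthorizedApplications\List]"
FW_PORTS = FW_PROFILE[:-1] + r"\GloballyOpenPorts\List]"

# Inbound listeners an unmanaged home PC rarely needs (my own list).  An entry
# here is a question for the machine's owner, not evidence of compromise.
SERVER_PORTS = {
    (21, "TCP"): "FTP control",
    (22, "TCP"): "SSH",
    (23, "TCP"): "Telnet",
    (81, "TCP"): "alternate HTTP",
    (443, "TCP"): "HTTPS server",
    (1080, "TCP"): "SOCKS proxy",
    (3128, "TCP"): "HTTP proxy (Squid default)",
    (8080, "TCP"): "HTTP proxy / alternate HTTP",
}

ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
APP_RE = re.compile(r'^"(.+)"=$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')


@dataclass
class FirewallPolicy:
    enabled: Optional[bool] = None  # None if the key was absent from the log
    apps: List[str] = field(default_factory=list)
    ports: List[Tuple[int, str, str]] = field(default_factory=list)  # (port, proto, label)


def parse_firewall(log: str) -> FirewallPolicy:
    """Walk the log line by line, remembering which [section] we are inside."""
    pol = FirewallPolicy()
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line
            continue
        if section == FW_PROFILE:
            m = ENABLE_RE.match(line)
            if m:
                pol.enabled = m.group(1) != "0"
        elif section == FW_APPS:
            m = APP_RE.match(line)
            if m:
                # Paths are exported with doubled backslashes; undo that.
                pol.apps.append(m.group(1).replace("\\\\", "\\"))
        elif section == FW_PORTS:
            m = PORT_RE.match(line)
            if m:
                pol.ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return pol


def findings(pol: FirewallPolicy) -> List[str]:
    """Human-readable triage notes, firewall state first."""
    out = []
    if pol.enabled is False:
        out.append("standard-profile firewall is DISABLED (EnableFirewall=0)")
    for port, proto, label in pol.ports:
        what = SERVER_PORTS.get((port, proto))
        if what:
            out.append(f"inbound {port}/{proto} open ({what}); exception labelled {label!r}")
    return out


# Sample input: the firewall block copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Christopher\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22:TCP"= 22:TCP:GameDesire
"21:TCP"= 21:TCP:GD2
"23:TCP"= 23:TCP:Gd3
"81:TCP"= 81:TCP:GD4
"443:TCP"= 443:TCP:gd5
"1080:TCP"= 1080:TCP:gd6
"3128:TCP"= 3128:TCP:gd7
"8080:TCP"= 8080:TCP:gd9
"5070:UDP"= 5070:UDP:5070
"5060:UDP"= 5060:UDP:5060
"""

if __name__ == "__main__":
    policy = parse_firewall(SAMPLE_LOG)
    print(f"firewall enabled: {policy.enabled}")
    for note in findings(policy):
        print(" -", note)
```

Run against the sample it reports the disabled firewall and the eight TCP exceptions; the SIP ports (5060/5070 UDP) are parsed but not flagged. To use it on a full log, pass the whole ComboFix.txt to parse_firewall: the section tracking ignores everything outside the three firewall keys.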
« Reply #32 on: May 13, 2012, 09:53:28 »
dvk01 (Administrator)

Has that helped at all, or are you still having problems?

« Reply #33 on: May 13, 2012, 18:26:30 »
isaiah4031

It has helped and all is good now. Can I delete ComboFix from my computer?

Thanks again


« Reply #34 on: May 13, 2012, 23:35:33 »
dvk01 (Administrator)

*Follow these steps to uninstall ComboFix and the other tools it downloaded to remove the malware*
*  Click START, then RUN.
*  Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.


This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop, then reboot.

Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

Then scan here http://secunia.com/vulnerability_scanning/online/ for out-of-date and vulnerable common applications on your computer, and update whatever it suggests. Download and use the PSI version (not the OSI, the in-browser Java version), as I no longer recommend having Java installed on the computer at all unless it is absolutely necessary, because of the too-high risk of malware infiltration.

Then pay an urgent visit to Windows Update and make sure you are fully updated; that will help to plug the security holes that let these pests in in the first place. If Windows Update doesn't work, please come back and tell us.