Thread: "Spyware detected" popup - NT19F32.exe
View Single Post
Old 05-09-2008, 12:25 AM   #1 (permalink)
hellfire
Registered User
 
Join Date: May 2008
Posts: 9
OS: XP


"Spyware detected" popup - NT19F32.exe
Hello all.

I'll try to follow the 5 steps as best I can, forgive me if I miss something. Any help is much appreciated.

I was just visiting a web page that I always visit, and all of a sudden my PC reboots. It turns back on, and straight away I get a message from AVG regarding two infections, the first one called "NT19F32.exe" keeps coming back up after I move it to the virus vault (under a different name, so not the same file I suppose... just different numbers), the second of which I cannot recall because it hasn't come up since. Furthermore, my desktop background turned into a blue screen, with the message "Warning! Spyware Detected" or something along those lines, before a popup came up saying:

"Attention! Adware.W32.SpyShredder spyware detected."
It goes on about how it can steal credit cards etc., and then says, "Click yes to get all available antispyware software". Obviously I clicked no, but it continues to come up every 10 minutes or so.

Okay, so here is my log from Deckards:



________________________________________________

Deckard's System Scanner v20071014.68
Run by User on 2008-05-09 16:17:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-05-09 06:17:59 UTC - RP480 - Deckard's System Scanner Restore Point
4: 2008-05-09 05:46:00 UTC - RP479 - Software Distribution Service 3.0
3: 2008-05-09 04:58:51 UTC - RP478 - Software Distribution Service 3.0
2: 2008-05-09 04:52:01 UTC - RP477 - Last good restore point
1: 2008-05-09 04:51:46 UTC - RP476 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:41 PM, on 9/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\LocalService\Local Settings\Application Data\spooll.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\winlogon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\TEMP\scan2.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\User\Desktop\OTHERS~1\User.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmun.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\User\Local Settings\Application Data\spooll.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmun.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\User\Local Settings\Application Data\spooll.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\spooll.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194149208515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://video.vividas.com/media/4190_...vivid_ocx.jpeg
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C85208-D2D7-47FE-A318-6619A49C5D29}: NameServer = 192.168.0.1
O20 - Winlogon Notify: droute - droute.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmun.exe

--
End of file - 7803 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 TBPanel - c:\windows\system32\drivers\tbpanel.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 Cardex - c:\windows\system32\drivers\tbpanel.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 gearsec - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 15:08:34 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-09 15:41:17 0 d-------- C:\ie-spyad_zo
2008-05-09 15:36:06 0 d-------- C:\WINDOWS\LastGood
2008-05-09 15:35:32 1823 --a------ C:\WINDOWS\mozver.dat
2008-05-09 15:35:32 0 d-------- C:\Program Files\Panda Security
2008-05-09 14:50:09 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-09 14:50:06 96256 --a------ C:\WINDOWS\system32\ctfmona.exe
2008-04-22 22:19:36 0 d-------- C:\Program Files\DirectVobSub
2008-04-18 19:39:09 4367 --a------ C:\WINDOWS\system32\rhs.bin
2008-04-18 19:39:02 37737 ---hs---- C:\WINDOWS\system32\drivers\ctfmun.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-09 15:20:15 0 d-------- C:\Documents and Settings\User\Application Data\AVG7
2008-05-09 14:49:45 0 d-------- C:\Program Files\lg_fwupdate
2008-05-08 10:12:23 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-05-08 10:00:53 0 d-------- C:\Program Files\eMule
2008-03-31 09:49:01 0 d-------- C:\Documents and Settings\User\Application Data\TVU Networks
2008-03-18 11:44:11 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-03-10 22:24:39 16752 --a------ C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 08:43 PM C:\WINDOWS\Alcmtr.exe]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [02/06/2006 06:45 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 12:07 AM]
"nwiz"="nwiz.exe" [17/09/2007 12:07 AM C:\WINDOWS\system32\nwiz.exe]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [05/04/2007 10:20 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [19/04/2008 10:43 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 05:20 PM]
"AceGain LiveUpdate"="C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 12:07 AM]
"ntuser"="C:\WINDOWS\system32\drivers\ctfmun.exe" [18/04/2008 07:39 PM]
"autoload"="C:\Documents and Settings\User\Local Settings\Application Data\spooll.exe" [18/04/2008 07:39 PM]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [09/05/2008 02:50 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 10:00 PM]
"PowerBar"="" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34 AM]
"ntuser"="C:\WINDOWS\system32\drivers\ctfmun.exe" [18/04/2008 07:39 PM]
"autoload"="C:\Documents and Settings\User\Local Settings\Application Data\spooll.exe" [18/04/2008 07:39 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"ntuser"=C:\WINDOWS\system32\drivers\ctfmun.exe
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\spooll.exe
"Firewall auto setup"=C:\WINDOWS\TEMP\winlogon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 12:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\droute]
droute.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
C:\Program Files\XpertVision\TBPanel.exe /A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gearsec"=2 (0x2)
"BthServ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Nvsetup.exe

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-05-09 16:19:20 ------------





I've downloaded everything those steps have told me to, and I've done the Pandascan thing. So any help is appreciated. Thanks.
Attached Files
File Type: txt extra.txt (18.9 KB, 3 views)
hellfire is offline