Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

SpySheriff Help Internet Explorer Hijack [RESOLVED]


  • This topic is locked This topic is locked

#1
saint

saint

    Member

  • Member
  • PipPip
  • 11 posts
Hi all,

I just got the Spy Sheriff spyware and am in the process of trying to remove it.

I've read Don77's posts and have followed his directions. Everything went smoothly except at the end. I tried opening up I.E. and all of a sudden, all of the previous program/icons were put back on my desktop. For some reason, I cannot access my I.E. (not to use) without having it re-install all of those shortcuts.

I have NOT found any of the programs that don77 listed in Safe Mode. Any help would be greatly appreciated. Let me know if there is any other information I can provide. The following is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:04 AM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\iTunesHelper.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\WINDOWS\system32\win32.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\saint\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\zolk.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\QuickTime\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\win32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118051712708
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

* I have not ran Spy Sheriff.

Warm Regards,

Bill

Edited by saint, 14 June 2005 - 12:47 AM.

  • 0

Advertisements


#2
saint

saint

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
bump anyone?
  • 0

#3
saint

saint

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
bump #2... can anyone help?
  • 0

#4
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
First, download, install, and run CleanUp! (so the scan won't take as long because cleanup will clear temporary files) *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, backup it up or move it to a permanent folder prior to running Cleanup!

Please download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan and a new HiJackThis log.
  • 0

#5
saint

saint

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi bananafanafo,

Thanks for your help. The following are my hijackthis and ewido log files. I did NOT do the Activescan because that required I.E. only and I am afraid that if I opened up I.E., I will aggrevate the spyware again. I do have avast! anti-V running and that is updated everytime I bootup and go online.

Hijackthis Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:33:39 PM, on 6/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\DOCUME~1\saint\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\saint\Application Data\Mozilla\Profiles\default\14o0adc2.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\zolk.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\win32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118051712708
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:02:11 PM, 6/20/2005
+ Report-Checksum: F5F8C68

+ Date of database: 6/20/2005
+ Version of scan engine: v3.0

+ Duration: 34 min
+ Scanned Files: 62303
+ Speed: 30.04 Files/Second
+ Infected files: 24
+ Removed files: 24
+ Files put in quarantine: 24
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\

+ Scan result:
C:\Documents and Settings\saint\Local Settings\Temporary Internet Files\Content.IE5\01234567\latest[1].exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\lo333988913.exe -> TrojanDownloader.Small.awa -> Cleaned with backup
C:\WINDOWS\sys270.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys271.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys272.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys3046.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys3047.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys505.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\sys506.exe -> Trojan.Crypt.c -> Cleaned with backup
C:\WINDOWS\system32\abc.exe -> TrojanSpy.LdPinch.os -> Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq2.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq5.exe -> TrojanDownloader.Small.awa -> Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq6.exe -> TrojanDownloader.Small.awa -> Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq7.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq8.exe -> TrojanDownloader.Agent.pi -> Cleaned with backup
C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho -> Cleaned with backup
C:\WINDOWS\system32\latest.exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\WINDOWS\system32\maxd.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\vxgamet2.exe -> TrojanDownloader.Small.aqu -> Cleaned with backup
C:\WINDOWS\system32\win32.exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\WINDOWS\system32\zolk.dll -> TrojanDownloader.Agent.pi -> Cleaned with backup
C:\WINDOWS\system32\ztoolber.dll -> Spyware.Zbar -> Cleaned with backup
C:\WINDOWS\system32\~update.exe -> TrojanProxy.Lager.j -> Cleaned with backup
D:\Utilities\NetCat\nc.exe -> Trojan.BDMania -> Cleaned with backup


::Report End

First, download, install, and run  CleanUp! (so the scan won't take as long because cleanup will clear temporary files) *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders.  If you have anything in a temp folder, backup it up or move it to a permanent folder prior to running Cleanup!

Please download Ewido Security Suite

  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears.  Use your up arrow key to highlight Safe Mode, then hit enter.  Then, run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds.  Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan and a new HiJackThis log.

View Post


  • 0

#6
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You need to run ActiveScan and post the results for me...You obviously got infected without using IE in the first place, correct? There is more stuff hiding out that ActiveScan will find that Ewido didn't...

First, we need to disable TeaTimer, temporarily. Otherwise, it could interfere with cleaning your system.
* Open Spybot.
* Click MODE, then check ADVANCED MODE, click YES
* Click TOOLS > RESIDENT.
* Uncheck Teatimer.
* Click ALLOW CHANGE.
* We will enable Teatimer after your system is clean

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl

O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\zolk.dll (file missing)

O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\win32.exe


Close HiJackThis.

Delete the following, in bold, if found:

C:\WINDOWS\system32\win32.exe
C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

Run ActiveScan and post the results from it along with a new HiJackThis log.

Edited by bananafanafo, 20 June 2005 - 11:32 PM.

  • 0

#7
saint

saint

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi bananafanafo,

I have suspicion that it was caused by a file was automatically downloaded (and loaded) while running a game. However, when I did open up I.E. previously (I thought I had gotten rid of it and was going to clean up misc. stuff in I.E.), all of a sudden all of the desktop shortcuts from the spyware came back.

This is why I am hesitant to run ActiveScan as that only works with I.E. If however, you believe this is my only option, I will proceed as instructed.

Edited by saint, 22 June 2005 - 11:55 AM.

  • 0

#8
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I need you to run ActiveScan. If anything comes back we'll get rid of it along with the stuff found by ActiveScan but I doubt anything comes back :tazz:
  • 0

#9
saint

saint

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi bananafanafo,

The following is my ActiveScan and new hijackthis log files:

ActiveScan:

Incident Status Location

Adware:Adware/SaveNow No disinfected C:\Program Files\Save
Adware:Adware/AzeSearch No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected C:\Arc\Utilities\BearShare\Installer\saveinstwm.exe
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\blank.mht
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\zsettings.dll

hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 12:51:31 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\saint\Desktop\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\saint\Application Data\Mozilla\Profiles\default\14o0adc2.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118051712708
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited by saint, 26 June 2005 - 11:53 AM.

  • 0

#10
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You did pick up a new item, but it was not from using IE, it came from Bearshare. Your computer will continue to pick up infections if you continue to use the P2P programs.

Go to Start > Control Panel > Add or Remove Programs and remove the following, if found:

VVSN (or Save or SaveNow)

Exit Add or Remove Programs.

Run HiJackThis. Place a check next to the following item and click FIX CHECKED:

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

Close HiJackThis.

* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\Arc\Utilities\BearShare\Installer\saveinstwm.exe
C:\WINDOWS\blank.mht
C:\WINDOWS\zsettings.dll
C:\Program Files\VVSN\VVSN.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, delete the following folders (in bold):

C:\Program Files\Save
C:\Program Files\VVSN

Post a new HiJackThis log.
  • 0

Advertisements


#11
saint

saint

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi bananafanafo,

hijacklog:
Logfile of HijackThis v1.99.1
Scan saved at 10:28:12 AM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\saint\Desktop\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\saint\Application Data\Mozilla\Profiles\default\14o0adc2.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118051712708
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  • 0

#12
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
How is it running now?
  • 0

#13
saint

saint

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Smooth as a baby's bottom. Thanks so much bananafanafo!!!
  • 0

#14
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're very welcome!! ;)

Congratulations your log is clean! Great job on the clean up :tazz:

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs: *NOTE* If you choose to use one of these firewalls, you will need to disable the Windows firewall that comes with Service pack 2.
  • 0

#15
saint

saint

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
For the firewall, what do you consider to be the "best" (if there is such a thing) of the three?

As a sidebar, do you think any of these three are better than the default windows firewall?

Edited by saint, 28 June 2005 - 12:17 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP