Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spy Sheriff [RESOLVED]


  • This topic is locked This topic is locked

#1
TerryR

TerryR

    Member

  • Member
  • PipPip
  • 31 posts
Hi. I hope you can help me since I seem to have picked up a Spy Sheriff problem. It has stolen my desktop and hijacks my use of the internet. I have followed all you recommended courses of action other than to update Windows. I keep crashing out of the "Search for updates" page and wonder whether this is a result of the infection.

Hope you can help me lose the bad Sheriff. Hijack log attached.

Terry R

Logfile of HijackThis v1.99.1
Scan saved at 14:28:10, on 14/06/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svhost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\msxct.exe
C:\WINNT\System32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

Advertisements


#2
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help or are your problems resolved.

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe
  • 0

#3
TerryR

TerryR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Thanks for the response. I certainly would appreciate the help. I am using 5 Spyware/Malware programs which all find something but do not cure the problem - took me half the morning to log on. Also had a lot of trouble getting onto your site - could this be a Spy Sheriff issue.

New log attached.

Logfile of HijackThis v1.99.1
Scan saved at 13:49:54, on 20/06/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svhost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\180searchassistant\sac.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [otej] C:\WINNT\otej.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#4
TerryR

TerryR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Sorry just realised I should hasve rebooted before running the log please ignore last log.

new log attached.

Logfile of HijackThis v1.99.1
Scan saved at 14:14:41, on 20/06/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\taskmgr.exe
C:\WINNT\system32\svhost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\180searchassistant\sac.exe
C:\WINNT\otej.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [otej] C:\WINNT\otej.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#5
Guest_usetobe_*

Guest_usetobe_*
  • Guest
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP, or Service Pack 4 if you are running Win2k. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#6
TerryR

TerryR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Thanks again.

Unfortunatley I cannot update. Your link takes me to a blank page and refresh has no effect.

Going through the Microsoft main page/Windows update has the same result

TerryR
  • 0

#7
Guest_usetobe_*

Guest_usetobe_*
  • Guest
*Please go http://www.howtotell.com ]here[/URL] (Microsoft website) using Internet Explorer ( not Firefox or any other browser as they won't work)
*Click on "Windows Validation Assistant"
*Click on the "Validate Now" button.
*Be patient while the ActiveX loads, do not click on any links.
*Read the instructions on this page while it's loading. You will be prompted to install - click YES.
*Enter your product key then click "continue"
*When it says "Validation Complete" please click "Continue to return to your previous activity"
*Copy what it says and paste it here.
  • 0

#8
TerryR

TerryR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi finally able to get back in!

I downloaded Service Pack 4 put could not then boot up. Spy Sheriff immediatley opened up and whether I closed it down or let it run all my icons disappeared and the screen froze.

I was finally able to get back by loading in Safe Network mode and runing Ewido, Adaware and MS Beta 1.

Spy Sheriff is still there and still opens when I boot up but at least I can now get into normal mode.

Latest Hi Jack log attached taken after booting up into normal mode and before runnning any anti spyware programs

TerryR

Logfile of HijackThis v1.99.1
Scan saved at 15:08:48, on 24/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\explorer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\CDILLA64.EXE
C:\WINNT\system32\ntvdm.exe
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#9
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Terry,

Here we go with the fix.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Set PC to show hidden files (click link if you do not know how)LINK

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Using windows explorer locate and delete the following if found

C:\Program Files\DNS\Catcher.dll
C:\WINNT\System32\vbrundll.dll
c:\program files\180searchassistant\sachook.dll
C:\WINNT\System32\laca.dll
C:\WINNT\System32\nso123.dll
C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
C:\WINNT\System32\regsync.exe
C:\WINNT\isrvs\ <<--entire folder
C:\WINNT\System32\082e4923.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe


Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#10
TerryR

TerryR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi

Sorry No luck

It seemed to work at first but within a minute of logging in Spy Sheriff and all his deputy pop ups came flooding back. I attach the requested Logs and some thoughts I had when following your instructions.

smitRem seemed to need XP , I have Windows 2000.

I could not scan Archives in Ewido because it was greyed out.

I could not find the display/desktop/etc commands

As ever I appreciate your help

TerryR

Panda Log

Incident Status Location

Virus:W32/Admincash.B Disinfected Operating system
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/nCase No disinfected C:\WINNT\nytsnmn.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\Catcher.dll
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\sysupd.dll
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsp2.dll
Adware:Adware/nCase No disinfected C:\WINNT\nytsnmn.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\FFISEA~1.EXE
Adware:Adware/Sqwire No disinfected C:\PROGRA~1\COMMON~1\tsa\tsl.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/Maxifiles No disinfected C:\PROGRA~1\COMMON~1\MC-58-~1.EXE
Adware:Adware/SpywareNo No disinfected C:\winstall.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Adware:Adware/nCase No disinfected C:\DOCUME~1\TRegan\LOCALS~1\Temp\180sainstaller.exe
Spyware:Spyware/AdClicker No disinfected C:\WINNT\usta33.ini
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINNT\unstall.exe
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\TRegan\LOCALS~1\Temp\cfout.txt
Adware:Adware/WinTools No disinfected C:\WINNT\hisistheurls.exe
Adware:Adware/Sqwire No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINNT\system32\main.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs
Adware:Adware/SearchExe No disinfected C:\WINNT\Downloaded Program Files\on-line.exe
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsp2.dll
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINNT\inst
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/SpywareNo No disinfected Windows Registry
Adware:Adware/SpySheriff No disinfected C:\winstall.exe
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temp\clnE5.tmp
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\TRegan\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\5UJEFS20\stubinstallerBundle[1].exe
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\5UJEFS20\stubinstallerThin[1].exe
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\dnscatcher[1].exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\nem220[1].dll
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\optimize314[1].exe
Adware:Adware/Beginto No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\EVOLCL8L\sp[1].js
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\protect[1].htm
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\fkqq\fkqqd\fkqqc.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProd1\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProd2\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[Catcher.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsl.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\Catcher.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\tmp.exe
Adware:Adware/Beginto No disinfected C:\Program Files\Lavasoft\Ad-Aware SE Personal\bigtraffic.exe
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\30C480B6-52D6-43BB-91A4-2780FE.asq
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\45A4017E-1FC1-4BDD-A4A7-7A219D.asq
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5F8653B5-49AA-4D9A-8B08-D90188.asq
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\92011946-46D6-48A2-8B45-2B3199.asq
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9CEE2EFA-5C85-4E18-9F93-9A1B8F.asq
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\0A0E2E8E-E95D-4A2B-91D7-BEB8A1\E918ED88-B428-4AB7-9B45-F6CB7D
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\36BBDB59-FE61-4E27-8505-9B9578\450ABC4D-8EBD-46EB-9E4D-1FA0E6
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4E2386F0-8422-4C7F-B2A5-43F667\857169B1-87F4-46AB-8CDF-A0E942
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\BE7D863B-0FF1-40DE-A403-E5096A\73D2CCB3-353F-41BE-83BD-425EA4
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C3C252B8-F08F-4B4F-8C61-2AA1A8\FF291565-0996-4883-85FD-9E1961
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F9C54FAB-2A58-41B4-8B5B-3041E4\272A12AD-EA6F-49EC-97BE-03E411
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\ProcMon.dll
Adware:Adware/Maxifiles No disinfected C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc1.dll
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc4.xpi
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc4.xpi[isearch.jar][isearch.js]
Adware:Adware/Beginto No disinfected C:\WINNT\bigtraffic.exe
Adware:Adware/ISearch No disinfected C:\WINNT\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINNT\deskbar.ini
Spyware:Spyware/Media-motor No disinfected C:\WINNT\Downloaded Program Files\m67m.inf
Adware:Adware/IGuard No disinfected C:\WINNT\Downloaded Program Files\on-line.exe
Virus:W32/Admincash.B Disinfected C:\WINNT\explorer.exe
Adware:Adware/WinTools No disinfected C:\WINNT\hisistheurls.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINNT\inst\3p_1.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\edmond.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\ffisearch.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\msdbhk.dll
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\sysupd.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\msxct1.ini
Adware:Adware/nCase No disinfected C:\WINNT\nytsnmn.exe
Virus:W32/Admincash.B Disinfected C:\WINNT\system32\dllcache\explorer.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Virus:Trj/Delprot.A Disinfected C:\WINNT\system32\drivers\delprot.sys
Adware:Adware/DealHelper No disinfected C:\WINNT\system32\main.exe
Adware:Adware/Maxifiles No disinfected C:\WINNT\system32\mc-58-12-0000093.exe
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsp2.dll
Adware:Adware/ImGiant No disinfected C:\WINNT\system32\protect.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/Sqwire No disinfected C:\WINNT\system32\tsuninst.exe
Adware:Adware/Maxifiles No disinfected C:\WINNT\system32\welcome.txt
Spyware:Spyware/Media-motor No disinfected C:\WINNT\unstall.exe
Spyware:Spyware/AdClicker No disinfected C:\WINNT\usta33.ini
Adware:Adware/Maxifiles No disinfected C:\WINNT\welcome.txt
Adware:Adware/SpywareNo No disinfected C:\winstall.exe
Ewido Log
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 14:18:19, 27/06/2005
+ Report-Checksum: 50A3CC56

+ Date of database: 27/06/2005
+ Version of scan engine: v3.0

+ Duration: 10 min
+ Scanned Files: 20648
+ Speed: 31.71 Files/Second
+ Infected files: 48
+ Removed files: 48
+ Files put in quarantine: 48
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\TRegan\Cookies\tregan@21971720[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\dbn1742[1].exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\mp3[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\Program Files\180searchassistant\sachook.dll -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqa.exe -> TrojanDownloader.TSUpdate.l -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqql.exe -> TrojanDownloader.TSUpdate.j -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqm.exe -> TrojanDownloader.TSUpdate.k -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqp.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\Program Files\Lavasoft\Ad-Aware SE Personal\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\Program Files\MaxiFiles\maxifiles.dll -> Spyware.SearchIt -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4723FBFA-FEDC-4A0A-9825-CB48B3\EF3127D9-B7F5-4196-8842-72FC7D -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\3B2C0B0B-2D9E-4EDD-B9B5-4375EE -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\BDCD546E-E4A3-40B8-A3D2-2DF4B3 -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AE652F50-4471-4E56-B872-4DAE7A\68B84582-A574-410C-ABE6-DCF9CD -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc15.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc18.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc22.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc26.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc30.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc8.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\convert.exe -> Spyware.Small.ga -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\imgthin.exe -> TrojanDownloader.VB.if -> Cleaned with backup
C:\WINNT\isrvs\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINNT\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINNT\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\WINNT\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\sex2.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\system32\nsg2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg45.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg4A.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsi3.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsn2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nso123.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINNT\system32\nsv2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsw2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsx2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\system32\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\system32\svhost.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINNT\system32\vbrundll.dll -> Spyware.SafeSurfing -> Cleaned with backup


::Report End

Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 17:33:29, on 27/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\180searchassistant\sac.exe
C:\WINNT\system32\sex.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsp2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [nytsnmn] C:\WINNT\nytsnmn.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [fkqq] C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

Advertisements


#11
Guest_usetobe_*

Guest_usetobe_*
  • Guest
First, download and install Cleanup but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

C:\WINNT\isrvs\
C:\WINNT\nytsnmn.exe
C:\WINNT\system32\sex.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\DNS\Catcher.dll
C:\WINNT\system32\nsp2.dll
C:\WINNT\nytsnmn.exe
C:\PROGRA~1\COMMON~1\tsa\tsl.exe
C:\PROGRA~1\COMMON~1\MC-58-~1.EXE
C:\winstall.exe
C:\WINNT\system32\cache32_rtneg?
C:\DOCUME~1\TRegan\LOCALS~1\Temp\180sainstaller.exe
C:\WINNT\usta33.ini
C:\WINNT\unstall.exe
C:\DOCUME~1\TRegan\LOCALS~1\Temp\cfout.txt
C:\WINNT\hisistheurls.exe
C:\WINNT\system32\main.exe
C:\WINNT\Downloaded Program Files\on-line.exe
C:\WINNT\system32\nsp2.dll
C:\WINNT\inst
C:\Documents and Settings\TRegan\Favorites\1111\1111.url
C:\WINNT\system32\dload.exe
C:\Program Files\joystick networks
C:\winstall.exe
C:\Documents and Settings\TRegan\Favorites\1111\1111.url
C:\Documents and Settings\TRegan\Local Settings\Temp\clnE5.tmp
C:\Documents and Settings\TRegan\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\5UJEFS20\stubinstallerBundle[1].exe
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\5UJEFS20\stubinstallerThin[1].exe
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\dnscatcher[1].exe
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\nem220[1].dll
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\optimize314[1].exe
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\EVOLCL8L\sp[1].js
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\protect[1].htm
C:\Program Files\Common Files\fkqq\fkqqd\fkqqc.dll
C:\Program Files\Common Files\FreeProd1\mc-58-12-0000093.exe
C:\Program Files\Common Files\FreeProd2\mc-58-12-0000093.exe
C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\system32.dll
C:\Program Files\Common Files\system32.dll[Catcher.dll]
C:\Program Files\Common Files\system32.dll[gui.exe]
C:\Program Files\Common Files\tsa\tsl.exe
C:\Program Files\DNS\Catcher.dll
C:\Program Files\DNS\gui.exe
C:\Program Files\DNS\tmp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\bigtraffic.exe
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\30C480B6-52D6-43BB-91A4-2780FE.asq
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\45A4017E-1FC1-4BDD-A4A7-7A219D.asq
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5F8653B5-49AA-4D9A-8B08-D90188.asq
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\92011946-46D6-48A2-8B45-2B3199.asq
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9CEE2EFA-5C85-4E18-9F93-9A1B8F.asq
C:\Program Files\Microsoft AntiSpyware\Quarantine\0A0E2E8E-E95D-4A2B-91D7-BEB8A1\E918ED88-B428-4AB7-9B45-F6CB7D
C:\Program Files\Microsoft AntiSpyware\Quarantine\36BBDB59-FE61-4E27-8505-9B9578\450ABC4D-8EBD-46EB-9E4D-1FA0E6
C:\Program Files\Microsoft AntiSpyware\Quarantine\4E2386F0-8422-4C7F-B2A5-43F667\857169B1-87F4-46AB-8CDF-A0E942
C:\Program Files\Microsoft AntiSpyware\Quarantine\BE7D863B-0FF1-40DE-A403-E5096A\73D2CCB3-353F-41BE-83BD-425EA4
C:\Program Files\Microsoft AntiSpyware\Quarantine\C3C252B8-F08F-4B4F-8C61-2AA1A8\FF291565-0996-4883-85FD-9E1961
C:\Program Files\Microsoft AntiSpyware\Quarantine\F9C54FAB-2A58-41B4-8B5B-3041E4\272A12AD-EA6F-49EC-97BE-03E411
C:\Program Files\SpySheriff\ProcMon.dll
C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc1.dll
C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc4.xpi
C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc4.xpi[isearch.jar][isearch.js]
C:\WINNT\bigtraffic.exe
C:\WINNT\delprot.ini
C:\WINNT\deskbar.ini
C:\WINNT\Downloaded Program Files\m67m.inf
C:\WINNT\Downloaded Program Files\on-line.exe
C:\WINNT\explorer.exe
C:\WINNT\hisistheurls.exe
C:\WINNT\inst\3p_1.exe
C:\WINNT\isrvs\
C:\WINNT\msxct1.ini
C:\WINNT\nytsnmn.exe
C:\WINNT\system32\dllcache\explorer.exe
No disinfected C:\WINNT\system32\dload.exe
C:\WINNT\system32\main.exe
C:\WINNT\system32\mc-58-12-0000093.exe
C:\WINNT\system32\nsp2.dll
C:\WINNT\system32\protect.exe
C:\WINNT\system32\sex.exe
C:\WINNT\system32\tsuninst.exe
C:\WINNT\system32\welcome.txt
C:\WINNT\unstall.exe
C:\WINNT\usta33.ini
C:\WINNT\welcome.txt
C:\WINNT\system32\richedtr.dll
c:\program files\180searchassistant\sac.exe
C:\WINNT\System32\082e4923.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe


* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

After Cleanup! is finished:
  • Run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot into normal mode.

Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

Exit Add or Remove Programs.

Delete the following, in bold, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R3 - Default URLSearchHook is missing
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsp2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [nytsnmn] C:\WINNT\nytsnmn.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [fkqq] C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll


Close HiJackThis.

RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

After the merged successfully prompt, using Windows Explorer, navigate to the following folder:

C:\Windows\Prefetch

If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

Reboot your computer.

You should be able to change your desktop back to normal now.

Now rescan with Panda active scan

Post the report from Ewido and a new HiJackThis log and the panda scan log
  • 0

#12
TerryR

TerryR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Sorry. Much the same result as before.

When I logged back in out of safe mode The Sheriff had diappeared and I could reinstate my desktop background. The pirate icons were still there together with a number of pop ups.

Unfortunatly Spy Sheriff and and some more popups reappeared when I was half way through the Panda scan.

Just for feed back Cleanup would not let me empty the reycle bins ( the command was not htere) and the Pretech command was greyed out. I could not find the file C:\Windows\Prefetch.

New logs attached

TerryR

Hi Jack

Logfile of HijackThis v1.99.1
Scan saved at 12:12:08, on 28/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
H:\sex.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsn3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Panda
Incident Status Location

Virus:W32/Admincash.B Disinfected Operating system
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\sysupd.dll
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsn3.dll
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/Startpage.AAO No disinfected H:\sex.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\FFISEA~1.EXE
Adware:Adware/Sqwire No disinfected C:\PROGRA~1\COMMON~1\tsa\tsl.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/Maxifiles No disinfected C:\PROGRA~1\COMMON~1\MC-58-~1.EXE
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Adware:Adware/nCase No disinfected C:\Program Files\180searchassistant
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\TRegan\LOCALS~1\Temp\cfout.txt
Adware:Adware/Sqwire No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsn3.dll
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\TRegan\Desktop\Free Sony PS3.url
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINNT\inst
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/SpywareNo No disinfected Windows Registry
Adware:Adware/SpySheriff No disinfected C:\winstall.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\TRegan\Desktop\Free Sony PS3.url
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\TRegan\Desktop\Free Xbox 360.url
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\maxifilesdns[1].zip[Catcher.dll]
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\maxifilesdns[1].zip[gui.exe]
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\nem220[1].dll
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\89E30DA7\dnscatcher[1].exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\89E30DA7\optimize314[1].exe
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\OP2FCPUF\protect[1].htm
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[Catcher.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsl.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\Catcher.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\ProcMon.dll
Adware:Adware/ISearch No disinfected C:\WINNT\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINNT\deskbar.ini
Virus:W32/Admincash.B Disinfected C:\WINNT\explorer.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINNT\inst\3p_1.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\edmond.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\ffisearch.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\msdbhk.dll
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\sysupd.dll
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Adware:Adware/Maxifiles No disinfected C:\WINNT\system32\mc-58-12-0000093.exe
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsn3.dll
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/SpywareNo No disinfected C:\winstall.exe
Virus:W32/Netsky.D.worm Disinfected Mailbox - Terry Regan\Deleted Items\Re: Your archive\your_archive.pif
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Mail Delivery (failure worthing@tmt.uk.com)\message.wav
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Mail Delivery (failure)\msg.doc .scr
Virus:W32/Mabutu.A.worm Disinfected Mailbox - Terry Regan\Deleted Items\Hi\message.zip[message.txt .scr]
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Undelivered Mail Returned to Sender\Re: improved\message_sales.txt.pif
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Re: Delivery Server\details.txt .pif
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Mail Delivery (failure terry_regan@tmt.uk.com)\message.wav
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Re: important\screensaver_terry_regan.zip[details.txt .pif]
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Re: Its me\document.doc .scr
Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 14:18:19, 27/06/2005
+ Report-Checksum: 50A3CC56

+ Date of database: 27/06/2005
+ Version of scan engine: v3.0

+ Duration: 10 min
+ Scanned Files: 20648
+ Speed: 31.71 Files/Second
+ Infected files: 48
+ Removed files: 48
+ Files put in quarantine: 48
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\TRegan\Cookies\tregan@21971720[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\dbn1742[1].exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\mp3[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\Program Files\180searchassistant\sachook.dll -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqa.exe -> TrojanDownloader.TSUpdate.l -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqql.exe -> TrojanDownloader.TSUpdate.j -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqm.exe -> TrojanDownloader.TSUpdate.k -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqp.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\Program Files\Lavasoft\Ad-Aware SE Personal\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\Program Files\MaxiFiles\maxifiles.dll -> Spyware.SearchIt -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4723FBFA-FEDC-4A0A-9825-CB48B3\EF3127D9-B7F5-4196-8842-72FC7D -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\3B2C0B0B-2D9E-4EDD-B9B5-4375EE -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\BDCD546E-E4A3-40B8-A3D2-2DF4B3 -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AE652F50-4471-4E56-B872-4DAE7A\68B84582-A574-410C-ABE6-DCF9CD -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc15.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc18.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc22.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc26.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc30.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc8.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\convert.exe -> Spyware.Small.ga -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\imgthin.exe -> TrojanDownloader.VB.if -> Cleaned with backup
C:\WINNT\isrvs\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINNT\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINNT\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\WINNT\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\sex2.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\system32\nsg2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg45.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg4A.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsi3.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsn2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nso123.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINNT\system32\nsv2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsw2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsx2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\system32\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\system32\svhost.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINNT\system32\vbrundll.dll -> Spyware.SafeSurfing -> Cleaned with backup


::Report End
  • 0

#13
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Ok we'll manually clear out a few things.

Using Disc cleanup in start/all programs/accessories/system tools. clean out all sections.

Set up PC to show hidden files.(Click link if you do not know how)
Show hidden files
Also ensure that you untick 'hide protected operating files'

Uninstall Microsoft Antispyware as it may interfere with what we need to do. You can reinstall it once we have finished with what we need to do.

Now using windows explorer locate

C:\WINDOWS\prefetch folder. If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Now carry out this procedure again

Copy the following into Notepad and save it to desktop.

[/b]C:\Program Files\Common Files\services.exe
C:\WINNT\isrvs\sysupd.dll
C:\WINNT\system32\nsn3.dll
C:\WINNT\isrvs\mfiltis.dll
H:\sex.exe
C:\WINNT\system32\dload.exe
C:\WINNT\isrvs\desktop.exe
C:\WINNT\isrvs\FFISEA~1.EXE
C:\PROGRA~1\COMMON~1\tsa\tsl.exe
C:\WINNT\system32\sex.exe
C:\PROGRA~1\COMMON~1\MC-58-~1.EXE
C:\WINNT\system32\sex.exe
C:\WINNT\system32\cache32_rtneg?
C:\Program Files\180searchassistant
C:\DOCUME~1\TRegan\LOCALS~1\Temp\cfout.txt
C:\WINNT\isrvs
C:\WINNT\system32\nsn3.dll
C:\Documents and Settings\TRegan\Desktop\Free Sony PS3.url
C:\WINNT\inst
C:\Documents and Settings\TRegan\Favorites\1111\1111.url
C:\WINNT\system32\dload.exe
C:\Program Files\joystick networks
C:\winstall.exe
C:\Documents and Settings\TRegan\Desktop\Free Sony PS3.url
C:\Documents and Settings\TRegan\Desktop\Free Xbox 360.url
C:\Documents and Settings\TRegan\Favorites\1111\1111.url
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\maxifilesdns[1].zip[Catcher.dll]
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\maxifilesdns[1].zip[gui.exe]
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\nem220[1].dll
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\89E30DA7\dnscatcher[1].exe
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\89E30DA7\optimize314[1].exe
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\OP2FCPUF\protect[1].htm
C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\system32.dll
C:\Program Files\Common Files\system32.dll[Catcher.dll]
C:\Program Files\Common Files\system32.dll[gui.exe]
C:\Program Files\Common Files\tsa\tsl.exe
C:\Program Files\DNS\Catcher.dll
C:\Program Files\DNS\gui.exe
C:\Program Files\SpySheriff\ProcMon.dll
C:\WINNT\delprot.ini
C:\WINNT\deskbar.ini
C:\WINNT\explorer.exe
C:\WINNT\inst\3p_1.exe
C:\WINNT\isrvs\desktop.exe
C:\WINNT\isrvs\edmond.exe
C:\WINNT\isrvs\ffisearch.exe
C:\WINNT\isrvs\isearch.xpi
C:\WINNT\isrvs\isearch.xpi[isearch.jar][isearch.js]
C:\WINNT\isrvs\mfiltis.dll
C:\WINNT\isrvs\msdbhk.dll
C:\WINNT\isrvs\sysupd.dll
C:\WINNT\system32\dload.exe
C:\WINNT\system32\mc-58-12-0000093.exe
C:\WINNT\system32\nsn3.dll
C:\WINNT\system32\sex.exe
C:\winstall.exe[/b]

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your PC does not reboot automatically, please do it manually.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

[*]Run Ewido.
[*]Click on scanner
[*]Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
[*]Click on Start Scan
[*]Let the program scan the machine
[/list]While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot into normal mode.

Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

Exit Add or Remove Programs.

Delete the following, in bold, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsn3.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll


Close HiJackThis.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

Reboot PC normally

Now scan with the following 2 antivirus programs:

Bitdefender

F-secure

Save the log produced

Rescan with HJT and Post the log plus report from Ewido and virus scans.
  • 0

#14
TerryR

TerryR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi Again

Logs attached so far as I can. I could not work out how to produce an F-secure log but it did find the following viruses

C:\Program Files\Internet Explorer\shttps\start.exe Trojan Proxy.Win32 Delf.t

C:\q257446.exe.Trojan-Downloader.Win32.Small.amb

c:\WINNT\explorer.exe.Virus.Win32.Bube.1

I still have the Sheriff and all his deputies.

I am still unable to find C:\WINDOWS\pretfetch folder


Terry R

Ewido
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 14:18:19, 27/06/2005
+ Report-Checksum: 50A3CC56

+ Date of database: 27/06/2005
+ Version of scan engine: v3.0

+ Duration: 10 min
+ Scanned Files: 20648
+ Speed: 31.71 Files/Second
+ Infected files: 48
+ Removed files: 48
+ Files put in quarantine: 48
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\TRegan\Cookies\tregan@21971720[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\dbn1742[1].exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\mp3[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\Program Files\180searchassistant\sachook.dll -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqa.exe -> TrojanDownloader.TSUpdate.l -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqql.exe -> TrojanDownloader.TSUpdate.j -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqm.exe -> TrojanDownloader.TSUpdate.k -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqp.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\Program Files\Lavasoft\Ad-Aware SE Personal\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\Program Files\MaxiFiles\maxifiles.dll -> Spyware.SearchIt -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4723FBFA-FEDC-4A0A-9825-CB48B3\EF3127D9-B7F5-4196-8842-72FC7D -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\3B2C0B0B-2D9E-4EDD-B9B5-4375EE -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\BDCD546E-E4A3-40B8-A3D2-2DF4B3 -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AE652F50-4471-4E56-B872-4DAE7A\68B84582-A574-410C-ABE6-DCF9CD -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc15.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc18.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc22.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc26.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc30.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc8.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\convert.exe -> Spyware.Small.ga -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\imgthin.exe -> TrojanDownloader.VB.if -> Cleaned with backup
C:\WINNT\isrvs\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINNT\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINNT\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\WINNT\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\sex2.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\system32\nsg2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg45.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg4A.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsi3.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsn2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nso123.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINNT\system32\nsv2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsw2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsx2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\system32\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\system32\svhost.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINNT\system32\vbrundll.dll -> Spyware.SafeSurfing -> Cleaned with backup


::Report End

Hi Jack
Logfile of HijackThis v1.99.1
Scan saved at 15:39:07, on 28/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\sex.exe
C:\WINNT\system32\dload.exe
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsmD1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [fkqq] C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#15
Guest_usetobe_*

Guest_usetobe_*
  • Guest
From Start > Run type prefetch does that open prefetch folder?

Please print out a copy of this.

Carry out the following free online virus scan. For company type anything you wish. Save the log produced

Kaspersky

Please download CCleaner and install it. Close out the program when it has completed set up. Don't run it yet we will use it later )

Click here to Download, install, and update Adaware. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run a scan. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

After it's updated, Reboot into Safe Mode - you can do this by restarting your computer and continually tapping F8 until a menu appears. Use your up arrow to highlight Safe Mode, then hit enter.

Once in Safe Mode, Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

After it's done scanning and you delete the red items, exit Ad-Aware

Now run ewido again and save the log.

Run HJT and check the following entries.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsmD1.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [fkqq] C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll


Ensure no windows open and click fix checked.

Now using windows explorer, locate and delete the following:

C:\Program Files\SpySheriff <<--entire folder
C:\Program Files\Common Files\services.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\sex.exe
C:\WINNT\system32\dload.exe
C:\WINNT\nem220.dll
C:\Program Files\DNS\Catcher.dll
C:\WINNT\isrvs\sysupd.dll
C:\WINNT\system32\nsmD1.dll
C:\WINNT\isrvs <<entire folder
C:\PROGRAM FILES\COMMON FILES\tsa\tsl.exe
C:\WINNT\system32\sex.exe
C:\winstall.exe
C:\PROGRAM FILES\COMMON FILES\fkqq\fkqqm.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\Documents and Settings\TRegan\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\TRegan\Application Data\Install.dat
C:\Windows\Desktop.html


Open CCleaner
To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
(Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Close out CCleaner.

Rescan with Ewido. Save the log.

Reboot PC normally.

Rescan with HJT and post the log, together with the Kaspersky and ewido logs

Edited by usetobe, 29 June 2005 - 04:56 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP