[TerryR]

Hi. I hope you can help me since I seem to have picked up a Spy Sheriff problem. It has stolen my desktop and hijacks my use of the internet. I have followed all you recommended courses of action other than to update Windows. I keep crashing out of the "Search for updates" page and wonder whether this is a result of the infection.

Hope you can help me lose the bad Sheriff. Hijack log attached.

Terry R

Logfile of HijackThis v1.99.1
Scan saved at 14:28:10, on 14/06/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svhost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\msxct.exe
C:\WINNT\System32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

[Advertisements]

Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help or are your problems resolved.

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe

[TerryR]

Thanks for the response. I certainly would appreciate the help. I am using 5 Spyware/Malware programs which all find something but do not cure the problem - took me half the morning to log on. Also had a lot of trouble getting onto your site - could this be a Spy Sheriff issue.

New log attached.

Logfile of HijackThis v1.99.1
Scan saved at 13:49:54, on 20/06/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svhost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\180searchassistant\sac.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [otej] C:\WINNT\otej.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

[TerryR]

Sorry just realised I should hasve rebooted before running the log please ignore last log.

new log attached.

Logfile of HijackThis v1.99.1
Scan saved at 14:14:41, on 20/06/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\taskmgr.exe
C:\WINNT\system32\svhost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\180searchassistant\sac.exe
C:\WINNT\otej.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [otej] C:\WINNT\otej.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

[TerryR]

Thanks again.

Unfortunatley I cannot update. Your link takes me to a blank page and refresh has no effect.

Going through the Microsoft main page/Windows update has the same result

TerryR

[TerryR]

Hi finally able to get back in!

I downloaded Service Pack 4 put could not then boot up. Spy Sheriff immediatley opened up and whether I closed it down or let it run all my icons disappeared and the screen froze.

I was finally able to get back by loading in Safe Network mode and runing Ewido, Adaware and MS Beta 1.

Spy Sheriff is still there and still opens when I boot up but at least I can now get into normal mode.

Latest Hi Jack log attached taken after booting up into normal mode and before runnning any anti spyware programs

TerryR

Logfile of HijackThis v1.99.1
Scan saved at 15:08:48, on 24/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\explorer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\CDILLA64.EXE
C:\WINNT\system32\ntvdm.exe
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\System32\svhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\System32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {794904E4-732F-4412-834E-2FA8FE93AB82} - C:\WINNT\System32\laca.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nso123.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

[TerryR]

Hi

Sorry No luck

It seemed to work at first but within a minute of logging in Spy Sheriff and all his deputy pop ups came flooding back. I attach the requested Logs and some thoughts I had when following your instructions.

smitRem seemed to need XP , I have Windows 2000.

I could not scan Archives in Ewido because it was greyed out.

I could not find the display/desktop/etc commands

As ever I appreciate your help

TerryR

Panda Log

Incident Status Location

Virus:W32/Admincash.B Disinfected Operating system
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/nCase No disinfected C:\WINNT\nytsnmn.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\Catcher.dll
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\sysupd.dll
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsp2.dll
Adware:Adware/nCase No disinfected C:\WINNT\nytsnmn.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\FFISEA~1.EXE
Adware:Adware/Sqwire No disinfected C:\PROGRA~1\COMMON~1\tsa\tsl.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/Maxifiles No disinfected C:\PROGRA~1\COMMON~1\MC-58-~1.EXE
Adware:Adware/SpywareNo No disinfected C:\winstall.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Adware:Adware/nCase No disinfected C:\DOCUME~1\TRegan\LOCALS~1\Temp\180sainstaller.exe
Spyware:Spyware/AdClicker No disinfected C:\WINNT\usta33.ini
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINNT\unstall.exe
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\TRegan\LOCALS~1\Temp\cfout.txt
Adware:Adware/WinTools No disinfected C:\WINNT\hisistheurls.exe
Adware:Adware/Sqwire No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINNT\system32\main.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs
Adware:Adware/SearchExe No disinfected C:\WINNT\Downloaded Program Files\on-line.exe
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsp2.dll
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINNT\inst
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/SpywareNo No disinfected Windows Registry
Adware:Adware/SpySheriff No disinfected C:\winstall.exe
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temp\clnE5.tmp
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\TRegan\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\5UJEFS20\stubinstallerBundle[1].exe
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\5UJEFS20\stubinstallerThin[1].exe
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\dnscatcher[1].exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\nem220[1].dll
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\C96NGLAF\optimize314[1].exe
Adware:Adware/Beginto No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\EVOLCL8L\sp[1].js
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\protect[1].htm
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\fkqq\fkqqd\fkqqc.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProd1\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProd2\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[Catcher.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsl.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\Catcher.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\tmp.exe
Adware:Adware/Beginto No disinfected C:\Program Files\Lavasoft\Ad-Aware SE Personal\bigtraffic.exe
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\30C480B6-52D6-43BB-91A4-2780FE.asq
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\45A4017E-1FC1-4BDD-A4A7-7A219D.asq
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5F8653B5-49AA-4D9A-8B08-D90188.asq
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\92011946-46D6-48A2-8B45-2B3199.asq
Spyware:Spyware/Media-motor No disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9CEE2EFA-5C85-4E18-9F93-9A1B8F.asq
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\0A0E2E8E-E95D-4A2B-91D7-BEB8A1\E918ED88-B428-4AB7-9B45-F6CB7D
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\36BBDB59-FE61-4E27-8505-9B9578\450ABC4D-8EBD-46EB-9E4D-1FA0E6
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4E2386F0-8422-4C7F-B2A5-43F667\857169B1-87F4-46AB-8CDF-A0E942
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\BE7D863B-0FF1-40DE-A403-E5096A\73D2CCB3-353F-41BE-83BD-425EA4
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C3C252B8-F08F-4B4F-8C61-2AA1A8\FF291565-0996-4883-85FD-9E1961
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F9C54FAB-2A58-41B4-8B5B-3041E4\272A12AD-EA6F-49EC-97BE-03E411
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\ProcMon.dll
Adware:Adware/Maxifiles No disinfected C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc1.dll
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc4.xpi
Adware:Adware/ISearch No disinfected C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc4.xpi[isearch.jar][isearch.js]
Adware:Adware/Beginto No disinfected C:\WINNT\bigtraffic.exe
Adware:Adware/ISearch No disinfected C:\WINNT\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINNT\deskbar.ini
Spyware:Spyware/Media-motor No disinfected C:\WINNT\Downloaded Program Files\m67m.inf
Adware:Adware/IGuard No disinfected C:\WINNT\Downloaded Program Files\on-line.exe
Virus:W32/Admincash.B Disinfected C:\WINNT\explorer.exe
Adware:Adware/WinTools No disinfected C:\WINNT\hisistheurls.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINNT\inst\3p_1.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\edmond.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\ffisearch.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\msdbhk.dll
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\sysupd.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\msxct1.ini
Adware:Adware/nCase No disinfected C:\WINNT\nytsnmn.exe
Virus:W32/Admincash.B Disinfected C:\WINNT\system32\dllcache\explorer.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Virus:Trj/Delprot.A Disinfected C:\WINNT\system32\drivers\delprot.sys
Adware:Adware/DealHelper No disinfected C:\WINNT\system32\main.exe
Adware:Adware/Maxifiles No disinfected C:\WINNT\system32\mc-58-12-0000093.exe
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsp2.dll
Adware:Adware/ImGiant No disinfected C:\WINNT\system32\protect.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/Sqwire No disinfected C:\WINNT\system32\tsuninst.exe
Adware:Adware/Maxifiles No disinfected C:\WINNT\system32\welcome.txt
Spyware:Spyware/Media-motor No disinfected C:\WINNT\unstall.exe
Spyware:Spyware/AdClicker No disinfected C:\WINNT\usta33.ini
Adware:Adware/Maxifiles No disinfected C:\WINNT\welcome.txt
Adware:Adware/SpywareNo No disinfected C:\winstall.exe
Ewido Log
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 14:18:19, 27/06/2005
+ Report-Checksum: 50A3CC56

+ Date of database: 27/06/2005
+ Version of scan engine: v3.0

+ Duration: 10 min
+ Scanned Files: 20648
+ Speed: 31.71 Files/Second
+ Infected files: 48
+ Removed files: 48
+ Files put in quarantine: 48
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\TRegan\Cookies\tregan@21971720[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\dbn1742[1].exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\mp3[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\Program Files\180searchassistant\sachook.dll -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqa.exe -> TrojanDownloader.TSUpdate.l -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqql.exe -> TrojanDownloader.TSUpdate.j -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqm.exe -> TrojanDownloader.TSUpdate.k -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqp.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\Program Files\Lavasoft\Ad-Aware SE Personal\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\Program Files\MaxiFiles\maxifiles.dll -> Spyware.SearchIt -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4723FBFA-FEDC-4A0A-9825-CB48B3\EF3127D9-B7F5-4196-8842-72FC7D -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\3B2C0B0B-2D9E-4EDD-B9B5-4375EE -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\BDCD546E-E4A3-40B8-A3D2-2DF4B3 -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AE652F50-4471-4E56-B872-4DAE7A\68B84582-A574-410C-ABE6-DCF9CD -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc15.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc18.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc22.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc26.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc30.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc8.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\convert.exe -> Spyware.Small.ga -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\imgthin.exe -> TrojanDownloader.VB.if -> Cleaned with backup
C:\WINNT\isrvs\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINNT\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINNT\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\WINNT\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\sex2.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\system32\nsg2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg45.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg4A.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsi3.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsn2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nso123.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINNT\system32\nsv2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsw2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsx2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\system32\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\system32\svhost.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINNT\system32\vbrundll.dll -> Spyware.SafeSurfing -> Cleaned with backup


::Report End

Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 17:33:29, on 27/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\180searchassistant\sac.exe
C:\WINNT\system32\sex.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsp2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [nytsnmn] C:\WINNT\nytsnmn.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System backup] C:\WINNT\System32\082e4923.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [fkqq] C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

[TerryR]

Sorry. Much the same result as before.

When I logged back in out of safe mode The Sheriff had diappeared and I could reinstate my desktop background. The pirate icons were still there together with a number of pop ups.

Unfortunatly Spy Sheriff and and some more popups reappeared when I was half way through the Panda scan.

Just for feed back Cleanup would not let me empty the reycle bins ( the command was not htere) and the Pretech command was greyed out. I could not find the file C:\Windows\Prefetch.

New logs attached

TerryR

Hi Jack

Logfile of HijackThis v1.99.1
Scan saved at 12:12:08, on 28/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
H:\sex.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsn3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Panda
Incident Status Location

Virus:W32/Admincash.B Disinfected Operating system
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\sysupd.dll
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsn3.dll
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/Startpage.AAO No disinfected H:\sex.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\FFISEA~1.EXE
Adware:Adware/Sqwire No disinfected C:\PROGRA~1\COMMON~1\tsa\tsl.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/Maxifiles No disinfected C:\PROGRA~1\COMMON~1\MC-58-~1.EXE
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Adware:Adware/nCase No disinfected C:\Program Files\180searchassistant
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\TRegan\LOCALS~1\Temp\cfout.txt
Adware:Adware/Sqwire No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsn3.dll
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\TRegan\Desktop\Free Sony PS3.url
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINNT\inst
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/SpywareNo No disinfected Windows Registry
Adware:Adware/SpySheriff No disinfected C:\winstall.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\TRegan\Desktop\Free Sony PS3.url
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\TRegan\Desktop\Free Xbox 360.url
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\maxifilesdns[1].zip[Catcher.dll]
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\maxifilesdns[1].zip[gui.exe]
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\nem220[1].dll
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\89E30DA7\dnscatcher[1].exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\89E30DA7\optimize314[1].exe
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\OP2FCPUF\protect[1].htm
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[Catcher.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsl.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\Catcher.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\ProcMon.dll
Adware:Adware/ISearch No disinfected C:\WINNT\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINNT\deskbar.ini
Virus:W32/Admincash.B Disinfected C:\WINNT\explorer.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINNT\inst\3p_1.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\edmond.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\ffisearch.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\msdbhk.dll
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\sysupd.dll
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\dload.exe
Adware:Adware/Maxifiles No disinfected C:\WINNT\system32\mc-58-12-0000093.exe
Adware:Adware/Beginto No disinfected C:\WINNT\system32\nsn3.dll
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\system32\sex.exe
Adware:Adware/SpywareNo No disinfected C:\winstall.exe
Virus:W32/Netsky.D.worm Disinfected Mailbox - Terry Regan\Deleted Items\Re: Your archive\your_archive.pif
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Mail Delivery (failure [email protected])\message.wav
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Mail Delivery (failure)\msg.doc .scr
Virus:W32/Mabutu.A.worm Disinfected Mailbox - Terry Regan\Deleted Items\Hi\message.zip[message.txt .scr]
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Undelivered Mail Returned to Sender\Re: improved\message_sales.txt.pif
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Re: Delivery Server\details.txt .pif
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Mail Delivery (failure [email protected])\message.wav
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Re: important\screensaver_terry_regan.zip[details.txt .pif]
Virus:W32/Netsky.P.worm Disinfected Mailbox - Terry Regan\Deleted Items\Re: Its me\document.doc .scr
Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 14:18:19, 27/06/2005
+ Report-Checksum: 50A3CC56

+ Date of database: 27/06/2005
+ Version of scan engine: v3.0

+ Duration: 10 min
+ Scanned Files: 20648
+ Speed: 31.71 Files/Second
+ Infected files: 48
+ Removed files: 48
+ Files put in quarantine: 48
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\TRegan\Cookies\tregan@21971720[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\dbn1742[1].exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\mp3[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\Program Files\180searchassistant\sachook.dll -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqa.exe -> TrojanDownloader.TSUpdate.l -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqql.exe -> TrojanDownloader.TSUpdate.j -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqm.exe -> TrojanDownloader.TSUpdate.k -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqp.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\Program Files\Lavasoft\Ad-Aware SE Personal\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\Program Files\MaxiFiles\maxifiles.dll -> Spyware.SearchIt -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4723FBFA-FEDC-4A0A-9825-CB48B3\EF3127D9-B7F5-4196-8842-72FC7D -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\3B2C0B0B-2D9E-4EDD-B9B5-4375EE -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\BDCD546E-E4A3-40B8-A3D2-2DF4B3 -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AE652F50-4471-4E56-B872-4DAE7A\68B84582-A574-410C-ABE6-DCF9CD -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc15.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc18.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc22.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc26.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc30.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc8.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\convert.exe -> Spyware.Small.ga -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\imgthin.exe -> TrojanDownloader.VB.if -> Cleaned with backup
C:\WINNT\isrvs\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINNT\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINNT\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\WINNT\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\sex2.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\system32\nsg2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg45.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg4A.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsi3.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsn2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nso123.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINNT\system32\nsv2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsw2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsx2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\system32\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\system32\svhost.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINNT\system32\vbrundll.dll -> Spyware.SafeSurfing -> Cleaned with backup


::Report End

[TerryR]

Hi Again

Logs attached so far as I can. I could not work out how to produce an F-secure log but it did find the following viruses

C:\Program Files\Internet Explorer\shttps\start.exe Trojan Proxy.Win32 Delf.t

C:\q257446.exe.Trojan-Downloader.Win32.Small.amb

c:\WINNT\explorer.exe.Virus.Win32.Bube.1

I still have the Sheriff and all his deputies.

I am still unable to find C:\WINDOWS\pretfetch folder


Terry R

Ewido
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 14:18:19, 27/06/2005
+ Report-Checksum: 50A3CC56

+ Date of database: 27/06/2005
+ Version of scan engine: v3.0

+ Duration: 10 min
+ Scanned Files: 20648
+ Speed: 31.71 Files/Second
+ Infected files: 48
+ Removed files: 48
+ Files put in quarantine: 48
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\TRegan\Cookies\tregan@21971720[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\dbn1742[1].exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\N55L46VO\mp3[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\Program Files\180searchassistant\sachook.dll -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqa.exe -> TrojanDownloader.TSUpdate.l -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqql.exe -> TrojanDownloader.TSUpdate.j -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqm.exe -> TrojanDownloader.TSUpdate.k -> Cleaned with backup
C:\Program Files\Common Files\fkqq\fkqqp.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\Program Files\Lavasoft\Ad-Aware SE Personal\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\Program Files\MaxiFiles\maxifiles.dll -> Spyware.SearchIt -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4723FBFA-FEDC-4A0A-9825-CB48B3\EF3127D9-B7F5-4196-8842-72FC7D -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\3B2C0B0B-2D9E-4EDD-B9B5-4375EE -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93BF0D7B-E0F6-46B6-A529-B62DB8\BDCD546E-E4A3-40B8-A3D2-2DF4B3 -> Spyware.Isearch -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AE652F50-4471-4E56-B872-4DAE7A\68B84582-A574-410C-ABE6-DCF9CD -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc15.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc18.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc22.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc26.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc30.exe -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1547161642-1965331169-725345543-1114\Dc8.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\convert.exe -> Spyware.Small.ga -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINNT\imgthin.exe -> TrojanDownloader.VB.if -> Cleaned with backup
C:\WINNT\isrvs\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINNT\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINNT\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\WINNT\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\sex2.exe -> Dialer.Generic -> Cleaned with backup
C:\WINNT\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINNT\system32\nsg2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg45.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsg4A.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsi3.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsn2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nso123.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINNT\system32\nsv2.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINNT\system32\nsw2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsx2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\sefe.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINNT\system32\sex.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINNT\system32\svhost.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINNT\system32\vbrundll.dll -> Spyware.SafeSurfing -> Cleaned with backup


::Report End

Hi Jack
Logfile of HijackThis v1.99.1
Scan saved at 15:39:07, on 28/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\sex.exe
C:\WINNT\system32\dload.exe
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsmD1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [fkqq] C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe