Spy Sheriff [RESOLVED]


  • This topic is locked

#16
TerryR

Still no luck I am afraid.

There were some problems however.

Start>Run did not find prefetch and, more worryingly, did not find the Windows folder either. An error message said it had been deleted or moved.
I tried 20 or so times to run Kaspersky but each time a message told me that their database was damaged and it would not run.

I also seem to have lost both my Ewido reports. Both were saved separately to the Desktop in safe mode but disappeared when I rebooted. The second one was clear however.

Hijack Log attached

TerryR



Logfile of HijackThis v1.99.1
Scan saved at 11:30:04, on 29/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
C:\PROGRA~1\COMMON~1\fkqq\fkqqa.exe
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\nsh6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [fkqq] C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0
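Added example, not part of the original thread and not HijackThis code: a short Python triage of a log in the layout posted above. It reports only what the log states about itself (entries marked "(no file)" or "(file missing)", the ProtocolDefaults notice, the count of Trusted Zone domains) plus processes that carry a core Windows process name but run outside the system directory. The name list, the `system_dir` default and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.99.1 layout; GUIDs, example.com and gone.exe are placeholders.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\services.exe
C:\Program Files\Common Files\services.exe
C:\WINNT\Explorer.EXE

R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O9 - Extra button: (no name) - {11111111-1111-1111-1111-111111111111} - %windir%\gone.exe (file missing)
O15 - Trusted Zone: *.example.com
O15 - Trusted Zone: *.example.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the entry text
# Assumption of this example: these names are expected only under the system directory.
SYSTEM_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

def parse(log):
    """Return (running process paths, entries grouped by section code)."""
    procs, entries, in_procs = [], defaultdict(list), False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(log, system_dir=r"c:\winnt\system32"):
    procs, entries = parse(log)
    findings = []
    for p in procs:
        folder, _, name = p.lower().rpartition("\\")
        if name in SYSTEM_NAMES and folder != system_dir:
            findings.append(("process-outside-system-dir", p))
    for code, items in entries.items():
        for item in items:
            if item.endswith(("(no file)", "(file missing)")):
                findings.append(("dangling-" + code, item))
            if code == "O15" and item.startswith("ProtocolDefaults:"):
                findings.append(("zone-protocol-default", item))
    # HKCU and HKLM copies of the same domain are counted once.
    zones = {i.split(": ", 1)[1].replace(" (HKLM)", "") for i in entries["O15"] if i.startswith("Trusted Zone:")}
    findings.append(("trusted-zone-domains", str(len(zones))))
    return findings
```
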



#17
Guest_usetobe_*

How many accounts are there on this PC? Do you have administrator status? And do you sign in with the same account in safe mode and normal mode?
  • 0

#18
TerryR

I am afraid I do not know what you mean by accounts (my computer skills are very limited).

I log in as myself normally but cannot do so in safe mode so I have to log in as administrator.

It is part of a network and I can log in as myself as Safe Networking but everything I have done so far has been as administrator.

TerryR
  • 0

#19
Guest_usetobe_*

You will need to log in as administrator for normal mode as well to get to anything you save on desktop.

Also, do you have your full 2000 installation disc with valid product key, for future reference if needed?
  • 0

#20
Guest_usetobe_*

Please click on the link below and follow the instructions to download Kaspersky trial.

Link

Then follow all of the instructions. We need to clear out Bube infection.

Once that is completed get back to me.

Edited by usetobe, 29 June 2005 - 06:00 AM.

  • 0

#21
TerryR

Disc and number to hand - are you thinking format and reinstall - I am conscious that I am taking up an awful lot of your time

TerryR
  • 0

#22
Guest_usetobe_*

Hey no problem...time is not a factor
  • 0

#23
TerryR

Neither refresh nor Kaspersky link working; I am just being hijacked all over the web (even after rebooting) - I can now recommend several sites for CDs

Terry R
  • 0

#24
Guest_usetobe_*

Do this first, then try the link.

Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Also try this link

Other link
  • 0

#25
TerryR

The Sheriff simply does not want me to use Kaspersky!

I have it downloaded in that it appears on the computer but when I try and use it a message pops up to tell me the database is corrupted. It appears to load new files and then asks me to reboot. When I do the circle starts all over again.

I have tried uninstalling and loading from both links.
  • 0



#26
Guest_usetobe_*

Hi Terry,

You have a really nasty Bube infection. I'm conferring with other specialists to see what we can come up with.

What browser are you using?
  • 0

#27
Guest_usetobe_*

Try this Terry,

Uninstall your version of Kaspersky that you just downloaded

Then click on the link below to see if you can download an older version of Kaspersky. Let me know how that gets on before we go to plan B.


Kaspersky old
  • 0

#28
TerryR

I suppose this is fame of some sort!

Internet Explorer

Terry
  • 0

#29
TerryR

Ok

I now have the old style Kaspersky installed.

I have not updated the files, as prompted, and so far am ignoring the virus prompts.

How would you like me to proceed from here?

Terry
  • 0

#30
Guest_usetobe_*

Run Kaspersky old and allow it to fix anything it finds
SAVE THE LOG TO POST BACK
  • 0





