Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spy Sheriff


  • Please log in to reply

#1
spysheriffsucks

spysheriffsucks

    New Member

  • Member
  • Pip
  • 1 posts
Hello,

I need some help! I have been hit with the Spy Sheriff malware! I hate this dam thing. I have seen from other posting some other people are struggling with this too. So I followed all the recommend suggestions and it is still here.

These are the steps I have taken:

Backgroud: WINDOWS XP system SP2 and all latest security patches
IExplorer v6.0 with SP2

1) I first download and ran Cleanup!
2) Then I ran EWIDO Security Suite in Safe mode after getting latest updates
3) I reboot and ran AD-Ware SEv1.06r1 with latest updates.

Here is my Hijack file and my Ewidow Security Log and HIJACKTHIS log. Please help!

Logfile of HijackThis v1.99.1
Scan saved at 6:08:58 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\navw32.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\cgregory\My Documents\My Downloads\Virus cleanup tools\Hijack this\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Mytkxl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Vonage] C:\Program Files\Vonage\Vonage Click-2-Call\click2call.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serve...om/cab/Live.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\ePOAgent\naimas32.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:17:24 AM, 6/18/2005
+ Report-Checksum: 50813627

+ Date of database: 6/18/2005
+ Version of scan engine: v3.0

+ Duration: 376 min
+ Scanned Files: 120535
+ Speed: 5.34 Files/Second
+ Infected files: 39
+ Removed files: 39
+ Files put in quarantine: 39
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINNT\bsx32\XTFL2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\ADVC3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\INK1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\BID1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\CARD2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\EML1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\uninstIU.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\Documents and Settings\cgregory\My Documents\My Webs\Password Tool\Passtool3\bvq.exe -> TrojanDownloader.INService.cx -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@mywebsearch[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@mywebsearch[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@fastclick[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@mediaplex[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@doubleclick[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@atdmt[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@fastclick[2].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@z1.adserver[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@atdmt[2].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP507\A0067286.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP507\A0067289.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP508\A0067396.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP508\A0067399.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP494\A0066165.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP494\A0066168.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP496\A0066191.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP496\A0066192.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP496\A0066193.exe -> Spyware.SaveNow.t -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP500\A0066223.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP500\A0066226.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP503\A0066275.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP503\A0066278.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067760.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067795.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067798.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067800.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067811.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP504\A0066289.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP504\A0066292.exe -> Trojan.P2E.br -> Cleaned with backup


::Report End

PLEASE HELP!!!! I NEED TO GET RID OF THIS! I also need to figure out how to prevent it from happening again.

Thanks!
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP