I need some help! I have been hit with the Spy Sheriff malware! I hate this damn thing. I have seen from other postings that some other people are struggling with this too. So I followed all the recommended suggestions and it is still here.
These are the steps I have taken:
Background: WINDOWS XP system, SP2 and all latest security patches
IExplorer v6.0 with SP2
1) I first downloaded and ran Cleanup!
2) Then I ran EWIDO Security Suite in Safe Mode after getting the latest updates.
3) I rebooted and ran Ad-Aware SE v1.06r1 with the latest updates.
Here are my HijackThis file, my Ewido Security log, and my HijackThis log. Please help!
Logfile of HijackThis v1.99.1
Scan saved at 6:08:58 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\navw32.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\cgregory\My Documents\My Downloads\Virus cleanup tools\Hijack this\HijackThis.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Mytkxl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Vonage] C:\Program Files\Vonage\Vonage Click-2-Call\click2call.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://bowwow4.serve...om/cab/Live.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\ePOAgent\naimas32.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:17:24 AM, 6/18/2005
+ Report-Checksum: 50813627
+ Date of database: 6/18/2005
+ Version of scan engine: v3.0
+ Duration: 376 min
+ Scanned Files: 120535
+ Speed: 5.34 Files/Second
+ Infected files: 39
+ Removed files: 39
+ Files put in quarantine: 39
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\WINNT\bsx32\XTFL2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\ADVC3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\INK1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\BID1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\CARD2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\bsx32\EML1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\uninstIU.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\Documents and Settings\cgregory\My Documents\My Webs\Password Tool\Passtool3\bvq.exe -> TrojanDownloader.INService.cx -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@mywebsearch[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@mywebsearch[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@fastclick[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@mediaplex[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@doubleclick[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@atdmt[1].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@fastclick[2].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/cgregory/Cookies/[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\cgregory@atdmt[2].txt.dat/Documents and Settings/cgregory/Cookies/cgregory@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP507\A0067286.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP507\A0067289.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP508\A0067396.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP508\A0067399.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP494\A0066165.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP494\A0066168.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP496\A0066191.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP496\A0066192.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP496\A0066193.exe -> Spyware.SaveNow.t -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP500\A0066223.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP500\A0066226.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP503\A0066275.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP503\A0066278.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067760.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067795.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067798.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067800.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP510\A0067811.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP504\A0066289.exe -> Trojan.P2E.br -> Cleaned with backup
C:\System Volume Information\_restore{E79A0D73-272D-4969-926E-B19357ACA915}\RP504\A0066292.exe -> Trojan.P2E.br -> Cleaned with backup
::Report End
PLEASE HELP!!!! I NEED TO GET RID OF THIS! I also need to figure out how to prevent it from happening again.
Thanks!