
SpySheriff... again... [RESOLVED]


  • This topic is locked

#1 Inaaca (New Member)
Okay... I tried to avoid bothering all of you with another SpySheriff thread, but I can't seem to avoid it, so here I go.

First of all, before we go any further, I followed bananafanafo's first instructional post in this thread exactly as specified: http://www.geekstogo...iff-t35340.html
This method worked beautifully, and I celebrated in that I finally managed to remove the accursed SpySheriff once and for all.

A few hours later SpySheriff pops up again and once again hijacks my desktop. I immediately repeated the last few steps in bananafanafo's instructions, which again succeeded in removing it. However, SpySheriff still returned within a few hours.

Somehow, SpySheriff is still coming back even after removing it this way. I haven't tried removing it again, so SpySheriff currently has my desktop hijacked.

Right, well, I hope I can find a solution here. Here is my HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 6:05:14 AM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\NewMixer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Sean\spyprogs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4guys-1dragoon.cjb.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4guys-1dragoon.cjb.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/"); (C:\Documents and Settings\Sean\Application Data\Mozilla\Profiles\default\tnu6gl7s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sean\Application Data\Mozilla\Profiles\default\tnu6gl7s.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F18380B-7084-A3F3-6F0C-CDBA4623DFFD} - C:\WINDOWS\system32\byimsxze.dll (file missing)
O2 - BHO: (no name) - {B3D23BDA-B860-08D0-259C-1AF798FB560D} - C:\WINDOWS\system32\hkyctmqu.dll (file missing)
O2 - BHO: (no name) - {D5A8E1ED-8881-741C-1357-0371FB23BBD8} - C:\WINDOWS\system32\yfjcvclu.dll (file missing)
O2 - BHO: (no name) - {E4C21D2E-D0C2-9F6D-9809-DBC81C8D2AE1} - C:\WINDOWS\system32\fdu.dll (file missing)
O4 - HKLM\..\Run: [C-Media Mixer] C:\WINDOWS\NewMixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101450551918
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: emxkzkwjchzr (kyrvmavq6) - Unknown owner - C:\WINDOWS\system32\ufsbotxd6.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
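A triage script for HijackThis v1.99.1-style logs like the one posted above, written here as an added example (it is not part of the original post and not HijackThis code): it parses the O2, O4 and O23 lines and flags the patterns a helper looks at first, such as unnamed BHOs, autorun entries that sit at the drive root or name the rogue, and services with an unknown owner whose binary is missing. The short sample log, the watchlist (the two names this thread itself ties to the infection) and the severity labels are constructed for the example.

```python
"""Triage of HijackThis v1.99.1 style logs (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F18380B-7084-A3F3-6F0C-CDBA4623DFFD} - C:\WINDOWS\system32\byimsxze.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: emxkzkwjchzr (kyrvmavq6) - Unknown owner - C:\WINDOWS\system32\ufsbotxd6.exe (file missing)
"""

# Section prefix such as "O4", then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 autorun entry: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 browser helper object: BHO: name - {CLSID} - path
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O23 service: Service: display name (short name) - owner - path
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

FILE_MISSING = "(file missing)"
# Constructed watchlist: the names this thread itself ties to the infection.
WATCHLIST = ("spysheriff", "winstall")


@dataclass
class Finding:
    section: str
    severity: str  # "high" or "medium" (heuristic labels chosen for this example)
    reason: str
    line: str


def image_path(cmd: str) -> str:
    """Return the executable path from an O4 command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)", cmd)  # unquoted paths may still contain spaces
    return m.group(1) if m else cmd.split(" ")[0]


def assess(line: str) -> list[Finding]:
    """Apply the triage rules to one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    out: list[Finding] = []
    if sec == "O2" and (b := BHO_RE.match(body)):
        if b.group("name") == "(no name)":
            if FILE_MISSING in b.group("path"):
                out.append(Finding(sec, "medium", "unnamed BHO whose DLL is gone (orphaned registration)", line))
            else:
                out.append(Finding(sec, "high", "unnamed BHO with its DLL still present", line))
    elif sec == "O4" and (r := RUN_RE.match(body)):
        img = image_path(r.group("cmd"))
        haystack = (img + " " + r.group("name")).lower()
        if any(w in haystack for w in WATCHLIST):
            out.append(Finding(sec, "high", "autorun names a watchlisted program", line))
        if re.match(r"(?i)^[a-z]:\\[^\\]+$", img):
            out.append(Finding(sec, "high", "autorun image sits at the drive root", line))
    elif sec == "O23" and (s := SVC_RE.match(body)):
        if s.group("owner") == "Unknown owner":
            if FILE_MISSING in s.group("path"):
                out.append(Finding(sec, "high", "service with unknown owner and missing binary", line))
            else:
                out.append(Finding(sec, "medium", "service with unknown owner", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run assess() over every line of a log and collect the findings."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(assess(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample it reports the orphaned unnamed BHO as medium and the winstall.exe autorun, the SpySheriff autorun and the unknown-owner service as high; legitimate entries such as the ATI and iPod lines produce nothing.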


#2 Inaaca (Topic Starter)
Wow... this got pushed to the 10th page pretty quick.

Anyway, I wanted to bring up another matter about Ewido, since I'll likely be asked to use it again. After I finished getting rid of SpySheriff the first time, my computer started experiencing severe slowdown issues. I found that the problem was coming from Ewido, and uninstalling the program resolved the issue. I think maybe it was conflicting with something.

If I need to use this program again, how could I avoid this slowdown? If I don't need to use it, then I suppose you can simply disregard this post.

#3 Inaaca (Topic Starter)
While waiting for a response here, I've been working at this problem myself. I've made a few discoveries, so I thought I'd note them here.

To my delight, when Ad-Aware SE made its most recent auto-update, it started catching a bunch of SpywareNo/SpySheriff-related files that it never caught before. I proceeded to run it in safe mode along with all my other anti-spyware software to try and catch anything I could (Ad-Aware SE, Spybot - Search & Destroy, Microsoft AntiSpyware, CounterSpy, TDS-3, CWShredder, and CleanUp!; I didn't scan with Ewido for the reasons I described in the above post). Ad-Aware SE caught a bunch of stuff, and CounterSpy (http://www.sunbelt-software.com/) caught another SpySheriff-related file.

When I booted back up into normal mode (disconnected from the internet), SpySheriff was no longer in the Add/Remove Programs list, nor was it in the Program Files directory. I ran HijackThis, however, and it did detect a running SpySheriff application, which I quickly had it fix. I added in the registry file to fix my desktop, rebooted, and deleted the contents of the Prefetch folder as well.

This seemed to solve the problem, but I decided to hold off celebrations until after reconnecting my internet for a while, since last time it took several hours before I found it reappearing again. Sure enough, it came back several hours later, same as always. This is really getting very disheartening... So even though Ad-Aware is catching things, it doesn't seem to help my situation of SpySheriff returning later anyway.

I'm going to post Ad-Aware's log here from a quick scan I did in normal mode when SpySheriff returned. Maybe it will help. Note that I have not taken action on this scan, though, since it doesn't seem to be doing a lot of good. I hope perhaps you can come up with a solution.

Hmm, I scanned with CounterSpy also after I did the Ad-Aware scan, since it had caught stuff before. It caught a lot of SpySheriff stuff, including some that Ad-Aware probably missed. It also caught a few things relating to winstall. I'd like to show you these results as well, but I can't figure out how to get a log of CounterSpy's results...

Also, if I need to show you a more recent HijackThis log, just let me know.

In any case, here's the Ad-Aware SE scan log:


Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, June 25, 2005 1:12:05 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):7 total references
Other(TAC index:5):1 total references
SpywareNo(TAC index:7):41 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6-25-2005 1:12:05 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 472
ThreadCreationTime : 6-25-2005 6:09:05 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 6-25-2005 6:09:09 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 6-25-2005 6:09:11 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 592
ThreadCreationTime : 6-25-2005 6:09:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 6-25-2005 6:09:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 792
ThreadCreationTime : 6-25-2005 6:09:16 AM
BasePriority : Normal
FileVersion : 6.14.10.4116
ProductVersion : 6.14.10.4116
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 812
ThreadCreationTime : 6-25-2005 6:09:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 868
ThreadCreationTime : 6-25-2005 6:09:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 928
ThreadCreationTime : 6-25-2005 6:09:17 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 952
ThreadCreationTime : 6-25-2005 6:09:17 AM
BasePriority : Normal
FileVersion : 4, 1, 5, 10
ProductVersion : 4, 1, 5, 10
ProductName : Ahead Software AG incdsrv
CompanyName : Ahead Software AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : incdsrv.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1088
ThreadCreationTime : 6-25-2005 6:09:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1164
ThreadCreationTime : 6-25-2005 6:09:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1280
ThreadCreationTime : 6-25-2005 6:09:22 AM
BasePriority : Normal
FileVersion : 6.14.10.4116
ProductVersion : 6.14.10.4116
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1348
ThreadCreationTime : 6-25-2005 6:09:22 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:15 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1428
ThreadCreationTime : 6-25-2005 6:09:24 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:16 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1584
ThreadCreationTime : 6-25-2005 6:09:24 AM
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:17 [pcctlcom.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 1624
ThreadCreationTime : 6-25-2005 6:09:26 AM
BasePriority : Normal
FileVersion : 12.10.0.1034
ProductVersion : 12.10.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Incorporated.
FileDescription : PcCtlCom Module
InternalName : PcCtlCom
LegalCopyright : Copyright © 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : PcCtlCom.EXE

#:18 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1756
ThreadCreationTime : 6-25-2005 6:09:28 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:19 [tmntsrv.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 1776
ThreadCreationTime : 6-25-2005 6:09:28 AM
BasePriority : Normal
FileVersion : 12.10.0.1034
ProductVersion : 12.10.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Incorporated.
FileDescription : Tmntsrv
InternalName : Tmntsrv
LegalCopyright : Copyright © 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : Tmntsrv.exe

#:20 [tmproxy.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 1928
ThreadCreationTime : 6-25-2005 6:09:30 AM
BasePriority : Normal
FileVersion : 1.0.0.1125
ProductVersion : 1.0.0
ProductName : Trend Micro Network Security Components 1.0
CompanyName : Trend Micro Inc.
FileDescription : TmProxy.exe
InternalName : TmProxy.exe
LegalCopyright : Copyright © 2001-2004 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Inc.
OriginalFilename : TmProxy.exe

#:21 [newmixer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2028
ThreadCreationTime : 6-25-2005 6:09:32 AM
BasePriority : Normal
FileVersion : 1.55
ProductVersion : 1.55
ProductName : Mixer
CompanyName : C-Media Electronic Inc. (www.cmedia.com.tw)
FileDescription : Mixer
InternalName : Mixer
LegalCopyright : Copyright © 1997-2002
LegalTrademarks : NONE
OriginalFilename : Mixer.EXE
Comments : Feng Min-Chih ([email protected])

#:22 [atiptaxx.exe]
FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
ProcessID : 2036
ThreadCreationTime : 6-25-2005 6:09:33 AM
BasePriority : Normal
FileVersion : 6.14.10.5155
ProductVersion : 6.14.10.5155
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright © 1998-2005 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:23 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 128
ThreadCreationTime : 6-25-2005 6:09:34 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:24 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 180
ThreadCreationTime : 6-25-2005 6:09:34 AM
BasePriority : Normal
FileVersion : 4, 1, 5, 10
ProductVersion : 4, 1, 5, 10
ProductName : Ahead Software AG InCD
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : InCD.exe

#:25 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 224
ThreadCreationTime : 6-25-2005 6:09:35 AM
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:26 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 264
ThreadCreationTime : 6-25-2005 6:09:36 AM
BasePriority : Normal
FileVersion : 4.7.0.42
ProductVersion : 4.7.0.42
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:27 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_02\bin\
ProcessID : 356
ThreadCreationTime : 6-25-2005 6:09:39 AM
BasePriority : Normal


#:28 [weather.exe]
FilePath : C:\Program Files\Daily Weather Forecast\
ProcessID : 376
ThreadCreationTime : 6-25-2005 6:09:40 AM
BasePriority : Normal


#:29 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 388
ThreadCreationTime : 6-25-2005 6:09:40 AM
BasePriority : Idle
FileVersion : 1.00.0613
ProductVersion : 1.00.0613
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:30 [pccguide.exe]
FilePath : C:\Program Files\Trend Micro\Internet Security 2005\
ProcessID : 400
ThreadCreationTime : 6-25-2005 6:09:41 AM
BasePriority : Normal
FileVersion : 12.10.0.1014
ProductVersion : 12.10.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Incorporated.
FileDescription : PCCGuide
InternalName : PCCGuide
LegalCopyright : Copyright © 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : PCCGuide

#:31 [winampa.exe]
FilePath : C:\Program Files\Winamp\
ProcessID : 416
ThreadCreationTime : 6-25-2005 6:09:41 AM
BasePriority : Normal


#:32 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 464
ThreadCreationTime : 6-25-2005 6:09:43 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:33 [steam.exe]
FilePath : C:\Program Files\Valve\Steam\
ProcessID : 508
ThreadCreationTime : 6-25-2005 6:09:45 AM
BasePriority : Normal
FileVersion : 1.0.0.0
ProductVersion : 1.0.0.0
ProductName : Steam
CompanyName : Valve Corporation
FileDescription : Steam
LegalCopyright : © Copyright 2000-2003 Valve Corporation All rights reserved.
OriginalFilename : Steam.exe

#:34 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 320
ThreadCreationTime : 6-25-2005 6:09:45 AM
BasePriority : Normal
FileVersion : 1.00.0613
ProductVersion : 1.00.0613
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:35 [tmpfw.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 1740
ThreadCreationTime : 6-25-2005 6:10:07 AM
BasePriority : Normal
FileVersion : 2.0.0.1125
ProductVersion : 1.0.0
ProductName : Trend Network Security Component 1.0
CompanyName : Trend Micro Inc.
FileDescription : TmPfw
InternalName : TmPfw
LegalCopyright : Copyright © 2001-2004 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Inc.
OriginalFilename : TmPfw.exe

#:36 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2380
ThreadCreationTime : 6-25-2005 6:10:17 AM
BasePriority : Normal
FileVersion : 4.7.0.42
ProductVersion : 4.7.0.42
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:37 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2476
ThreadCreationTime : 6-25-2005 6:10:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:38 [hpohmr08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2788
ThreadCreationTime : 6-25-2005 6:10:29 AM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOHMR08.EXE
Comments : HP OfficeJet <Homer> Series COM Device Objects

#:39 [hpotdd01.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2812
ThreadCreationTime : 6-25-2005 6:10:30 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:40 [hpoevm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2848
ThreadCreationTime : 6-25-2005 6:10:32 AM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:41 [hpzipm12.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2904
ThreadCreationTime : 6-25-2005 6:10:33 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:42 [hposts08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\
ProcessID : 3440
ThreadCreationTime : 6-25-2005 6:10:46 AM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:43 [winamp.exe]
FilePath : C:\Program Files\Winamp\
ProcessID : 3972
ThreadCreationTime : 6-25-2005 8:00:14 AM
BasePriority : Normal
FileVersion : 5.093
ProductVersion : 5.093
ProductName : Winamp
CompanyName : Nullsoft
FileDescription : Winamp
InternalName : WINAMP
LegalCopyright : Copyright © 1997-2005, Nullsoft, Inc.
LegalTrademarks : Nullsoft and Winamp are trademarks of Nullsoft, Inc.
OriginalFilename : Winamp.exe
Comments : Visit http://www.winamp.com/ for updates.

#:44 [pol.exe]
FilePath : C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\
ProcessID : 1456
ThreadCreationTime : 6-25-2005 8:04:39 AM
BasePriority : Normal
FileVersion : 1.15.02
ProductVersion : 1.14.00
ProductName : PlayOnline Viewer
CompanyName : SQUARE ENIX CO., LTD.
FileDescription : PlayOnline Viewer
InternalName : PlayOnline Viewer
LegalCopyright : Copyright © 2002-2005 SQUARE ENIX CO., LTD.
LegalTrademarks : PlayOnline Viewer
OriginalFilename : pol.exe
Comments : Provides integrated entertainment and network service, complete with online games and communication tools.

#:45 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 1620
ThreadCreationTime : 6-25-2005 8:08:30 AM
BasePriority : Normal


#:46 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1788
ThreadCreationTime : 6-25-2005 8:11:50 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : PlaySounds

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : ScheduledScan

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : ScheduledScanHour

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : ScheduledScanMin

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : SecurityLevel

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : Uninstall

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : Security

SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
Value : DisplayName

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
Value : URLInfoAbout

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
Value : HelpLink

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
Value : UninstallString

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 13


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13

Disk Scan Result for C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13

Disk Scan Result for C:\DOCUME~1\Sean\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 13



MRU List Object Recognized!
Location: : C:\Documents and Settings\Sean\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-725345543-1677128483-1060284298-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-725345543-1677128483-1060284298-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-725345543-1677128483-1060284298-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\sno

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\general
Value : WallpaperLocalFileTime

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : control panel\desktop
Value : WallpaperStyle

SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\desktop\general
Value : WallpaperFileTime

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoAddingComponents
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoChangingWallpaper
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoComponents
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoEditingComponents
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoHTMLWallPaper
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\explorer
Value : ClassicShell
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 1
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\explorer
Value : ForceActiveDesktopOn
Data : 1

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\explorer
Value : NoActiveDesktop
Data : 0

SpywareNo Object Recognized!
Type : Folder
TAC Rating : 7
Category : Misc
Comment : SpywareNo
Object : C:\Documents and Settings\Sean\Start Menu\Programs\SpySheriff

SpywareNo Object Recognized!
Type : Folder
TAC Rating : 7
Category : Misc
Comment : SpywareNo
Object : C:\Program Files\SpySheriff

SpywareNo Object Recognized!
Type : File
Data : Install.dat
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Documents and Settings\Sean\Application Data\



SpywareNo Object Recognized!
Type : File
Data : SpySheriff.lnk
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Documents and Settings\Sean\Start Menu\Programs\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : found.wav
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : IESecurity.dll
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : SpySheriff
CompanyName : SpySheriff
FileDescription : IE Security Module
InternalName : IE Security
LegalCopyright : Copyright 2005 SpySheriff
OriginalFilename : IESecurity.dll


SpywareNo Object Recognized!
Type : File
Data : notfound.wav
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : ProcMon.dll
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : removed.wav
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : SpySheriff.dvm
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : SpySheriff.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : SpySheriff_1.dat
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : SpySheriff_2.dat
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : Uninstall.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\



SpywareNo Object Recognized!
Type : File
Data : desktop.html
TAC Rating : 7
Category : Misc
Comment :
Object : C:\WINDOWS\



SpywareNo Object Recognized!
Type : File
Data : SpySheriff.lnk
TAC Rating : 7
Category : Misc
Comment : Shortcut to bad file : C:\Documents and Settings\Sean\Start Menu\Programs\SpySheriff\SpySheriff.lnk
Object : C:\Documents and Settings\Sean\Start Menu\Programs\SpySheriff\



Other Object Recognized!
Type : File
Data : SPYSHERIFF.EXE-06C9BFD9.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 29
Objects found so far: 49

1:14:24 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:19.401
Objects scanned:67154
Objects identified:43
Objects ignored:0
New critical objects:43

Edited by Inaaca, 25 June 2005 - 03:04 AM.


#4
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Inaaca and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log; the helpers here are very busy.
If you still need help, please post a fresh Hijack log so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal

#5
Inaaca

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you for your reply. I shut down most of the programs running in my start bar before the scan this time around.

Here it is:


Logfile of HijackThis v1.99.1
Scan saved at 10:35:40 AM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Sean\spyprogs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4guys-1dragoon.cjb.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4guys-1dragoon.cjb.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/"); (C:\Documents and Settings\Sean\Application Data\Mozilla\Profiles\default\tnu6gl7s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sean\Application Data\Mozilla\Profiles\default\tnu6gl7s.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F18380B-7084-A3F3-6F0C-CDBA4623DFFD} - C:\WINDOWS\system32\byimsxze.dll (file missing)
O2 - BHO: (no name) - {B3D23BDA-B860-08D0-259C-1AF798FB560D} - C:\WINDOWS\system32\hkyctmqu.dll (file missing)
O2 - BHO: (no name) - {D5A8E1ED-8881-741C-1357-0371FB23BBD8} - C:\WINDOWS\system32\yfjcvclu.dll (file missing)
O2 - BHO: (no name) - {E4C21D2E-D0C2-9F6D-9809-DBC81C8D2AE1} - C:\WINDOWS\system32\fdu.dll (file missing)
O4 - HKLM\..\Run: [C-Media Mixer] C:\WINDOWS\NewMixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101450551918
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: emxkzkwjchzr (kyrvmavq6) - Unknown owner - C:\WINDOWS\system32\ufsbotxd6.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

#6
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Inaaca and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

I know you are having problems with Ewido slowing your computer down :tazz:, but please use it for this fix; then you may uninstall it, sorry.

Please go here and upload

C:\Windows\System32\wininet.dll

then please post the results in your next reply.



THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HiJackThis and place a checkmark next to each of the following items:
===================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4guys-1dragoon.cjb.net/ <=====If you want this as your start page, do not check it off
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4guys-1dragoon.cjb.net/ <=====If you want this as your start page, do not check it off
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2F18380B-7084-A3F3-6F0C-CDBA4623DFFD} - C:\WINDOWS\system32\byimsxze.dll (file missing)
O2 - BHO: (no name) - {B3D23BDA-B860-08D0-259C-1AF798FB560D} - C:\WINDOWS\system32\hkyctmqu.dll (file missing)
O2 - BHO: (no name) - {D5A8E1ED-8881-741C-1357-0371FB23BBD8} - C:\WINDOWS\system32\yfjcvclu.dll (file missing)
O2 - BHO: (no name) - {E4C21D2E-D0C2-9F6D-9809-DBC81C8D2AE1} - C:\WINDOWS\system32\fdu.dll (file missing)
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O23 - Service: emxkzkwjchzr (kyrvmavq6) - Unknown owner - C:\WINDOWS\system32\ufsbotxd6.exe (file missing)


Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Daily Weather Forecast
PSGuard
SpySheriff


Go to Start->Run and type in services.msc and hit OK. Then look for emxkzkwjchzr (kyrvmavq6) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Please remove the following folders using Windows Explorer (if present):

C:\Program Files\Daily Weather Forecast
C:\Program Files\PSGuard


Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\byimsxze.dll
C:\WINDOWS\system32\hkyctmqu.dll
C:\WINDOWS\system32\yfjcvclu.dll
C:\WINDOWS\system32\fdu.dll
C:\WINDOWS\system32\ufsbotxd6.exe

===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.

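The checks Excal applies when he marks lines in the HijackThis log above (O2 BHOs whose DLL is missing, an O23 service with an unknown owner and no binary on disk, O4 autorun entries for the programs the fix names as rogue, the missing default URLSearchHook) can be written down as a small triage script. This is an added example, not part of the thread and not HijackThis's own code; the sample log lines are constructed, modelled on the logs posted in this thread, and the rogue-program list is taken from the fix post.

```python
"""Triage a HijackThis 1.99 log the way a helper reads it.

Added example for this thread: it is not part of the thread and not
HijackThis's own code. The sample log below is constructed, modelled on
the logs posted here, and the rogue-program names come from the fix post.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Programs the fix post tells the user to remove (rogue anti-spyware / adware).
ROGUE_NAMES = ("spysheriff", "psguard", "daily weather forecast")

# Every HijackThis entry starts with a section code such as R0, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str    # HijackThis section code
    reason: str  # why a helper would check this line
    line: str    # the original log line


def classify(code: str, body: str) -> str:
    """Return a reason string if the entry deserves a checkmark, else ''."""
    lower = body.lower()
    if code == "O2" and ("(file missing)" in lower or "(no file)" in lower):
        return "BHO registered but its DLL is absent; leftover or hidden loader"
    if code == "O23" and "unknown owner" in lower and "(file missing)" in lower:
        return "service with no vendor whose binary is gone; typical dropper residue"
    if code == "O4" and any(name in lower for name in ROGUE_NAMES):
        return "autorun entry for a program the fix names as rogue"
    if code == "R3" and "missing" in lower:
        return "default URLSearchHook removed; hijackers often do this"
    return ""


def triage(log_text: str) -> List[Finding]:
    """Scan a whole log and return the entries a helper would flag, in order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, the process list, blanks
        code, body = m.group("code"), m.group("body")
        reason = classify(code, body)
        if reason:
            findings.append(Finding(code, reason, raw.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged entries per section code."""
    return dict(Counter(f.code for f in findings))


# Constructed sample log, modelled on the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F18380B-7084-A3F3-6F0C-CDBA4623DFFD} - C:\WINDOWS\system32\byimsxze.dll (file missing)
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O23 - Service: emxkzkwjchzr (kyrvmavq6) - Unknown owner - C:\WINDOWS\system32\ufsbotxd6.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n      {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed log it flags five entries (the missing URLSearchHook, the orphaned BHO, the PSGuard and SpySheriff autoruns, and the ownerless service) and leaves the Adobe BHO, ctfmon and the HP service alone, which is the same set Excal checks off in the post above. The heuristics are deliberately narrow: a real helper still reads every line, since an entry with a plausible vendor string and an existing file can be just as bad.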
#7
Inaaca

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Okay, I followed all of the instructions as closely as possible. Just as a side note, the homepage URL is an intentional setting. The Ad-Aware SE and Ewido scans came up with very little, but maybe that's a good sign, heh... Anyways, let me know how I'm doing. If SpySheriff ends up popping up again, I'll be sure to let you know...

Alright, here are the logs:


Jotti's Malware Scan:

Scanner results

AntiVir
Found nothing

ArcaVir
Found nothing

Avast
Found nothing

AVG Antivirus
Found nothing

BitDefender
Found nothing

ClamAV
Found nothing

Dr.Web
Found nothing

F-Prot Antivirus
Found nothing

Fortinet
Found nothing

Kaspersky Anti-Virus
Found nothing

NOD32
Found nothing

Norman Virus Control
Found nothing

VBA32
Found nothing


Ewido Security Suite:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:38:14 PM, 6/26/2005
+ Report-Checksum: A79E2A7E

+ Date of database: 6/26/2005
+ Version of scan engine: v3.0

+ Duration: 109 min
+ Scanned Files: 154452
+ Speed: 23.61 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
E:\

+ Scan result:
No infected files found!


::Report End


Panda Activescan:


Incident Status Location

Adware:Adware/nCase No disinfected C:\WINDOWS\system32\FLEOK

Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\stwsi

Adware:Adware/BlazeFind No disinfected Windows Registry

Adware:Adware/Midaddle No disinfected C:\WINDOWS\system32\preuninstall.exe

Adware:Adware/Comedy-Planet No disinfected Windows Registry

Adware:Adware/PsGuard No disinfected C:\Documents and Settings\Sean\Application Data\PSGuard.com

Spyware:Spyware/TVMedia No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EEE54BC6-1B79-48E4-BC8C-7F4632\E574BB86-16A8-46AA-87F1-27B80A

Spyware:Spyware/ISTbar No disinfected C:\Sean\mirror_plugin.exe

Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\$NtUninstallKB883939$\wininet.dll

Adware:Adware/Midaddle No disinfected C:\WINDOWS\system32\PreUninstall.exe

Adware:Adware/nCase No disinfected C:\WINDOWS\system32\saie_gdf.dat

Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 5:59:12 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\NewMixer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Sean\spyprogs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4guys-1dragoon.cjb.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.4guys-1dragoon.cjb.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/"); (C:\Documents and Settings\Sean\Application Data\Mozilla\Profiles\default\tnu6gl7s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sean\Application Data\Mozilla\Profiles\default\tnu6gl7s.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F18380B-7084-A3F3-6F0C-CDBA4623DFFD} - (no file)
O2 - BHO: (no name) - {B3D23BDA-B860-08D0-259C-1AF798FB560D} - (no file)
O2 - BHO: (no name) - {D5A8E1ED-8881-741C-1357-0371FB23BBD8} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] C:\WINDOWS\NewMixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101450551918
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

Edited by Inaaca, 26 June 2005 - 07:30 PM.

  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Inaaca,


Please remove the following folders using Windows Explorer (if present):

C:\WINDOWS\system32\FLEOK
C:\WINDOWS\stwsi



1. Close all browsers, windows and unneeded programs.

2. Open HiJack and do a scan.

3. Put a Check next to the following items:

O2 - BHO: (no name) - {2F18380B-7084-A3F3-6F0C-CDBA4623DFFD} - (no file)
O2 - BHO: (no name) - {B3D23BDA-B860-08D0-259C-1AF798FB560D} - (no file)
O2 - BHO: (no name) - {D5A8E1ED-8881-741C-1357-0371FB23BBD8} - (no file)


4. Click the Fix Checked box.




Just a few random bad files to clean up.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\Sean\mirror_plugin.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".

    Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.

C:\WINDOWS\system32\preuninstall.exe
C:\Documents and Settings\Sean\Application Data\PSGuard.com
C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
C:\WINDOWS\system32\PreUninstall.exe
C:\WINDOWS\system32\saie_gdf.dat
C:\WINDOWS\system32\Shex.exe


Reboot

Post back when you finish and tell me how your computer is running :tazz:
  • 0
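For anyone reading this later who wants to understand why those three O2 lines were singled out: a BHO registration that ends in "(no file)" is a dangling registry reference left behind after the DLL it pointed at was removed, so fixing it only deletes the registry entry and is always safe. The short script below is an added example, not Excal's or Inaaca's, and not part of HijackThis itself. It parses HijackThis-style O2/O9/O23 lines, returns the "(no file)" entries as a list to tick before pressing "Fix checked", and separately marks O23 services with no vendor information for a human look. The sample log is constructed for the example: the O2, O9 and O23 lines are copied from this thread, and the "Example Helper" BHO line (name, CLSID and path) is made up so the filter has a legitimate entry to leave alone.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log, not the thread's full log: the O2 "(no file)" lines and
# the O9/O23 lines are copied from the thread; the "Example Helper" BHO line is
# hypothetical (made-up name, CLSID and path) so the filter has something to keep.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2F18380B-7084-A3F3-6F0C-CDBA4623DFFD} - (no file)
O2 - BHO: (no name) - {B3D23BDA-B860-08D0-259C-1AF798FB560D} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
"""

# "O2 - BHO: <name> - {CLSID} - <path>"; O9 buttons/menu items share the shape.
CLSID_ENTRY = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# "O23 - Service: <display name> - <owner> - <path>"
SERVICE_ENTRY = re.compile(r"^O23 - Service: (?P<rest>.*)$")


@dataclass
class Finding:
    line: str      # the HJT line exactly as it appears in the log
    verdict: str   # "fix" (safe to remove) or "review" (needs a human look)
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and classify the entries worth acting on."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        m = CLSID_ENTRY.match(line)
        if m:
            # A CLSID registration whose file is gone is a dangling reference,
            # the usual leftover once malware files have been deleted. Fixing it
            # removes only the registry entry, so it is safe to tick.
            if m.group("target") == "(no file)":
                findings.append(Finding(
                    line, "fix",
                    f"{m.group('section')} entry points at a missing file"))
            continue
        m = SERVICE_ENTRY.match(line)
        if m:
            parts = m.group("rest").rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                # Missing vendor data is not proof of malware (the ATI Smart
                # service in this thread is legitimate); it only earns a look.
                findings.append(Finding(
                    line, "review",
                    "service binary carries no vendor information"))
    return findings


def fix_list(log_text: str) -> List[str]:
    """Lines to put a check next to in HijackThis before 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:6}] {f.reason}\n         {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; only the "fix" verdicts are meant to be acted on without further thought, the "review" ones are a prompt to look the binary up, as the helper did here.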

#9
Inaaca

Inaaca

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Okay, I haven't yet finished the entire step process, but I have a question before I continue.

One of the files you wanted me to get rid of through HijackThis delete on startup:

C:\Documents and Settings\Sean\Application Data\PSGuard.com

is a folder with several subdirectories. I can't seem to select it to be deleted, instead it simply opens the folder. Should I delete it manually?
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Yes please delete it.

C:\Documents and Settings\Sean\Application Data\PSGuard.com


Thanks,

:tazz:

Excal
  • 0

#11
Inaaca

Inaaca

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Well, my desktop is running normally again and everything seems to be running fine. However, I half expect it to come back, though I hope it doesn't.. >.<

So, these steps should fix it for good this time? Is there anything else I should do?

Thank you very much for your assistance. :tazz:
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Inaaca,

No, it won't come back, unless you get reinfected somewhere :tazz:

But here are some things that can help

Great job, it appears your computer is clean ;)

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE

Spybot S&D


If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast


The following free programs are great for prevention:

SpywareBlaster 3.4

Spywareguard

IE/Spyad


A Firewall is a must! Here are 3 good free versions:

Sygate

Kerio

ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox

Opera

This site is a great source for tightening up security on Internet Explorer settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well. Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.
  • 0

#13
Inaaca

Inaaca

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you very much! Your help is greatly appreciated. :tazz:

I'll let you know if anything else occurs. Thanks again! ;)
  • 0

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0