While waiting for a response here, I've been working at this problem myself. I've made a few discoveries, so I thought I'd note them here.
To my delight, when Ad-Aware SE made it's most recent auto-update, it started catching a bunch of SpywareNo/SpySherriff related files that it never caught before. I proceeded to run it in safe mode along with all my other anti-spyware software to try and catch anything I could. (Ad-Aware SE, Spybot-Search and Destroy, Microsoft Antispyware, CounterSpy, TDS-3, CWShredder, and CleanUp! I didn't scan with Ewido due to reasons I described in the above post.) Ad-Aware SE caught a bunch of stuff, and CounterSpy (
http://www.sunbelt-software.com/) caught another SpySherriff related file.
When I booted back up into normal mode (disconnected from the internet), SpySherriff was no longer in the add/remove programs list, nor was it in the Program Files directory. I ran HijackThis, however, and it did detect a running SpySherriff application.. which I quickly had it fix. I added in the registry file to fix my desktop, rebooted and deleted the contents of the Prefetch folder as well.
This seemed to solve the problem, but I decided to hold off celebrations after reconnecting my internet for a while, since last time it took several hours before I found it reappearing again. Sure enough, it came back several hours later, same as always.. This is really getting very disheartening... So even though Ad-Aware is catching things, it doesn't seem to help my situation of SpySherriff returning later anyways..
I'm going to post Ad-Aware's log here from a quick scan I did in normal mode when SpySherriff returned. Maybe it will help. Note that I have not taken action on this scan though, since it doesn't seem to be doing a lot of good. I hope perhaps you can come up with a solution.
Hmm.. I scanned with CounterSpy also after I did the Ad-Aware scan since it had caught stuff before. It caught a lot of SpySherriff stuff, including some that Ad-Aware probably missed. It also a caught a few things relating to winstall. I'd like to show you these results as well, but I can't figure out how to get a log of CounterSpy's results...
Also, if I need to show you a more recent HijackThis log, just let me know.
In any case, here's the Ad-Aware SE scan log:
Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, June 25, 2005 1:12:05 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):7 total references
Other(TAC index:5):1 total references
SpywareNo(TAC index:7):41 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
6-25-2005 1:12:05 AM - Scan started. (Smart mode)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 472
ThreadCreationTime : 6-25-2005 6:09:05 AM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 6-25-2005 6:09:09 AM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 6-25-2005 6:09:11 AM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 592
ThreadCreationTime : 6-25-2005 6:09:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 6-25-2005 6:09:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 792
ThreadCreationTime : 6-25-2005 6:09:16 AM
BasePriority : Normal
FileVersion : 6.14.10.4116
ProductVersion : 6.14.10.4116
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 812
ThreadCreationTime : 6-25-2005 6:09:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 868
ThreadCreationTime : 6-25-2005 6:09:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 928
ThreadCreationTime : 6-25-2005 6:09:17 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 952
ThreadCreationTime : 6-25-2005 6:09:17 AM
BasePriority : Normal
FileVersion : 4, 1, 5, 10
ProductVersion : 4, 1, 5, 10
ProductName : Ahead Software AG incdsrv
CompanyName : Ahead Software AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : incdsrv.exe
#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1088
ThreadCreationTime : 6-25-2005 6:09:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1164
ThreadCreationTime : 6-25-2005 6:09:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:13 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1280
ThreadCreationTime : 6-25-2005 6:09:22 AM
BasePriority : Normal
FileVersion : 6.14.10.4116
ProductVersion : 6.14.10.4116
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE
#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1348
ThreadCreationTime : 6-25-2005 6:09:22 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:15 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1428
ThreadCreationTime : 6-25-2005 6:09:24 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:16 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1584
ThreadCreationTime : 6-25-2005 6:09:24 AM
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe
#:17 [pcctlcom.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 1624
ThreadCreationTime : 6-25-2005 6:09:26 AM
BasePriority : Normal
FileVersion : 12.10.0.1034
ProductVersion : 12.10.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Incorporated.
FileDescription : PcCtlCom Module
InternalName : PcCtlCom
LegalCopyright : Copyright © 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : PcCtlCom.EXE
#:18 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1756
ThreadCreationTime : 6-25-2005 6:09:28 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:19 [tmntsrv.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 1776
ThreadCreationTime : 6-25-2005 6:09:28 AM
BasePriority : Normal
FileVersion : 12.10.0.1034
ProductVersion : 12.10.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Incorporated.
FileDescription : Tmntsrv
InternalName : Tmntsrv
LegalCopyright : Copyright © 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : Tmntsrv.exe
#:20 [tmproxy.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 1928
ThreadCreationTime : 6-25-2005 6:09:30 AM
BasePriority : Normal
FileVersion : 1.0.0.1125
ProductVersion : 1.0.0
ProductName : Trend Micro Network Security Components 1.0
CompanyName : Trend Micro Inc.
FileDescription : TmProxy.exe
InternalName : TmProxy.exe
LegalCopyright : Copyright © 2001-2004 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Inc.
OriginalFilename : TmProxy.exe
#:21 [newmixer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2028
ThreadCreationTime : 6-25-2005 6:09:32 AM
BasePriority : Normal
FileVersion : 1.55
ProductVersion : 1.55
ProductName : Mixer
CompanyName : C-Media Electronic Inc. (www.cmedia.com.tw)
FileDescription : Mixer
InternalName : Mixer
LegalCopyright : Copyright © 1997-2002
LegalTrademarks : NONE
OriginalFilename : Mixer.EXE
Comments : Feng Min-Chih (
[email protected])
#:22 [atiptaxx.exe]
FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
ProcessID : 2036
ThreadCreationTime : 6-25-2005 6:09:33 AM
BasePriority : Normal
FileVersion : 6.14.10.5155
ProductVersion : 6.14.10.5155
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright © 1998-2005 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe
#:23 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 128
ThreadCreationTime : 6-25-2005 6:09:34 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe
#:24 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 180
ThreadCreationTime : 6-25-2005 6:09:34 AM
BasePriority : Normal
FileVersion : 4, 1, 5, 10
ProductVersion : 4, 1, 5, 10
ProductName : Ahead Software AG InCD
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : InCD.exe
#:25 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 224
ThreadCreationTime : 6-25-2005 6:09:35 AM
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe
#:26 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 264
ThreadCreationTime : 6-25-2005 6:09:36 AM
BasePriority : Normal
FileVersion : 4.7.0.42
ProductVersion : 4.7.0.42
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe
#:27 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_02\bin\
ProcessID : 356
ThreadCreationTime : 6-25-2005 6:09:39 AM
BasePriority : Normal
#:28 [weather.exe]
FilePath : C:\Program Files\Daily Weather Forecast\
ProcessID : 376
ThreadCreationTime : 6-25-2005 6:09:40 AM
BasePriority : Normal
#:29 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 388
ThreadCreationTime : 6-25-2005 6:09:40 AM
BasePriority : Idle
FileVersion : 1.00.0613
ProductVersion : 1.00.0613
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe
#:30 [pccguide.exe]
FilePath : C:\Program Files\Trend Micro\Internet Security 2005\
ProcessID : 400
ThreadCreationTime : 6-25-2005 6:09:41 AM
BasePriority : Normal
FileVersion : 12.10.0.1014
ProductVersion : 12.10.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Incorporated.
FileDescription : PCCGuide
InternalName : PCCGuide
LegalCopyright : Copyright © 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : PCCGuide
#:31 [winampa.exe]
FilePath : C:\Program Files\Winamp\
ProcessID : 416
ThreadCreationTime : 6-25-2005 6:09:41 AM
BasePriority : Normal
#:32 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 464
ThreadCreationTime : 6-25-2005 6:09:43 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
#:33 [steam.exe]
FilePath : C:\Program Files\Valve\Steam\
ProcessID : 508
ThreadCreationTime : 6-25-2005 6:09:45 AM
BasePriority : Normal
FileVersion : 1.0.0.0
ProductVersion : 1.0.0.0
ProductName : Steam
CompanyName : Valve Corporation
FileDescription : Steam
LegalCopyright : © Copyright 2000-2003 Valve Corporation All rights reserved.
OriginalFilename : Steam.exe
#:34 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 320
ThreadCreationTime : 6-25-2005 6:09:45 AM
BasePriority : Normal
FileVersion : 1.00.0613
ProductVersion : 1.00.0613
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe
#:35 [tmpfw.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 1740
ThreadCreationTime : 6-25-2005 6:10:07 AM
BasePriority : Normal
FileVersion : 2.0.0.1125
ProductVersion : 1.0.0
ProductName : Trend Network Security Component 1.0
CompanyName : Trend Micro Inc.
FileDescription : TmPfw
InternalName : TmPfw
LegalCopyright : Copyright © 2001-2004 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Inc.
OriginalFilename : TmPfw.exe
#:36 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2380
ThreadCreationTime : 6-25-2005 6:10:17 AM
BasePriority : Normal
FileVersion : 4.7.0.42
ProductVersion : 4.7.0.42
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe
#:37 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2476
ThreadCreationTime : 6-25-2005 6:10:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:38 [hpohmr08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2788
ThreadCreationTime : 6-25-2005 6:10:29 AM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOHMR08.EXE
Comments : HP OfficeJet <Homer> Series COM Device Objects
#:39 [hpotdd01.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2812
ThreadCreationTime : 6-25-2005 6:10:30 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe
#:40 [hpoevm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2848
ThreadCreationTime : 6-25-2005 6:10:32 AM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager
#:41 [hpzipm12.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2904
ThreadCreationTime : 6-25-2005 6:10:33 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe
#:42 [hposts08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\
ProcessID : 3440
ThreadCreationTime : 6-25-2005 6:10:46 AM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status
#:43 [winamp.exe]
FilePath : C:\Program Files\Winamp\
ProcessID : 3972
ThreadCreationTime : 6-25-2005 8:00:14 AM
BasePriority : Normal
FileVersion : 5.093
ProductVersion : 5.093
ProductName : Winamp
CompanyName : Nullsoft
FileDescription : Winamp
InternalName : WINAMP
LegalCopyright : Copyright © 1997-2005, Nullsoft, Inc.
LegalTrademarks : Nullsoft and Winamp are trademarks of Nullsoft, Inc.
OriginalFilename : Winamp.exe
Comments : Visit
http://www.winamp.com/ for updates.
#:44 [pol.exe]
FilePath : C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\
ProcessID : 1456
ThreadCreationTime : 6-25-2005 8:04:39 AM
BasePriority : Normal
FileVersion : 1.15.02
ProductVersion : 1.14.00
ProductName : PlayOnline Viewer
CompanyName : SQUARE ENIX CO., LTD.
FileDescription : PlayOnline Viewer
InternalName : PlayOnline Viewer
LegalCopyright : Copyright © 2002-2005 SQUARE ENIX CO., LTD.
LegalTrademarks : PlayOnline Viewer
OriginalFilename : pol.exe
Comments : Provides integrated entertainment and network service, complete with online games and communication tools.
#:45 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 1620
ThreadCreationTime : 6-25-2005 8:08:30 AM
BasePriority : Normal
#:46 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1788
ThreadCreationTime : 6-25-2005 8:11:50 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : PlaySounds
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : ScheduledScan
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : ScheduledScanHour
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : ScheduledScanMin
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : SecurityLevel
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : Uninstall
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1677128483-1060284298-1003\software\spysheriff
Value : Security
SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
Value : DisplayName
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
Value : URLInfoAbout
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
Value : HelpLink
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\spysheriff
Value : UninstallString
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 13
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13
Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13
Disk Scan Result for C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13
Disk Scan Result for C:\DOCUME~1\Sean\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 13
MRU List Object Recognized!
Location: : C:\Documents and Settings\Sean\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-725345543-1677128483-1060284298-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput
MRU List Object Recognized!
Location: : S-1-5-21-725345543-1677128483-1060284298-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput
MRU List Object Recognized!
Location: : S-1-5-21-725345543-1677128483-1060284298-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\sno
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\general
Value : WallpaperLocalFileTime
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : control panel\desktop
Value : WallpaperStyle
SpywareNo Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\desktop\general
Value : WallpaperFileTime
SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoAddingComponents
Data : 0
SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoChangingWallpaper
Data : 0
SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoComponents
Data : 0
SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoEditingComponents
Data : 0
SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoHTMLWallPaper
Data : 0
SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\explorer
Value : ClassicShell
Data : 0
SpywareNo Object Recognized!
Type : RegData
Data : 1
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\explorer
Value : ForceActiveDesktopOn
Data : 1
SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\explorer
Value : NoActiveDesktop
Data : 0
SpywareNo Object Recognized!
Type : Folder
TAC Rating : 7
Category : Misc
Comment : SpywareNo
Object : C:\Documents and Settings\Sean\Start Menu\Programs\SpySheriff
SpywareNo Object Recognized!
Type : Folder
TAC Rating : 7
Category : Misc
Comment : SpywareNo
Object : C:\Program Files\SpySheriff
SpywareNo Object Recognized!
Type : File
Data : Install.dat
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Documents and Settings\Sean\Application Data\
SpywareNo Object Recognized!
Type : File
Data : SpySheriff.lnk
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Documents and Settings\Sean\Start Menu\Programs\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : found.wav
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : IESecurity.dll
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : SpySheriff
CompanyName : SpySheriff
FileDescription : IE Security Module
InternalName : IE Security
LegalCopyright : Copyright 2005 SpySheriff
OriginalFilename : IESecurity.dll
SpywareNo Object Recognized!
Type : File
Data : notfound.wav
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : ProcMon.dll
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : removed.wav
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : SpySheriff.dvm
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : SpySheriff.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : SpySheriff_1.dat
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : SpySheriff_2.dat
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : Uninstall.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\Program Files\spysheriff\
SpywareNo Object Recognized!
Type : File
Data : desktop.html
TAC Rating : 7
Category : Misc
Comment :
Object : C:\WINDOWS\
SpywareNo Object Recognized!
Type : File
Data : SpySheriff.lnk
TAC Rating : 7
Category : Misc
Comment : Shortcut to bad file : C:\Documents and Settings\Sean\Start Menu\Programs\SpySheriff\SpySheriff.lnk
Object : C:\Documents and Settings\Sean\Start Menu\Programs\SpySheriff\
Other Object Recognized!
Type : File
Data : SPYSHERIFF.EXE-06C9BFD9.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 29
Objects found so far: 49
1:14:24 AM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:19.401
Objects scanned:67154
Objects identified:43
Objects ignored:0
New critical objects:43
Edited by Inaaca, 25 June 2005 - 03:04 AM.