[baltclown]

Hi

Im trying to get rid of Spysheriff.

Ive done all the preliminary advice (Cleanup, Adaware, Spybot, Ewido Security Suite, Panda Activescan) and it seemed like it got rid of it for a little while but its reinstalled itself again.

Here is my most recent HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:58:23 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Ahead\InCD\InCD.exe
F:\Program Files\D-Tools\daemon.exe
F:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Daily Weather Forecast\weather.exe
F:\Program Files\AIM95\aim.exe
F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\Program Files\Semagic\LiveJournalU.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
F:\Program Files\iTunes\iTunes.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Trend Micro\Internet Security\tmproxy.exe
F:\Program Files\Trend Micro\Internet Security\PccPfw.exe
F:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
F:\Program Files\Trend Micro\Internet Security\PCClient.EXE
F:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
F:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijackthis\HijackThis.exe
F:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
F:\WINDOWS\system32\calc.exe

O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioEngineUtility] "F:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "F:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "F:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] F:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PSGuard] F:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: Semagic.lnk = F:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://F:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://F:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - f:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - f:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - F:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\tmproxy.exe

[Advertisements]

Hi baltclown and welcome

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download smitfraud reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.


Download Ad-Aware SE
Check Here on how setup and use it - please make sure you update it first.
Use the: “Check for Updates Now” option and download the latest reference files
Current def files should read *SE1R50 13.06.2005*
(Don't run it yet we will use it later)

Next
Please download CCleaner and install it. Close out the program when it has completed set up (Don't run it yet we will use it later )

Next

Please go to Add/Remove programs and remove the following please

SpySheriff


Next

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PSGuard] F:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe



Next
Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

C:\Windows\Desktop.html
C:\Program Files\SpySheriff <<< Delete Folder
C:\winstall.exe



Open CCleaner
To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
(Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Close out CCleaner.

Next

While still in safe mode

Open Ad-aware Scan your system, when complete have it fix all it finds,
Close out the program,

Reboot to normal mode,

Run a scan with
ActiveScan
Post back what it finds please, it will give you an option to save report, Copy and paste it back here along with a fresh HJT log please



Let us know how your system is running now

[don77]

Hi baltclown and welcome

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download smitfraud reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.


Download Ad-Aware SE
Check Here on how setup and use it - please make sure you update it first.
Use the: “Check for Updates Now” option and download the latest reference files
Current def files should read *SE1R50 13.06.2005*
(Don't run it yet we will use it later)

Next
Please download CCleaner and install it. Close out the program when it has completed set up (Don't run it yet we will use it later )

Next

Please go to Add/Remove programs and remove the following please

SpySheriff


Next

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PSGuard] F:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe



Next
Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

C:\Windows\Desktop.html
C:\Program Files\SpySheriff <<< Delete Folder
C:\winstall.exe



Open CCleaner
To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
(Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Close out CCleaner.

Next

While still in safe mode

Open Ad-aware Scan your system, when complete have it fix all it finds,
Close out the program,

Reboot to normal mode,

Run a scan with
ActiveScan
Post back what it finds please, it will give you an option to save report, Copy and paste it back here along with a fresh HJT log please



Let us know how your system is running now

[baltclown]

I followed these instructions last night before bed and this morning Spysheriff had reinstalled itself again.

Here are the requested logs

Panda Activescan:

Adware:Adware/nCase No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected F:\Program Files\Daily Weather Forecast
Adware:Adware/CWS No disinfected Windows Registry
Possible Virus. No disinfected F:\BeSweetGUIv0.6b83\BeSweet.exe


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:59 AM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\Program Files\D-Tools\daemon.exe
F:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
F:\Program Files\Trend Micro\Internet Security\pccguide.exe
F:\Program Files\Trend Micro\Internet Security\PCClient.exe
F:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Daily Weather Forecast\weather.exe
F:\Program Files\AIM95\aim.exe
F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\Program Files\Semagic\LiveJournalU.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
F:\Program Files\Trend Micro\Internet Security\tmproxy.exe
F:\Program Files\Trend Micro\Internet Security\PccPfw.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioEngineUtility] "F:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "F:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "F:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] F:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: Semagic.lnk = F:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://F:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://F:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - f:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - f:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - F:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\tmproxy.exe

[don77]

Hiagain baltclown

First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Scan local drives for temporary files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

After Cleanup! is finished:

• Run Ewido.
• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop
• Exit Ewido

Reboot into normal mode.

Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff
Daily Weather Forecast

Exit Add or Remove Programs.

Delete the following, in bold, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O4 - HKLM\..\Run: [Daily Weather Forecast] F:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe


Close HiJackThis.

RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

After the merged successfully prompt, using Windows Explorer, navigate to the following folder:

C:\Windows\Prefetch

If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

Reboot your computer.

You should be able to change your desktop back to normal now.

Post the report from Ewido and a new HiJackThis log into this topic

[baltclown]

Thanks for the help again.

I just finished following the new instructions so I dont know if Spysheriff is gone permanently again but I will check back in a few hours and see if it reinstalled itself again and let you know.

FYI when I went to Add/Remove programs there was no listing for Daily Weather Forecast but I did delete its folder in Program Files.

Also after running Ewido and removing Spysheriff the only line left of the ones you said to fix in the HJT log was the one for Daily Weather Forecast. I assume its because the program had already been deleted but I just wanted to make sure you were aware in case the other two lines still should've been there.

Here is the Ewido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:43:39 PM, 6/23/2005
+ Report-Checksum: 901D8606

+ Date of database: 6/23/2005
+ Version of scan engine: v3.0

+ Duration: 81 min
+ Scanned Files: 152125
+ Speed: 31.22 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
F:\
G:\

+ Scan result:
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup


::Report End

And the new HJT report

Logfile of HijackThis v1.99.1
Scan saved at 6:06:45 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\Program Files\D-Tools\daemon.exe
F:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
F:\Program Files\Trend Micro\Internet Security\tmproxy.exe
F:\Program Files\Trend Micro\Internet Security\pccguide.exe
F:\Program Files\Trend Micro\Internet Security\PCClient.exe
F:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\AIM95\aim.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\Program Files\Semagic\LiveJournalU.exe
F:\Program Files\Trend Micro\Internet Security\PccPfw.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioEngineUtility] "F:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "F:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "F:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Semagic.lnk = F:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://F:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://F:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - f:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - f:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - F:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - F:\Program Files\Trend Micro\Internet Security\tmproxy.exe

[don77]

Keep us updated please,,

Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection

Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep AD-Aware. and Spybot 1.3 handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here Name it clean or something like that,

[baltclown]

Looks like its still doing fine. No sign of it reinstalling itself.

Thanks so much for all the help! I was beginning to think I would never get rid of it.

[don77]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.