Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

SpySheriff and HiJack This log [RESOLVED]

Started by luckyboym , Jun 23 2005 10:05 AM

  • This topic is locked This topic is locked

#1
luckyboym
Posted 23 June 2005 - 10:05 AM

luckyboym

    Member

  • Member
  • PipPip
  • 77 posts
hey guys, here is my hijackthis log file. I have tried everything and really need some expert help. any advice would be greatly appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:03:17 AM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.41.123.38:80
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsm3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail4.fitsvcs.com/iNotes.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BDCFF75-074F-11D6-92EE-00A0C9119E92} (Project1.AxleLoadCtl) - http://tis.toyota.co...AxleLoadCtl.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://tis.toyota.co...ads/tv_enua.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5263E95-2689-46D7-8437-9F3B5018CCE7}: Domain = gsag.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5263E95-2689-46D7-8437-9F3B5018CCE7}: NameServer = 172.16.1.35,172.16.1.36
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by luckyboym, 23 June 2005 - 10:05 AM.

  • 0

Advertisements

#2
Trevuren
Posted 23 June 2005 - 12:07 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi luckyboym welcome to Geeks 2 Go.

My name is Trevuren and I will be assisting you with your log.

However, before I am able to analyze your problem, you must read the information provided in the following link and I would like you to follow the steps that are recommended before posting a new log:

You Must Read This Before Posting A Log


Regards,

Trevuren

Edited by Trevuren, 23 June 2005 - 12:08 PM.

  • 0

#3
luckyboym
Posted 23 June 2005 - 01:00 PM

luckyboym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
hello, first I would like to thank you for taking the time to help me out.

I followed the intructions in that thread while trying to get rid of this thing myself, but
it seems that whatever I do everything just keeps popping back up.

Also, now I can only get on the computer in safe mode because a blue screen comes up telling me to remove anti-spyware programs. This is the first time I have seen this screen and it is making things especially hard.

The four trusted sites on the HJT log never go away. They are present even though I check them to be fixed.

I am at your mercy, just tell me what to do and I will do it. Hopefully, with your knowledge we can knock this thing out.
  • 0

#4
Trevuren
Posted 23 June 2005 - 02:24 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Questions:

1. Do you recognize the IP adress found in line 017 of HIjackThis. I can't get a positive ID and I have to make sure that it isn't a hijack?

2. I need you to run those scans anew. I don't see any signs in your log of you having Ad-Aware on your system.


Regards,

Trevuren
  • 0

#5
luckyboym
Posted 23 June 2005 - 04:05 PM

luckyboym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
1. I do recognize 017

2. I ran everything again but I have to leave work and wont be able to post a new log until morning.

Thanks
  • 0

#6
luckyboym
Posted 24 June 2005 - 07:55 AM

luckyboym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
okay, I ran everything and here is the newest log file

Logfile of HijackThis v1.99.1
Scan saved at 8:54:20 AM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsc20.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail4.fitsvcs.com/iNotes.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BDCFF75-074F-11D6-92EE-00A0C9119E92} (Project1.AxleLoadCtl) - http://tis.toyota.co...AxleLoadCtl.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://tis.toyota.co...ads/tv_enua.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5263E95-2689-46D7-8437-9F3B5018CCE7}: Domain = gsag.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5263E95-2689-46D7-8437-9F3B5018CCE7}: NameServer = 172.16.1.35,172.16.1.36
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#7
Trevuren
Posted 24 June 2005 - 09:11 AM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". Select the following files and click on "Kill process". Answer Yes to the "Are you sure..." question.

desktop.exe

edmond.exe

ffisearch.exe


2. Launch Wordpad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.


REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\ext\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"desktop search"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ffis"=-


3. Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

4. Restart your computer.

5. Launch Wordpad, and copy/paste the box below into a new text file. Save it as Unreg.bat and save it on your Desktop.

regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll


Locate Unreg.bat on your Desktop and double-click on it.


6. Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32
delprot.ini

delprot.log

desktop.exe

isrvs (delete the entire folder)



Delete the following file: C:\Windows\System32\Drivers\Delprot.sys


Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop
anal exploits.url

big d*** school for 2.95.url

evidence eraser.lnk

popup blocker stops popups.lnk

spyware avenger.lnk

virus hunter security.lnk

your platinum visa.lnk

7. REBOOT your system

8. Run HJT, click SCAN, produce a LOG and Post it into this thread for review.

Regards

Trevuren
  • 0

#8
luckyboym
Posted 24 June 2005 - 04:50 PM

luckyboym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
5. it said "no module found" each time
6. i didn't find any of those files.

here is my new log but I won't be able to do anything else until Monday morning

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 5:47:02 PM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Allen Toyota\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.41.123.38:80
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsa3.dll
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail4.fitsvcs.com/iNotes.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BDCFF75-074F-11D6-92EE-00A0C9119E92} (Project1.AxleLoadCtl) - http://tis.toyota.co...AxleLoadCtl.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://tis.toyota.co...ads/tv_enua.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5263E95-2689-46D7-8437-9F3B5018CCE7}: Domain = gsag.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5263E95-2689-46D7-8437-9F3B5018CCE7}: NameServer = 172.16.1.35,172.16.1.36
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#9
Trevuren
Posted 24 June 2005 - 05:15 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Please RUN HijackThis.
. Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsa3.dll
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.


Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

FILES

C:\WINDOWS\nem220.dll
C:\WINDOWS\system32\nsa3.dll
C:\winstall.exe

FOLDERS (with all their content)

C:\Program Files\DNS

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everytjhing looks now.

Regards,

Trevuren
  • 0

#10
luckyboym
Posted 28 June 2005 - 02:16 PM

luckyboym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
okay, I finally got to work on the computer again.

I followed your steps and will post the log below, but I have one question first.
When I did the registry step and the other notepad step the desktop warning went away, but its back now. Do I need to do that stuff again?


Logfile of HijackThis v1.99.1
Scan saved at 3:02:47 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Documents\hijackthis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.41.123.38:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail4.fitsvcs.com/iNotes.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BDCFF75-074F-11D6-92EE-00A0C9119E92} (Project1.AxleLoadCtl) - http://tis.toyota.co...AxleLoadCtl.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://tis.toyota.co...ads/tv_enua.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

Advertisements

#11
Trevuren
Posted 28 June 2005 - 03:05 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Please run the following program:
  • Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
    http://www.mvps.org/.../DelDomains.inf
  • Save the file to the desktop.
  • Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.
  • Then please restart your computer, and post a new HijackThis log.

    Note: You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot after doing this if you were using these features before.
2. Now please describe to me in detail again what your screen is doing.

Regards,

Trevuren
  • 0

#12
luckyboym
Posted 29 June 2005 - 02:15 PM

luckyboym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
1. I will post the log below include the start up list if that will be helpfull.

2. the screen show a waring that replaced the background picture. I think this might be related to spy sheriff because I read others had this problem as well.

Logfile of HijackThis v1.99.1
Scan saved at 2:50:21 PM, on 6/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\All Users\Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.41.123.38:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail4.fitsvcs.com/iNotes.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BDCFF75-074F-11D6-92EE-00A0C9119E92} (Project1.AxleLoadCtl) - http://tis.toyota.co...AxleLoadCtl.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://tis.toyota.co...ads/tv_enua.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

StartupList report, 6/27/2005, 11:08:09 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\All Users\Documents\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Documents\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

MicrosoftAntiSpywareCleaner = C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Windows installer = C:\winstall.exe
DNS = C:\Program Files\Common Files\mc-58-12-0000093.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~2\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = http://webmail4.fitsvcs.com/iNotes.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[Project1.AxleLoadCtl]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxleLoadCtl.ocx
CODEBASE = http://tis.toyota.co...AxleLoadCtl.cab

[Lernout & Hauspie TruVoice American English TTS Engine]
InProcServer32 = C:\WINDOWS\lhsp\tv\tvenuax.dll
CODEBASE = http://tis.toyota.co...ads/tv_enua.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\windows\isrvs\desktop.exe||c:\windows\isrvs\ffisearch.exe||C:\WINDOWS\isrvs\edmond.exe||c:\windows\isrvs\sysupd.dll||C:\WINDOWS\isrvs\mfiltis.dll||C:\WINDOWS\isrvs\msdbhk.dll||c:\windows\isrvs\desktop.exe||c:\windows\isrvs\ffisearch.exe||c:\windows\isrvs\isearch.xpi||c:\windows\isrvs\sysupd.dll||C:\WINDOWS\SYSTEM32\DRIVERS\delprot.sys||C:\WINDOWS\isrvs\edmond.exe||C:\WINDOWS\isrvs\mfiltis.dll||C:\WINDOWS\isrvs\msdbhk.dll||c:\windows\isrvs\desktop.exe||c:\windows\isrvs\edmond.exe||c:\windows\isrvs\ffisearch.exe||c:\windows\isrvs\isearch.xpi||c:\windows\isrvs\mfiltis.dll||c:\windows\isrvs\msdbhk.dll||c:\windows\isrvs\sysupd.dll


--------------------------------------------------
End of report, 5,599 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#13
Trevuren
Posted 29 June 2005 - 02:33 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I guess we are at the point where we try and get you a normal desktop back

Try this:


1. Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

2. Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.


Regards,

Trevuren
  • 0

#14
luckyboym
Posted 29 June 2005 - 02:51 PM

luckyboym

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
okay once I do the desktop thing are we done? I just checked and spy sheriff is still in the program files. If I unistall it,it would pop back up right? Also, there are a couple of files that I think are problems.

C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe

I have deleted them before but should I try agian.

thanks.
  • 0

#15
Trevuren
Posted 29 June 2005 - 03:03 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
To make sure. I recommend that we go through the whole cure for SPySheriff

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
We have no files here
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Open Ad-Aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.

Let us know if any problems persist.

Finally, run HJT, click SCAN, and post a log back into this thread for review.

Regards,

Trevuren
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP