
SpySheriff has locked down my Desktop! [RESOLVED]


#1
Decepti0n
    New Member
  • 4 posts
I am new, I have read a few of these SpySheriff complaints in these forums. I hope someone can help me with my frustrating situation.
I uninstalled SpySheriff, but it has still locked down my Desktop. I can't change my Wallpaper anymore. Help! I don't want to wake up to this blue screen anymore.

Logfile of HijackThis v1.99.1
Scan saved at 12:12:36 AM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lrnv\Spciln.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\EPOX\USDM\USDM.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\phohrui.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\pdvpio.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\windows\system32\iwguqs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\PeDevice\PeDev.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=133720
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\system32\stlb2.dll
O2 - BHO: CookieHlprObj Class - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\PROGRA~1\BULLET~1\BPSPOP~1\BPSBHO.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\system32\stlb2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Eeslp] C:\Program Files\Lrnv\Spciln.exe
O4 - HKLM\..\Run: [EleFunAnimatedWallpaper] "C:\WINDOWS\Web\Wallpaper\animated - Autumn Sunset Wallpaper\Autumn Sunset.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [q3oh38l] phohrui.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [eptomhh] c:\windows\system32\iwguqs.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [b07nRUJ6O] pdvpio.exe
O4 - HKCU\..\Run: [BPS Popup Cookie Shield] C:\Program Files\bulletproffsoft\BPS Popup and Cookie Shield\BPSPopup.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {00350865-065A-63B9-683F-58D254B8C8C3} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {0A678265-6F47-0CF3-763D-378E3F63F715} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {107A9A4C-3D92-2AB0-1EF7-65F74157F301} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {14A032FA-E3C8-10F9-8305-166F33890454} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {15B360CC-9D01-502B-043F-1D006DA83F22} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {26278476-B7CF-7A8D-E384-3271218D4DF0} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {292C1285-9FC6-332B-19B4-697117798490} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {32DAC9E9-E4E7-1414-6B9A-229835304F38} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {380E4193-7D37-2FF8-83ED-47277F5BA720} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {3FDE1510-5F7B-7031-1B9C-5D3B74337DF3} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {4355D264-0F7E-3088-E807-40783255D87E} - http://67.19.99.165/1/rdgUS870.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0037.exe
O16 - DPF: {48BDF389-2A6B-40CD-292A-421B33C11863} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {504155CF-F168-5D3D-4CA9-710A0782FF4C} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {6207C176-0AC8-164C-D8DB-189678217C0B} - http://67.19.99.165/1/rdgUS870.exe
O16 - DPF: {6FE84FCC-161D-09DC-EFD0-778659679404} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {7940964C-A261-01F3-6A6B-74557A6B7769} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {79FE97AB-DA66-4F83-EA6D-0B180AF6CBCF} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {7ADAC374-C994-6844-5E26-268A689A6071} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Thank you! If anything else is needed, please let me know.

#2
miekiemoes
    Malware Expert
  • 5,503 posts
  • MVP
Hello,

You sure have a nice collection over here, so we can't deal with this in one flow.
That's why it is important you follow all my steps exactly as I tell you to.

Go to Start > Control Panel > software > add/remove programs and uninstall next if present:

Aprps (Apropos -- Apropos Media)
Browser Aid
Web_Rebates
ViewPoint (ViewPoint Manager)
Internet Optimizer
Parallel Tasking
AutoUpdate
Cas
bulletproffsoft
SpySheriff


Do you know what next is? For what do you use it? If you don't know, I strongly suggest you uninstall next also:

PeDevice

REBOOT afterwards

Download the latest version of Ad-Aware:
http://www.lavasoft....pport/download/

After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

Install an antivirus and a firewall:

AVG, Bitdefender OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can give problems and seriously decrease its reliability!
Zonealarm, Kerio OR Sygate are FREE firewalls.

Understanding and using firewalls:
http://www.bleepingc...showtutorial=60

Update your antivirus and let it perform a full scan and let it delete everything it is finding!!

REBOOT again and post a new HijackThis log.

We'll deal with the rest afterwards, so this won't be fixed at once.

#3
Decepti0n
    New Member
  • Topic Starter
  • 4 posts
Very cool, thanks for the Software links. Alright, I got rid of a bunch of malicious files and the like.
I did another scan with HijackThis, here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:09 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lrnv\Spciln.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\EPOX\USDM\USDM.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: CookieHlprObj Class - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\PROGRA~1\BULLET~1\BPSPOP~1\BPSBHO.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Eeslp] C:\Program Files\Lrnv\Spciln.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BPS Popup Cookie Shield] C:\Program Files\bulletproffsoft\BPS Popup and Cookie Shield\BPSPopup.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {00350865-065A-63B9-683F-58D254B8C8C3} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {0A678265-6F47-0CF3-763D-378E3F63F715} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {107A9A4C-3D92-2AB0-1EF7-65F74157F301} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {14A032FA-E3C8-10F9-8305-166F33890454} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {15B360CC-9D01-502B-043F-1D006DA83F22} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {26278476-B7CF-7A8D-E384-3271218D4DF0} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {292C1285-9FC6-332B-19B4-697117798490} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {32DAC9E9-E4E7-1414-6B9A-229835304F38} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {380E4193-7D37-2FF8-83ED-47277F5BA720} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {3FDE1510-5F7B-7031-1B9C-5D3B74337DF3} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {4355D264-0F7E-3088-E807-40783255D87E} - http://67.19.99.165/1/rdgUS870.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0037.exe
O16 - DPF: {48BDF389-2A6B-40CD-292A-421B33C11863} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {504155CF-F168-5D3D-4CA9-710A0782FF4C} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {6207C176-0AC8-164C-D8DB-189678217C0B} - http://67.19.99.165/1/rdgUS870.exe
O16 - DPF: {6FE84FCC-161D-09DC-EFD0-778659679404} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {7940964C-A261-01F3-6A6B-74557A6B7769} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {79FE97AB-DA66-4F83-EA6D-0B180AF6CBCF} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {7ADAC374-C994-6844-5E26-268A689A6071} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

#4
miekiemoes
    Malware Expert
  • 5,503 posts
  • MVP
Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page won't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download and install CCleaner
Do not use it yet.

* Download Nail/Aurora Spyware Fix
Unzip/extract it.
Do not use it yet!

* Download ewido security suite here: http://www.ewido.net/en/download/
Install and update it. Don't let it scan yet!!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Reboot into Safe Mode:
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Open the nailfix folder and double-click on nailfix.cmd. <== don't forget this step!!
Your taskbar and icons will disappear for a couple of seconds, that is normal.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\Parallel Tasking <== folder
C:\Program Files\Lrnv <== folder
C:\WINDOWS\system32\vidctrl <== folder
C:\WINDOWS\system32\exp.exe
C:\Program Files\bulletproffsoft <== folder
C:\Program Files\Cas <== folder
C:\winstall.exe
C:\Windows\desktop.html

Search for next and delete it:

D0CE0C16B1

(most probably present in your C:\windows or C:\Windows\system32)

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: CookieHlprObj Class - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\PROGRA~1\BULLET~1\BPSPOP~1\BPSBHO.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [Eeslp] C:\Program Files\Lrnv\Spciln.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [BPS Popup Cookie Shield] C:\Program Files\bulletproffsoft\BPS Popup and Cookie Shield\BPSPopup.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {00350865-065A-63B9-683F-58D254B8C8C3} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {0A678265-6F47-0CF3-763D-378E3F63F715} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {107A9A4C-3D92-2AB0-1EF7-65F74157F301} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {14A032FA-E3C8-10F9-8305-166F33890454} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {15B360CC-9D01-502B-043F-1D006DA83F22} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {26278476-B7CF-7A8D-E384-3271218D4DF0} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {292C1285-9FC6-332B-19B4-697117798490} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {32DAC9E9-E4E7-1414-6B9A-229835304F38} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {380E4193-7D37-2FF8-83ED-47277F5BA720} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {3FDE1510-5F7B-7031-1B9C-5D3B74337DF3} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {4355D264-0F7E-3088-E807-40783255D87E} - http://67.19.99.165/1/rdgUS870.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0037.exe
O16 - DPF: {48BDF389-2A6B-40CD-292A-421B33C11863} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {504155CF-F168-5D3D-4CA9-710A0782FF4C} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {6207C176-0AC8-164C-D8DB-189678217C0B} - http://67.19.99.165/1/rdgUS870.exe
O16 - DPF: {6FE84FCC-161D-09DC-EFD0-778659679404} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {7940964C-A261-01F3-6A6B-74557A6B7769} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {79FE97AB-DA66-4F83-EA6D-0B180AF6CBCF} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {7ADAC374-C994-6844-5E26-268A689A6071} - http://67.19.99.165/1/gdnUS870.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.

* Run CCleaner and click Run Cleaner (bottom right)

* Still in safe mode, perform a full scan with ewido.
Let it delete everything it is finding.
When finished, you'll get the option to make a log.
Save this log, because I'll need that later.

* Reboot your system back to normal mode.

* Download http://metallica.gee...m/smitfraud.reg and save it on your desktop
Double-click on it and when it asks you if you want to add the content to the registry, click yes/ok.

* Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

Open Notepad and copy and paste the next bold text in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=-
"NoComponents"=-
"NoAddingComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoHTMLWallPaper"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-

[-HKEY_CURRENT_USER\Software\SpySheriff]



Save this as fix.reg, choose to save as *all files, and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Download Findit
Unzip it to your desktop. Make sure the FindIt's.bat and XFind.com are together in the same UNZIPPED folder!
Disconnect from the internet, if you use an always on internet connection unplug it.
Let your PC be idle for 15 minutes!!

Double-click FindIt's.bat. When the scan is done, it will produce a log.
If you're getting an error while running findit's.bat similar to "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..", go to the next site and download and run the fix for your system:
http://www.tech-foru...opic/29806.html
Try to run findit's again afterwards.
Post that log in your next reply together with a fresh HijackThis log and the log from ewido and I'll take another look.

If you had any problems with deleting files or noticed any other problems during your fix, let me also know in your next reply.
Can you also tell me what PeDevice is?

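What the fix.reg above actually does, as an added Python example that is not part of miekiemoes' post and not a Microsoft tool: the registry is modelled as a dictionary of keys to value maps, the REGEDIT4 deletion syntax (`"Name"=-` removes a value, `[-Key]` removes a key with all its subkeys) is parsed and applied, and `lockdown_policies()` reports which ActiveDesktop policies still prevent the user from changing the wallpaper. The "infected" snapshot is constructed for illustration; its values are not taken from the poster's machine.

```python
"""Interpret a REGEDIT4 fix file against a model of the registry.

Added example; it is not part of the thread or of any Microsoft tool.  The
registry is modelled as {key: {value name: data}}.  Registry key and value
names are case-insensitive, so all lookups go through casefold().
"""
import re

REG_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ACTIVE_DESKTOP_POLICY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                         r"\CurrentVersion\Policies\ActiveDesktop")
# Policy values that, when non-zero, stop the user from changing the desktop.
LOCKDOWN_VALUES = ("NoChangingWallpaper", "NoComponents", "NoAddingComponents",
                   "NoDeletingComponents", "NoEditingComponents", "NoHTMLWallPaper")

# The fix.reg posted in the thread, verbatim.
FIX_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=-
"NoComponents"=-
"NoAddingComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoHTMLWallPaper"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-

[-HKEY_CURRENT_USER\Software\SpySheriff]
"""

# Constructed snapshot of a locked-down desktop (illustrative values only).
INFECTED_SNAPSHOT = {
    ACTIVE_DESKTOP_POLICY: {"NoChangingWallpaper": 1, "NoHTMLWallPaper": 1},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General": {
        "WallpaperFileTime": "(binary placeholder)",
        "Wallpaper": r"C:\WINDOWS\Web\Wallpaper\Bliss.bmp",
    },
    r"HKEY_CURRENT_USER\Software\SpySheriff": {"InstallDir": r"C:\Program Files\SpySheriff"},
    r"HKEY_CURRENT_USER\Software\SpySheriff\Settings": {"Version": "1"},
}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg(text):
    """Return [(key, delete_whole_key, {name: data_or_None})] in file order."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] not in REG_HEADERS:
        raise ValueError("missing REGEDIT4 header: Regedit would refuse this file")
    entries, current = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = (key_match.group(2), key_match.group(1) == "-", {})
            entries.append(current)
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match or current is None:
            raise ValueError(f"unsupported line: {line!r}")
        name = value_match.group(1) or ""       # "" is the key's default value (@)
        data = value_match.group(2)
        if data == "-":
            current[2][name] = None              # "-" means: delete this value
        elif data.lower().startswith("dword:"):
            current[2][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[2][name] = data[1:-1]
        else:
            raise ValueError(f"unsupported data: {data!r}")
    return entries


def _find(mapping, name):
    """Return the stored spelling of a case-insensitive name, or None."""
    return next((k for k in mapping if k.casefold() == name.casefold()), None)


def apply_reg(snapshot, text):
    """Apply a .reg file to a snapshot and return the new state (input untouched)."""
    state = {k: dict(v) for k, v in snapshot.items()}
    for key, delete_key, values in parse_reg(text):
        if delete_key:
            prefix = key.casefold() + "\\"
            for existing in list(state):            # key itself plus every subkey
                if existing.casefold() == key.casefold() or existing.casefold().startswith(prefix):
                    del state[existing]
            continue
        bucket = state.setdefault(_find(state, key) or key, {})
        for name, data in values.items():
            stored = _find(bucket, name)
            if data is None:
                bucket.pop(stored, None)            # deleting an absent value is not an error
            else:
                bucket[stored or name] = data
    return state


def lockdown_policies(snapshot):
    """Names of ActiveDesktop lockdown policies currently set to a non-zero value."""
    key = _find(snapshot, ACTIVE_DESKTOP_POLICY)
    if key is None:
        return []
    values = snapshot[key]
    return sorted(n for n in LOCKDOWN_VALUES
                  if _find(values, n) is not None and values[_find(values, n)])


if __name__ == "__main__":
    print("before:", lockdown_policies(INFECTED_SNAPSHOT))
    print("after: ", lockdown_policies(apply_reg(INFECTED_SNAPSHOT, FIX_REG)))
```

The header check is the reason for the "don't forget REGEDIT4" reminder: without it Regedit refuses the file. The `[-Key]` form is what removes SpySheriff's own settings tree; the `=-` lines only remove the individual policy values, leaving the rest of the ActiveDesktop key in place.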
#5 Decepti0n (New Member, Topic Starter, 4 posts)
Hiya^^
Alright! No more Blue Screen of Death for Wallpaper!

Everything is accessible and seems to be back to normal. Thanks for coming to the rescue. Those programs dug up a lot of bad and infectious files. Thanks for those.

Here are the three logs:


Logfile of HijackThis v1.99.1
Scan saved at 12:02:17 AM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\EPOX\USDM\USDM.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PeDevice\PeDev.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:58:50 PM, 6/27/2005
+ Report-Checksum: 31E85002

+ Date of database: 6/28/2005
+ Version of scan engine: v3.0

+ Duration: 56 min
+ Scanned Files: 250532
+ Speed: 73.83 Files/Second
+ Infected files: 26
+ Removed files: 26
+ Files put in quarantine: 26
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Rob\Cookies\rob@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\backups\backup-20050627-165509-184.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
C:\Program Files\Call of Duty\LOMALKA[1].RU-Call_of_Duty_United_Offensive_by_Citron-X.zip/ncx.exe -> TrojanDownloader.INService.l -> Cleaned with backup
C:\Program Files\Call of Duty\LOMALKA[1].RU-Call_of_Duty_United_Offensive_by_Revelation.zip/rtn.exe -> TrojanDownloader.INService.l -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Program Files\Emulators\G~[^[{\Xbox\xbox_emulator.0.34.exe -> Trojan.Concon.b -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\522EE36E-2E45-44A2-974F-CD142F\EFFDF679-4575-4A78-8DF2-D7C17A -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\76B75EDB-AD24-4DDF-AA66-21CDBC\5F3AA7EE-7BB9-40FF-9398-60F95E -> TrojanDownloader.Agent.li -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9E649521-0877-4C4F-84F5-75A9DE\8358E632-6868-458E-BF96-1827B1 -> Spyware.Agent.dh -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C3630DAF-0BB3-44B8-9ADE-56AF85\317E3722-D015-4C33-BE24-0734E1 -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C616E5A9-B4D0-48C6-BC60-090791\F21E528D-3682-4C3D-A174-2E033D -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C616E5A9-B4D0-48C6-BC60-090791\F7965D59-5606-4FDD-A617-8D4034 -> Spyware.180Solutions -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DA3E9085-2377-4FB2-9321-AF3A68\289FC540-19C4-49BB-AFF5-3CB77E -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS870.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS2053.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS870.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\AOLOpt(2).exe -> Backdoor.SdBot -> Cleaned with backup
C:\WINDOWS\system32\AOLOpt(3).exe -> Backdoor.SdBot -> Cleaned with backup
C:\WINDOWS\system32\bbnxzxr.dll.tmp -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\Cache\dist006.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\WINDOWS\system32\Cache\SSK3_B5 Advagency.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\WINDOWS\system32\Cache\SSK3_B5.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\WINDOWS\system32\yygup.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\test.hta -> TrojanDownloader.Psyme.av -> Cleaned with backup

::Report End


Findit's:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 06/27/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Todo Files found


aurora Files found


Suspect's
Dont delete file's in the section without guidance
If any doubt back them up first


lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\DAEMON.DLL
Buddy file's

SAHAgent Files found

Misc checks


Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 34FD-3A18

Directory of C:\WINDOWS\SYSTEM32

Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 34FD-3A18

Directory of C:\WINDOWS\system32

.
--------------------------------------end reports

Also, PeDevice installed itself a few days ago. I'm not sure what it was or where it came from. It wasn't a Toolbar or an anti-spyware/adware program. My guess is it was a popup engine...but it is gone now.


Thanks again for all your help, Miekiemoes!!!

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Looking much better and almost done. Thx for telling me about PeDevice, because this one needs to go.

But first, can you please upload the next files at the next forum:
http://www.thespykil...x.php?board=1.0

C:\Program Files\PeDevice\PeDev.dll
C:\Program Files\PeDevice\PeDev.exe

After they are uploaded, open your Task Manager (press CTRL-ALT-DEL together), choose the Processes tab and kill the next process:
PeDev.exe

Then fix the next entry in HijackThis:

O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll

Delete the next folder:

C:\Program Files\PeDevice

If you're having problems deleting it, try it in safe mode.

Reboot and post a last HijackThis log as a final checkup. :tazz:

#7 Decepti0n (New Member, Topic Starter, 4 posts)
Hi,
Alright, done.
Here is the link to my Topic at thespykiller.com :
http://www.thespykil...php?topic=409.0

There were no problems uploading the files or deleting files.
And HijackThis fixed the line without difficulty.

Here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 5:34:29 AM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\EPOX\USDM\USDM.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Anti-spyware-adware-malicous files Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

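The triage done in #6 and confirmed by the log above, as an added Python example that is neither part of the thread nor a HijackThis feature: a parser for the plain-text HijackThis 1.99 log format (a "Running processes:" block followed by R0/R1/O2/O4/O23... entries), a diff of two logs that lists the entries and processes that disappeared or appeared, and a lookup of everything that references a suspect folder, which is how the PeDev.exe process, the PEDEV_IEListener BHO and the C:\Program Files\PeDevice folder hang together. The two embedded logs are shortened excerpts of the ones posted in #5 and #7.

```python
"""Diff two HijackThis logs and find everything tied to one folder.

Added example; not part of the thread and not a HijackThis feature.
"""
import re
from dataclasses import dataclass

# HijackThis entry lines look like "O2 - BHO: ..." or "R1 - HKCU\...".
_ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # "O2", "O4", "O23", ...
    body: str     # the rest of the line, exactly as HijackThis printed it


def parse_hjt(text):
    """Return (running_processes, entries) for one HijackThis log."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False      # the process list ends at the first blank line
            continue
        if in_processes:
            processes.append(line)
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return processes, entries


def diff_logs(before, after):
    """Entries/processes present in only one of the two logs, in log order."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    before_entries, after_entries = set(e0), set(e1)
    before_procs = {p.casefold() for p in p0}
    after_procs = {p.casefold() for p in p1}
    return {
        "removed_entries": [e for e in e0 if e not in after_entries],
        "added_entries": [e for e in e1 if e not in before_entries],
        "gone_processes": [p for p in p0 if p.casefold() not in after_procs],
        "new_processes": [p for p in p1 if p.casefold() not in before_procs],
    }


def references_to(log, folder):
    """Processes and entries whose text mentions `folder` (case-insensitive)."""
    needle = folder.casefold()
    processes, entries = parse_hjt(log)
    return {
        "processes": [p for p in processes if needle in p.casefold()],
        "entries": [e for e in entries if needle in e.body.casefold()],
    }


# Shortened excerpt of the log posted in #5 (before PeDevice was removed).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:02:17 AM, on 6/28/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PeDevice\PeDev.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Shortened excerpt of the final log posted in #7.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:34:29 AM, on 6/28/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Anti-spyware-adware-malicous files Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

if __name__ == "__main__":
    for what, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(what, *items, sep="\n  ")
    print(references_to(LOG_BEFORE, r"C:\Program Files\PeDevice"))
```

Comparing a "before" and "after" log this way is quicker and less error-prone than reading two 80-line logs side by side: the only entry that disappears is the PeDevice BHO, and the process diff shows the expected churn (Notepad, Internet Explorer and HijackThis moved, wuauclt.exe started) rather than anything that was not supposed to change.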
#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
Clean log :tazz:

To keep this clean in the future, I would suggest the following things:

Install an antivirus and firewall:

AVG, Bitdefender OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease their reliability!
Zonealarm, Kerio OR Sygate are FREE firewalls.

Understanding and using firewalls:
http://www.bleepingc...showtutorial=60

Install Spywareblaster
SpywareBlaster doesn't scan for and clean so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Kaspersky online and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

You can also find more info on how to prevent malware here (by Tony Klein).

Happy surfing again! ;)

#9 miekiemoes (Malware Expert, MVP, 5,503 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.