
Spy Sheriff problem [resolved]


This topic is locked.

#1 Cyclone (New Member, 3 posts)

Somehow I managed to get SpySheriff (and others possibly...) on my system and am having a heck of a time getting rid of them. I cannot change my desktop background at the moment. I walked through the first steps (http://www.geekstogo..._Log-t2852.html) and downloaded and ran the recommended programs, with the exception of Spybot, which kept hanging about 5% into the scan. Thanks for any advice you can offer!

Here is the Ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:12:22 PM, 7/8/2005
+ Report-Checksum: 47892E49

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKU\S-1-5-21-484763869-1563985344-1060284298-1003\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-484763869-1563985344-1060284298-1003\Software\WareOut\FirstRun -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-484763869-1563985344-1060284298-1003\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-484763869-1563985344-1060284298-1003\Software\WareOut\Registration -> TrojanDownloader.Wareout : Cleaned with backup
[2124] VM_10000000 -> TrojanSpy.Agent.am : Error during cleaning
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\__delete_on_reboot__tatr.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\Documents and Settings\Mer\Cookies\mer@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Mer\Cookies\mer@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Mer\Cookies\mer@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mer\Cookies\mer@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Program Files\Common Files\iwfq\iwfql.exe -> TrojanDownloader.TSUpdate.j : Cleaned with backup
C:\Program Files\Common Files\iwfq\iwfqp.exe -> Spyware.Xupiter : Cleaned with backup
C:\Program Files\Common Files\iwfq\mytsp -> Spyware.Xupiter : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\S42NS.EXE -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP128\A0006585.dll -> TrojanDownloader.Apropo.w : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP128\A0006589.dll -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP128\A0006590.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP128\A0006595.exe -> TrojanDownloader.Apropo.r : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP130\A0006626.dll -> TrojanDownloader.Apropo.w : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP130\A0006627.exe -> TrojanDownloader.Apropo.r : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP130\A0006631.dll -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP130\A0006632.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008037.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008044.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008054.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008067.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008068.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008069.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008070.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008071.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008072.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008073.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008077.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008084.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008094.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008101.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008102.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008103.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008112.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008138.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008152.exe -> TrojanDownloader.TSUpdate.k : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008154.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008160.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008161.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008175.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008177.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008184.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008186.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008190.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008207.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008218.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008220.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008224.dll -> Backdoor.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008225.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008232.exe -> Backdoor.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008234.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008243.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008251.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008264.exe -> TrojanDownloader.Small.aom : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008271.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP202\A0008281.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP203\A0008282.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP204\A0008283.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP205\A0008284.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP206\A0008285.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP207\A0008286.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008287.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008290.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008299.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008303.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008310.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008311.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008312.exe -> Trojan.Crypt.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008324.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008327.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008330.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008333.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008334.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008335.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008340.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008344.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008345.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008352.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008355.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008356.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008357.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008362.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008379.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008382.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008383.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008385.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008389.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008390.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008544.exe -> Trojan.Crypt.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008593.dll -> Spyware.ImiBar : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008594.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008595.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008598.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008603.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008604.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008609.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008612.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\file.exe -> TrojanDownloader.Small.xk : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\win32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\pss\tatr.exeCommon Startup -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\qa0mvo3g.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\sys5110.exe -> Backdoor.Small.fv : Cleaned with backup
C:\WINDOWS\sys5111.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys5112.exe -> Backdoor.Small.fv : Cleaned with backup
C:\WINDOWS\sys519.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system\__delete_on_reboot__svchosthook.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\system32\drv2cltr.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\WINDOWS\system32\elitefpv32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\elitegym32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\elitepcl32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\exp.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\system32\gpsresl32.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\HookPopup.dll -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\Knlhhu.exe -> Trojan.Popmon.a : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system32\LeisureBoxInst_ppi1a.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\mamham.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\nknik.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\WINDOWS\system32\nsl5D.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\rdsndin.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\sysupd1003.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\Tgmqku.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\system32\thn32.dll -> TrojanProxy.Small.bk : Cleaned with backup
C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\vxgame1.exe -> TrojanDropper.Small.wv : Cleaned with backup
C:\WINDOWS\system32\vxgame2.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system32\vxgame3.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\vxgame4.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\vxgamet2.exe -> Trojan.LowZones.y : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq6.exe -> TrojanDownloader.Small.aux : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq7.exe -> TrojanDownloader.Small.atl : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__qcixw.dll -> Spyware.SBSoft : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__ukunkuy.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\WINDOWS\wnoxmpla.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__svcproc.exe -> Adware.BetterInternet : Cleaned with backup


::Report End



Followed by my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:31 AM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mer\Desktop\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {5D68A1E7-E6DB-13B1-4B25-F6A04898AB65} - scanSYS.dll (file missing)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\qcixw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb003.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\qcixw.dll (file missing)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [wgjfcj] c:\windows\system32\hwurqnj.exe r
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mamham.exe reg_run
O4 - HKLM\..\RunOnce: [AVP] C:\WINDOWS\System32\2750645.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [iwfq] C:\PROGRA~1\COMMON~1\iwfq\iwfqm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [cmon14] SysEntry.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: Forget Me Not Reminders.lnk = C:\CACARD\FMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://www.ssd.k12.mn.us/iNotes.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66214D2F-4328-4F5F-9D39-6471CFA3A404}: NameServer = 69.50.188.180,85.255.112.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


Thanks again!

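As an added example, not part of the original post and not ewido's own code: a short Python script that triages a scan report of the shape posted above. It separates detections by where they live (a module inside a running process, registry keys, live files, tracking cookies, and dormant copies inside System Restore points), lists anything the scanner could not clean, and reports which families still had a live foothold as opposed to existing only in restore points. The sample report is a constructed subset of the lines above; reading `[pid] VM_<address>` as an in-memory module and the `__delete_on_reboot__` prefix as a file that was in use when the scanner tried to remove it are assumptions about the log format, not something the report documents.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the ewido report above, chosen so that every
# location class the triage distinguishes appears at least once.
SAMPLE_REPORT = r"""
+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-484763869-1563985344-1060284298-1003\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
[2124] VM_10000000 -> TrojanSpy.Agent.am : Error during cleaning
C:\Documents and Settings\Mer\Cookies\mer@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008037.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008333.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\WINDOWS\system32\drv2cltr.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\WINDOWS\system\__delete_on_reboot__svchosthook.dll -> Backdoor.Agent.iw : Cleaned with backup

::Report End
"""

# One detection per line: "<object> -> <classification> : <action>".
LINE_RE = re.compile(r"^(?P<obj>.+?) -> (?P<family>\S+) : (?P<action>.+)$")


def classify_location(obj: str) -> str:
    """Map a detected object to where it lives. Order matters: a restore-point
    copy is also a file path, so it is tested before the generic file case."""
    if obj.startswith("[") and "VM_" in obj:
        # Assumption: "[pid] VM_<address>" is a module mapped in a running process.
        return "memory"
    if obj.split("\\", 1)[0] in ("HKLM", "HKCU", "HKU"):
        return "registry"
    if "\\System Volume Information\\_restore" in obj:
        return "restore-point"   # dormant copy kept by System Restore
    if "\\Cookies\\" in obj:
        return "cookie"
    return "file"


def triage(report: str) -> dict:
    by_location = Counter()
    unresolved = []              # detections the scanner could not clean
    locked = []                  # files renamed for deletion at next reboot
    where = defaultdict(set)     # family -> set of location classes it was seen in
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # header, footer and blank lines
        obj, family, action = m.group("obj", "family", "action")
        loc = classify_location(obj)
        by_location[loc] += 1
        where[family].add(loc)
        if not action.startswith("Cleaned"):
            unresolved.append((obj, family, action))
        # Assumption: the __delete_on_reboot__ prefix marks a file that was in use
        # when the scanner tried to remove it, so removal was deferred to reboot.
        if "__delete_on_reboot__" in obj:
            locked.append(obj)
    active = {"memory", "file", "registry"}
    families_live = {f for f, locs in where.items() if locs & active}
    families_restore_only = {f for f, locs in where.items() if locs == {"restore-point"}}
    return {
        "by_location": by_location,
        "unresolved": unresolved,
        "locked": locked,
        "families_live": families_live,
        "families_restore_only": families_restore_only,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for loc, n in sorted(result["by_location"].items()):
        print(f"{loc:14} {n}")
    print("unresolved:", result["unresolved"])
    print("locked:", result["locked"])
    print("live families:", sorted(result["families_live"]))
    print("restore-point only:", sorted(result["families_restore_only"]))
```

Run against the sample, the one entry left uncleaned is the in-memory TrojanSpy.Agent.am module, while copies of the same family sit in system32 and in restore point RP208. An uncleaned in-memory module is the usual reason a scan gets repeated from Safe Mode, as the reply below asks for. Restore-point copies are inert until a System Restore is performed, but will reintroduce the files if one is.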

#2 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Enter your control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says "Obtain DNS servers automatically".

Press OK twice to get out of the properties screen and reboot if it asks.

Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

After Cleanup! is finished:
  • Run Ewido
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot into normal mode.

Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

Exit Add or Remove Programs.

Delete the following, in bold, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:


R3 - URLSearchHook: (no name) - {5D68A1E7-E6DB-13B1-4B25-F6A04898AB65} - scanSYS.dll (file missing)

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\qcixw.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb003.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\qcixw.dll (file missing)

O4 - HKLM\..\Run: [wgjfcj] c:\windows\system32\hwurqnj.exe r
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mamham.exe reg_run
O4 - HKLM\..\RunOnce: [AVP] C:\WINDOWS\System32\2750645.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [iwfq] C:\PROGRA~1\COMMON~1\iwfq\iwfqm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [cmon14] SysEntry.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE<<resource hog

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O17 - HKLM\System\CCS\Services\Tcpip\..\{66214D2F-4328-4F5F-9D39-6471CFA3A404}: NameServer = 69.50.188.180,85.255.112.5<<if it is there.


Close HiJackThis.

RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

After the merged successfully prompt, using Windows Explorer, navigate to the following folder:

C:\Windows\Prefetch

If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

Reboot your computer.

You should be able to change your desktop back to normal now.

Please download and follow these instructions for setting up and running Ad-Aware SE 1.06:
Ad-Aware SE Setup (if you already have Ad-Aware 1.06, please update to the latest definitions then set the program up per the instructions on the page).

Post the report from Ewido and a new HiJackThis log into this topic.
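Added example, not code from this thread or from HijackThis: a small triage pass over HijackThis-style log lines that flags the classes of entries the helper singled out above (references to files that no longer exist, hosts-file redirections, O17 NameServer overrides, and O4 autoruns launched from a system directory or with no path at all). The sample lines are copied from the logs posted in this thread; the DNS allowlist is an assumed parameter the reviewer supplies from what the user's ISP or network actually uses.

```python
"""Triage of HijackThis-style log lines: an added example, not part of the
thread or of HijackThis. Flags the entry classes the helper singled out."""
import re

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# First Windows path ending in an executable extension, quoted or not.
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|cpl|com|bat|pif))\b', re.I)
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
# Autoruns launched straight from these directories get a second look (assumes
# Windows on C:). Vendor tools live here too, so a human confirms every hit.
SYSTEM_DIRS = ("c:\\", "c:\\windows\\", "c:\\windows\\system\\",
               "c:\\windows\\system32\\")

# Constructed sample mixing lines from the thread's infected and clean logs.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\qcixw.dll (file missing)
O4 - HKLM\..\Run: [wgjfcj] c:\windows\system32\hwurqnj.exe r
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [cmon14] SysEntry.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{66214D2F-4328-4F5F-9D39-6471CFA3A404}: NameServer = 69.50.188.180,85.255.112.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""


def triage(log_text, dns_allowlist=frozenset()):
    """Return (reason, line) pairs for every entry a reviewer should inspect."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, the process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        if "(file missing)" in body:  # leftover from a deleted component
            hits.append(("orphaned reference to a missing file", line))
        elif kind == "O1":
            hits.append(("hosts-file redirection", line))
        elif kind == "O17":  # resolvers the user or their ISP did not set
            ns = NS_RE.search(body)
            servers = ns.group("servers").split(",") if ns else []
            if any(s.strip() not in dns_allowlist for s in servers):
                hits.append(("DNS server override", line))
        elif kind == "O4":
            p = PATH_RE.search(body)
            if p is None:  # bare filename: resolved via the search path
                hits.append(("autorun with no path", line))
            else:
                directory = p.group("path").lower().rsplit("\\", 1)[0] + "\\"
                if directory in SYSTEM_DIRS:
                    hits.append(("autorun launched from a system directory", line))
    return hits
```

Run `triage(open("hijackthis.log").read())` on a saved log; the legitimate ATI entries in the sample produce no hits, while each entry the helper asked to fix does.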

#3
Cyclone

    New Member

  • Topic Starter
  • Member
  • 3 posts
Thanks for your help! I have control of my desktop back now and SpySheriff no longer appears to be on the system. :tazz: I ran AdAware at the end of the process and it found a VX2 program but it appears to have cleaned it successfully.

Here's a copy of the Ewido log and a new HijackThis log as you requested.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:35:41 PM, 7/10/2005
+ Report-Checksum: F3F7DFB2

+ Scan result:

C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP201\A0008266.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008337.exe -> TrojanDownloader.Agent.qx : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008614.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008615.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008616.exe -> TrojanDownloader.TSUpdate.j : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008617.exe -> Spyware.Xupiter : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008618.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008619.EXE -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008620.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008621.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008622.exe -> Backdoor.Small.fv : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008623.exe -> Trojan.Crypt.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008624.exe -> Backdoor.Small.fv : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008625.exe -> Trojan.Crypt.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008626.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008627.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008628.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008629.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008630.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008631.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008632.dll -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008633.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008634.exe -> Trojan.Popmon.a : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008635.exe -> Trojan.Crypt.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008636.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008637.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008638.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008639.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008640.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008641.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008642.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008643.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008644.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008645.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008646.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008647.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008648.dll -> TrojanProxy.Small.bk : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008649.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008650.exe -> TrojanDropper.Small.wv : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008651.exe -> Trojan.Crypt.c : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008652.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008653.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008654.exe -> Trojan.LowZones.y : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008655.exe -> TrojanDownloader.Small.aux : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008656.exe -> TrojanDownloader.Small.atl : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008657.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008658.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008659.exe -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008660.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008677.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008680.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008691.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008699.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008707.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008708.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008709.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{D1B58BE1-BA4A-4D32-8D92-9771C1F74AA1}\RP208\A0008716.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\drv2cltr.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\WINDOWS\system32\ztoolb003.dll -> Spyware.Zbar : Cleaned with backup


::Report End



---- HijackThis Log ----

Logfile of HijackThis v1.99.1
Scan saved at 9:22:51 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mer\Desktop\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Forget Me Not Reminders.lnk = C:\CACARD\FMREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://www.ssd.k12.mn.us/iNotes.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


Anything else look out of place in the new log? Thanks again for the help!!

#4
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You did awesome. How is it running? I will leave this topic open for a few days and that way you can post back then and tell me if everything is going OK. :tazz:

#5
Cyclone

    New Member

  • Topic Starter
  • Member
  • 3 posts
Everything is running great now, no signs of any lingering problems at all! Thanks again for your help and the great instructions, it made the repair process amazingly easy. I'm sooo thankful I came across this site or I'd still be sitting here trying to figure out what to do next :tazz:

#6
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Thanks for the thank you, but the staffers who figure out the automatic fixes are the true heroes. They are a smart crew. ;)

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

We highly recommend installing SP2. Click here: http://windowsupdate.microsoft.com/.
-or-
It's a very large download, so if you're on dial-up, order a free CD here:
http://www.microsoft...default810.mspx