Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Removing SpySheriff for good [RESOLVED]

Started by RamenParty , Aug 05 2005 10:19 AM

  • This topic is locked This topic is locked

#1
RamenParty
Posted 05 August 2005 - 10:19 AM

RamenParty

    New Member

  • Member
  • Pip
  • 6 posts
From what it looks like, I'm not the only one to have fallen to this spyware, with its "your infected" wallpaper and popup warnings. I've run AdAware SE and it still sticks around, and I'd really like ot get rid of it. Here is my HijackThis log. I hope one of you can help me to clean this up.

Logfile of HijackThis v1.99.1
Scan saved at 1:07:04 PM, on 05/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\winstall.exe
C:\Program Files\htdr\rrct.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\w?nspool.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lindsay Searles\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://

searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://

searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://

searchforfree.info/browser/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://

searchforfree.info/?sid=u002
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http

://searchforfree.info/?sid=u002
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://searchforfree.info/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://

searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://

searchforfree.info/?sid=u002
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://searchforfree.info/browser/
F3 - REG:win.ini: run=C:\WINDOWS\htmlsync.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:

\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {97BDA88C-3042-31B0-4215-6A534E875DC7} - C:

\WINDOWS\System32\bfopnf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:

\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [isystem] C:\WINDOWS\System32\isystem.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ldriver] C:\WINDOWS\System32\ldriver.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Aaea] C:\Program Files\htdr\rrct.exe
O4 - HKCU\..\Run: [Kagkwyg] C:\WINDOWS\System32\w?nspool.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT2Net.lnk = C:\Program Files\BT2Net\bt2net.exe
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~

1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:

\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.game.../games/clients/

y/grt5_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http

://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:

\foo.mht!http://82.179.170.82....chm::/file.exe
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) -

http://www.powerflas...in/powerres.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net

/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.

exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

http://www.shockwave...aploader_v5.cab
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1

\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} -

C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O21 - SSODL: tjkWWzwUOkFQ - {80E2F94D-2A48-53E7-8841-1B2A8A077F78} - C:

\WINDOWS\System32\bpt.dll
O21 - SSODL: System - {931FCA31-1443-4390-97D2-D0A24AAC65AE} - vr_sys.dll (

file missing)
O21 - SSODL: Civilization II Multiplayer Gold Edition - {138EFF43-E964-FBCE

-88C4-23302C94BC96} - c:\program files\microprose software\civilization ii

multiplayer gold edition\esayh32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2

evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:

\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program

Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe

(file missing)
  • 0

Advertisements

#2
Rawe
Posted 05 August 2005 - 10:23 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome.

We'll get this sorted for you.. But can you first please unselect WordWrap from notepad.
Then, create a folder at C:\Program Files\HijackThis. Go to C:\Documents and Settings\Lindsay Searles\Desktop\HijackThis.exe and move HijackThis.exe to the newly created folder. It's important so it can create backups if necessary. Run a new scan with HiJackThis and post a fresh log for me.

- Rawe :tazz:
  • 0

#3
RamenParty
Posted 05 August 2005 - 10:27 AM

RamenParty

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Sure thing. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 1:29:03 PM, on 05/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\winstall.exe
C:\Program Files\htdr\rrct.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\w?nspool.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchforfree.info/browser/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchforfree.info/?sid=u002
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://searchforfree.info/?sid=u002
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchforfree.info/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchforfree.info/?sid=u002
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://searchforfree.info/browser/
F3 - REG:win.ini: run=C:\WINDOWS\htmlsync.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {97BDA88C-3042-31B0-4215-6A534E875DC7} - C:\WINDOWS\System32\bfopnf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [isystem] C:\WINDOWS\System32\isystem.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ldriver] C:\WINDOWS\System32\ldriver.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Aaea] C:\Program Files\htdr\rrct.exe
O4 - HKCU\..\Run: [Kagkwyg] C:\WINDOWS\System32\w?nspool.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT2Net.lnk = C:\Program Files\BT2Net\bt2net.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82....chm::/file.exe
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O21 - SSODL: tjkWWzwUOkFQ - {80E2F94D-2A48-53E7-8841-1B2A8A077F78} - C:\WINDOWS\System32\bpt.dll
O21 - SSODL: System - {931FCA31-1443-4390-97D2-D0A24AAC65AE} - vr_sys.dll (file missing)
O21 - SSODL: Civilization II Multiplayer Gold Edition - {138EFF43-E964-FBCE-88C4-23302C94BC96} - c:\program files\microprose software\civilization ii multiplayer gold edition\esayh32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
  • 0

#4
Rawe
Posted 05 August 2005 - 10:44 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, let's get started then. ;)

Please print these instructions out, or write them down, as you can't read them during the fix.

Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Now do this;

Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; svchost.exe (moto)

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: moto
  • Click "ok", then reboot
Next, please reboot your computer in Safe Mode by doing the following;

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
===================================================
Run a scan with HiJackThis and check the following objects for removal;

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchforfree.info/browser/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchforfree.info/?sid=u002
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://searchforfree.info/?sid=u002
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchforfree.info/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchforfree.info/?sid=u002
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://searchforfree.info/browser/
F3 - REG:win.ini: run=C:\WINDOWS\htmlsync.exe
O2 - BHO: (no name) - {97BDA88C-3042-31B0-4215-6A534E875DC7} - C:\WINDOWS\System32\bfopnf.dll
O4 - HKLM\..\Run: [isystem] C:\WINDOWS\System32\isystem.exe
O4 - HKCU\..\Run: [ldriver] C:\WINDOWS\System32\ldriver.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Aaea] C:\Program Files\htdr\rrct.exe
O4 - HKCU\..\Run: [Kagkwyg] C:\WINDOWS\System32\w?nspool.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Global Startup: BT2Net.lnk = C:\Program Files\BT2Net\bt2net.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82....chm::/file.exe
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O21 - SSODL: tjkWWzwUOkFQ - {80E2F94D-2A48-53E7-8841-1B2A8A077F78} - C:\WINDOWS\System32\bpt.dll
O21 - SSODL: System - {931FCA31-1443-4390-97D2-D0A24AAC65AE} - vr_sys.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Close any other open windows and/or open browsers, making sure that only HiJackThis is running. Make sure that the above mentioned objects are all checked, then hit "Fix Checked".
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a Full System Scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE; During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Go to -> Start -> Control Panel -> Add/Remove programs and uninstall the following entries if present;

htdr

Note any programs you don't know from the list if present to your next reply


Using Windows Explorer, locate the following files/folders and delete if present;

C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\bpt.dll
C:\Program Files\htdr\ <= Entire Folder
C:\WINDOWS\htmlsync.exe
C:\PROGRA~1\BT2Net\ <= Entire Folder

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Run CleanUp! making sure to reboot!

Boot up into normal mode and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

Let me know how's it running now.

- Rawe :tazz:
  • 0

#5
RamenParty
Posted 05 August 2005 - 01:10 PM

RamenParty

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Took me a while, but I got through everything that you said to do. Here are the logs that you asked me to post:

Logfile of HijackThis v1.99.1
Scan saved at 4:09:35 PM, on 05/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O21 - SSODL: Civilization II Multiplayer Gold Edition - {138EFF43-E964-FBCE-88C4-23302C94BC96} - c:\program files\microprose software\civilization ii multiplayer gold edition\esayh32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

===================================================


smitRem log file
version 2.3

by noahdfear

The current date is: 05/08/2005
The current time is: 14:35:40.00

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~

SpySheriff


~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~

Online Pharmacy.url


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~

winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:

====================================================

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:15:06 PM, 05/08/2005
+ Report-Checksum: EFFCA48E

+ Scan result:

C:\Program Files\MicroProse Software\Civilization II Multiplayer Gold Edition\esayh32.dll -> TrojanDownloader.Murlo.ar : Ignored
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Lindsay Searles\Cookies\lindsay [email protected][1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ARCU8G2W\load02[1].exe -> TrojanDropper.Small.aad : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y9PDDAP0\loadppc[1].exe -> TrojanDropper.Small.abx : Cleaned with backup
C:\Program Files\Internet Explorer\wskkeuyy.exe -> TrojanDownloader.Delf.cb : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\htmlsync.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\sys4947.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4948.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4949.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4951.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4952.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4953.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys4954.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system\svchost.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchosthook.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\abirvalg32.dll -> TrojanProxy.Small.cn : Cleaned with backup
C:\WINDOWS\system32\cssrs.exe -> TrojanSpy.PdPinch : Cleaned with backup
C:\WINDOWS\system32\isystem.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\ldriver.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\TCPService2.exe -> TrojanDownloader.Agent.kx : Cleaned with backup
C:\WINDOWS\system32\ucsi.exe -> TrojanDropper.Agent.hc : Cleaned with backup
C:\WINDOWS\system32\unhtmhlp.exe -> TrojanDropper.Small.wa : Cleaned with backup
C:\WINDOWS\system32\vxgame1.exe -> TrojanDropper.Small.acg : Cleaned with backup
C:\WINDOWS\system32\vxgame2.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq6.exe -> TrojanDownloader.Small.aux : Cleaned with backup
C:\WINDOWS\vr_sys.dll -> TrojanSpy.LdPinch.os : Cleaned with backup
C:\WINDOWS\zlibc.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

====================================================


Incident Status Location

Adware:adware/xplugin No disinfected C:\WINDOWS\SYSTEM32\tksrv99.exe
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/admess No disinfected C:\WINDOWS\SYSTEM32\WStart.dll
Adware:adware/mediatickets No disinfected Windows Registry
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxgame6.exe
Virus:Trj/Agent.AFI Disinfected C:\WINDOWS\system32\vxh8jkdq2.exe
Adware:Adware/Admess No disinfected C:\WINDOWS\system32\WStart.dll
====================================================

Overall, my computer is acting MUCH better, and the SpySheriff problems seem to have been removed.

Thank you very much, the help was greatly appreciated. I definately couldn't have done that on my own.
  • 0

#6
Rawe
Posted 05 August 2005 - 01:18 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Yes, a lot better!! ;)

Few things to do still though. We're not done yet - let's clear out rest of what's left.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\SYSTEM32\tksrv99.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".
  • Do that for the following files also. When you get to the last one, click "yes" when HJT asks you to reboot.
C:\WINDOWS\SYSTEM32\vx.tll
C:\WINDOWS\SYSTEM32\WStart.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\WStart.dll

When rebooted - Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directoy as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Post the SpySweeper session log along with a fresh Panda ActiveScan log.

- Rawe :tazz:
  • 0

#7
RamenParty
Posted 05 August 2005 - 02:01 PM

RamenParty

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the SpySweeper log:

********
4:35 PM: |··· Start of Session, August 5, 2005 ···|
4:35 PM: Spy Sweeper started
4:35 PM: Sweep initiated using definitions version 511
4:35 PM: Starting Memory Sweep
4:36 PM: Memory Sweep Complete, Elapsed Time: 00:01:14
4:36 PM: Starting Registry Sweep
4:36 PM: Found Adware: cws searchcentral.cc hijacker
4:36 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || start page (ID = 123480)
4:36 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 123482)
4:36 PM: Found Adware: purityscan
4:36 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
4:36 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
4:36 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
4:36 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
4:36 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
4:36 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
4:36 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/conflict.1/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137984)
4:36 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
4:36 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\conflict.1\mediaticketsinstaller.ocx (ID = 139075)
4:36 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
4:36 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
4:36 PM: Found Trojan Horse: trojan-backdoor-5sec
4:36 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {0656a137-b161-cadd-9777-e37a75727e78} (ID = 144013)
4:36 PM: Registry Sweep Complete, Elapsed Time:00:00:05
4:36 PM: Starting Cookie Sweep
4:36 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:36 PM: Starting File Sweep
4:37 PM: mediaticketsinstaller.inf (ID = 73158)
4:38 PM: Found Adware: cws-aboutblank
4:38 PM: backup-20050805-143407-603.dll (ID = 120274)
4:38 PM: Found Trojan Horse: vesbiz downloader
4:38 PM: abirvalg.dll (ID = 82746)
4:38 PM: File Sweep Complete, Elapsed Time: 00:01:48
4:38 PM: Full Sweep has completed. Elapsed time 00:03:12
4:38 PM: Traces Found: 73
4:39 PM: Removal process initiated
4:39 PM: Quarantining All Traces: cws searchcentral.cc hijacker
4:39 PM: Quarantining All Traces: purityscan
4:39 PM: Quarantining All Traces: trojan-backdoor-5sec
4:39 PM: Quarantining All Traces: cws-aboutblank
4:39 PM: Quarantining All Traces: vesbiz downloader
4:39 PM: Removal process completed. Elapsed time 00:00:01
********
4:33 PM: |··· Start of Session, August 5, 2005 ···|
4:33 PM: Spy Sweeper started
4:33 PM: Messenger service has been disabled.
4:35 PM: |··· End of Session, August 5, 2005 ···|

====================================================

And the Panda log:


Incident Status Location

Adware:adware/mediatickets No disinfected Windows Registry
It is great to know that my computer is getting better :tazz:
  • 0

#8
Rawe
Posted 05 August 2005 - 02:03 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Yes, we're almost there you know :tazz:

Please do the following;
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notebook onto your post
Post it along with a fresh HiJackThis log.
  • 0

#9
RamenParty
Posted 05 August 2005 - 02:08 PM

RamenParty

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Uninstall List:

Ad-Aware SE Personal
Adobe Reader 7.0
ATI Display Driver
Civilization II Multiplayer Gold Edition
CleanUp!
EclipseCrossword
ewido security suite
Google Toolbar for Internet Explorer
GTK+ 2.6.7-2 runtime environment
HijackThis 1.99.1
iTunes
Macromedia Flash MX 2004
Macromedia Shockwave Player
MapleStory
Microsoft Office Standard Edition 2003
mIRC
OIN
Panda ActiveScan
QuickTime
Search Helper
SmartDraw 7 Trial Edition
Spy Sweeper
The GIMP 2.2.7
VX2 Cleaner plug-in for Ad-Aware SE
WinRAR archiver

====================================================

Logfile of HijackThis v1.99.1
Scan saved at 5:10:46 PM, on 05/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mapleglobal.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O21 - SSODL: Civilization II Multiplayer Gold Edition - {138EFF43-E964-FBCE-88C4-23302C94BC96} - c:\program files\microprose software\civilization ii multiplayer gold edition\esayh32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#10
Rawe
Posted 05 August 2005 - 02:12 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Run HiJackThis and check the following objects for removal;

O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)

Hit "Fix Checked" and exit HJT. Then your log is clean.

Now for some preventive measures;

Let's clear out your restore points now.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. An message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".

Reboot.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".

System Restore will now be active again. :) Be sure to set a new restore point, and if you need additional help with that, here's a link; http://filext.com/in...thread.php?t=27

Here's some tips for future to prevent spyware (And make sure to read it!! ;) );

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)

Visit;
http://www.windowsupdate.com to get Service Pack 2 which is a critical update to get.. It'll increase your protection. Apply it - reboot. After that, apply ANY available critical updates. Reboot.

- Rawe :tazz:

If you want to learn how to help people with malware problems like I helped you, feel free to take a look at this thread; http://www.geekstogo...here-t4817.html
  • 0

#11
Rawe
Posted 05 August 2005 - 02:17 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hmm... Do you use OIN for something? It's kinda suspicious to me. If you don't need it, nor use it, you can uninstall it from Add/Remove programs. It's certainly not necessary program for ANYTHING.
  • 0

#12
RamenParty
Posted 05 August 2005 - 02:22 PM

RamenParty

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you so much! You really know what you are doing :tazz:

I don't need or use OIN, so I'll remove it from my programs.

And thanks for the links, I'll definately look into them so I don't have to go through this again.

Once again, you were a big help, thanks so much!
  • 0

#13
Rawe
Posted 05 August 2005 - 02:24 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Forum
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP