Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spysheriff [resolved]


  • This topic is locked This topic is locked

#1
tunidawn

tunidawn

    New Member

  • Member
  • Pip
  • 7 posts
Spysheriff attacked my computer. I did all the stuff it says to do on " You Must Read This Before Posting A Hijackthis Log, Required steps before posting your log."
Clean up
Ad-aware SE
CWShredder
Spybot S&D
Ewido Security Suite
Windows Update

I did everything while in safe mode (including the downloading) because I couldn't really get anything done otherwise. I don't know if that really matters. Anyways, after all is done, most stuff seems toe be ok and I'm back in my normal windows but I still can't access the task manager. The popup says it has been disabled by the administor as it did when I when I was really infected. Also I can't change my desktop background which I heard is a common side effect of the spysheriff. Also, when I first load into windows I get 2 popups that read:
1. "Error loading D:\WINDOWS\cpu.dll
The specified module could not be found."
2. "Windows cannot find "C:\WINDOWS\System32\divxenc.exe." Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click Search."

Thanks in advance for any help.

Logfile of HijackThis v1.99.1
Scan saved at 2:02:14 AM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\load.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [AVShell] C:\WINDOWS\System32\load.exe
O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [Service Process] C:\WINDOWS\system32\config\service.exe
O4 - HKLM\..\Run: [Instance 001] c:\sys1367017508.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Lcuhpkki] C:\WINDOWS\System32\?ti2evxx.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [divx] "C:\WINDOWS\System32\divxenc.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125372499765
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: AOL Instant Messenger - {F430CAD2-C18F-5523-690A-AB76EA020655} - c:\program files\aim95\wincujbd32.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\ijddnldl.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Mqhage32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by tunidawn, 30 August 2005 - 01:08 AM.

  • 0

Advertisements


#2
tunidawn

tunidawn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I also noticed OIN in the add/remove programs where the only way to remove it is to download the uninstall which I won't do. Help with that removal would be great also.
  • 0

#3
tunidawn

tunidawn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I'm reposting this because I stupidly replied to my original post (before I read that we're not supposed to do that) to add something and now I'm getting no help. My original post:

Spysheriff attacked my computer. I did all the stuff it says to do on " You Must Read This Before Posting A Hijackthis Log, Required steps before posting your log."
Clean up
Ad-aware SE
CWShredder
Spybot S&D
Ewido Security Suite
Windows Update

I did everything while in safe mode (including the downloading) because I couldn't really get anything done otherwise. I don't know if that really matters. Anyways, after all is done, most stuff seems toe be ok and I'm back in my normal windows but I still can't access the task manager. The popup says it has been disabled by the administor as it did when I when I was really infected. Also I can't change my desktop background which I heard is a common side effect of the spysheriff. Also, when I first load into windows I get 2 popups that read:
1. "Error loading D:\WINDOWS\cpu.dll
The specified module could not be found."
2. "Windows cannot find "C:\WINDOWS\System32\divxenc.exe." Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click Search."

I reran all of the scans (in normal Windows) and took a fresh HJT log which is posted below.

I also noticed OIN in my add/remove programs and would like to get rid of that as well.

Thanks in advance for any help.

Logfile of HijackThis v1.99.1
Scan saved at 2:02:14 AM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\load.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [AVShell] C:\WINDOWS\System32\load.exe
O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [Service Process] C:\WINDOWS\system32\config\service.exe
O4 - HKLM\..\Run: [Instance 001] c:\sys1367017508.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Lcuhpkki] C:\WINDOWS\System32\?ti2evxx.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [divx] "C:\WINDOWS\System32\divxenc.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125372499765
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: AOL Instant Messenger - {F430CAD2-C18F-5523-690A-AB76EA020655} - c:\program files\aim95\wincujbd32.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\ijddnldl.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Mqhage32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#4
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome tunidawn to Geeks to Go!

You have a lot more trouble than 'just' Spysheriff.

Use another computer to change all passwords, notify police and your bank if you do online banking. Be sure to use this computer only to visit this topic and clean the computer.


Download ZoneAlarm free firewall.

Allow access on a case to case base.


Download the SSA cleaner and let it run.


I'll prepare a cleaning advise in the meantime.
  • 0

#5
tunidawn

tunidawn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks for the response...I'm following your instructions right away.
  • 0

#6
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Go to start - run
type the following lines, press ok after each one.

regsvr32.exe /u /s C:\WINDOWS\cpu.dll

regsvr32.exe /u /s C:\WINDOWS\SYSTEM32\tcpG4T.dll

regsvr32.exe /u /s C:\WINDOWS\System32\ijddnldl.dll

regsvr32.exe /u /s C:\WINDOWS\System32\Mqhage32.dll

Grant permission when asked to.

***

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find

Loading Outpost Connections

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.

***

Open HijackThis
click on "None of the above, just start the program".
click on the "Config" button (bottom right),
click on "Misc Tools"
click on "Delete an NT Service" (a window will pop up)
Enter the below item into that field (make sure there are NO spaces before or after the name):

Loading Outpost Connections (KDE)

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.


***

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
***

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

c:\windows\system32\mdms.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\System32\load.exe
C:\WINDOWS\System32\msupdate32.exe
C:\WINDOWS\system32\config\service.exe
c:\sys1367017508.exe
C:\WINDOWS\cpu.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
C:\WINDOWS\System32\symcsvc.exe
C:\winstall.exe
C:\WINDOWS\tool2.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
C:\WINDOWS\System32\divxenc.exe
C:\WINDOWS\SYSTEM32\tcpG4T.dll
C:\WINDOWS\System32\ijddnldl.dll
C:\WINDOWS\System32\Mqhage32.dll
C:\WINDOWS\System32\cmdtel.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Then run HijackThis, click Scan, and place a checkmark by the following item:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe

O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe

O4 - HKLM\..\Run: [AVShell] C:\WINDOWS\System32\load.exe

O4 - HKLM\..\Run: [winsock32] msupdate32.exe

O4 - HKLM\..\Run: [Service Process] C:\WINDOWS\system32\config\service.exe

O4 - HKLM\..\Run: [Instance 001] c:\sys1367017508.exe

O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe

O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe

O4 - HKCU\..\Run: [Lcuhpkki] C:\WINDOWS\System32\?ti2evxx.exe

O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

O4 - HKCU\..\Run: [divx] "C:\WINDOWS\System32\divxenc.exe"

O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll

O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\ijddnldl.dll (file missing)

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Mqhage32.dll (file missing)

O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)

Close all open windows except for HijackThis and click Fix Checked.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the report and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
  • 0

#7
tunidawn

tunidawn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I did everything you told me to up to the Killbox step. I deleted the files you told me to (some of them were already gone) and rebooted. When I loaded into safe mode I couldn't run anything except internet explorer. I can't run HJT or ewido or other programs. So what to do now? I'm thinking at this point perhaps I should just call it quits and reformat? :tazz:
  • 0

#8
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
If you choose to do a reformat, do a clean install (remove everything, make new partitions, format, the works).

Run HijackThis, Ewido and Smitrem in normal mode. Let's see what we can do.
  • 0

#9
tunidawn

tunidawn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Yea I couldn't run anything in even normal mode so I'm just gonna wipe everything and start with a clean slate. Thanks anyways for the help but I have a feeling that no matter what we did, there'd always be SOMETHING hiding in my computer. Better to just reformat and be safe than sorry.
  • 0

#10
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Be sure to do a really clean install then (ask for help on the Windows XP forum if you need it).

You did inform the financial compagnies and the police?

I'm sorry this happend. I'll post you some tips to secure the computer once you formatted.

Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware – Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.


Good luck!
  • 0

#11
tunidawn

tunidawn

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Will do, thanks again for all of your help!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP