Author Topic: spysheriff removal plz? Log is there.  (Read 2549 times)

Offline karnage

  • Newbie
  • *
  • Posts: 22
  • Karma: +0/-0
spysheriff removal plz? Log is there.
« on: June 19, 2005, 12:58:44 AM »
I followed the instructions by Cretemonster, but didn't realize that the instructions were specific to another infected user.
I have the desktop back to normal. I am just looking for confirmation that SpySheriff is gone?? Thanks

Here is a HijackThis log, and below that is the ActiveScan by Panda Software:

Logfile of HijackThis v1.99.1
Scan saved at 3:54:14 PM, on 19/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1043fm.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ozemail.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.1;192.168.1.2;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EkMV÷h$vùõš/‚²‘ÆßfC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lgpqslwi.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lgpqslwi.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C524245-1E41-4470-BE3B-ED5273702536}: NameServer = 203.9.148.7
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\Navnt\rtvscan.exe


ActiveScan is not looking good (I think):


Incident                      Status            Location

Adware:Adware/SaveNow         No disinfected    Windows Registry
Adware:Adware/MyWay           No disinfected    C:\Program Files\MyWay
Adware:Adware/nCase           No disinfected    C:\WINDOWS\Downloaded Program Files\ClientAX.inf
Adware:Adware/FlashTrack      No disinfected    C:\PROGRA~1\FlashGet\jccatch.dll
Spyware:Spyware/Dyfuca        No disinfected    Windows Registry
Adware:Adware/KeenValue       No disinfected    C:\WINDOWS\browserxtras\pn\remove.exe
Adware:Adware/PowerScan       No disinfected    Windows Registry
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Fun & Games\Betting.lnk
Adware:Adware/FunWeb          No disinfected    C:\Program Files\FunWebProducts
Adware:Adware/SideFind        No disinfected    Windows Registry
Adware:Adware/WhenUSearch     No disinfected    C:\Program Files\Common Files\Whenu
Adware:Adware/MyWebSearch     No disinfected    C:\Program Files\MyWebSearch
Adware:Adware/AzeSearch       No disinfected    Windows Registry
Virus:Trj/Dowcen.A            Disinfected       Operating system
Adware:Adware/SpywareNo       No disinfected    Windows Registry
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Living\Dating.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Living\Find a Degree.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Living\Find a job.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Living\Home.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Living\Insurance.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Books.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Computers.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Discount.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Golf.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Movies.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Music.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS             No disinfected    C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Technology\Tech & gadgets.lnk
Possible Virus.               No disinfected    C:\Downloads\hjsplit.zip[hjsplit.exe]
Adware:Adware/WhenUSearch     No disinfected    C:\Program Files\Common Files\WhenU\EmbedSE.dll
Adware:Adware/nCase           No disinfected    C:\Program Files\Microsoft AntiSpyware\Quarantine\42C3BD9C-F333-4EDF-94D2-C90591\4A176CB4-B7EA-4A61-8811-E3379C
Adware:Adware/AzeSearch       No disinfected    C:\Program Files\Microsoft AntiSpyware\Quarantine\88182ED5-49BB-4C20-905D-AADF29\3B7D7DF3-A849-49A7-928F-771F57
Adware:Adware/AzeSearch       No disinfected    C:\Program Files\Microsoft AntiSpyware\Quarantine\88182ED5-49BB-4C20-905D-AADF29\D4507A81-0926-4D34-A5E2-02F34B
Spyware:Spyware/BargainBuddy  No disinfected    C:\Program Files\Microsoft AntiSpyware\Quarantine\B103A443-8625-4EC9-B06D-45A7BA\509C5C57-2974-42F1-B49A-CAFE65
Possible Virus.               No disinfected    C:\Program Files\Multimedia\HJ-Split\hjsplit.exe
Adware:Adware/KeenValue       No disinfected    C:\WINDOWS\browserxtras\pn\remove.exe
Adware:Adware/nCase           No disinfected    C:\WINDOWS\Downloaded Program Files\ClientAX.inf
Adware:Adware/FunWeb          No disinfected    C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf

Any help would be greatly appreciated :) Thanks
« Last Edit: June 20, 2005, 01:16:33 AM by karnage »
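As an added example (not part of this thread, and not code from HijackThis, Ewido or Panda), here is a small Python triage script for the log format above. It parses HijackThis R*/O* lines and flags the kinds of entries a log reader would pick out of this post: a Run value whose name is binary garbage and whose command is a random-named executable dropped straight into C:\WINDOWS, orphaned "(no file)" BHO/toolbar/search-hook entries, a site added to the IE Trusted Zone, and a hard-coded NameServer. The sample lines are copied from the log in the first post; the heuristics (the name-pattern regex, the ISTsvc string match, the reason texts) are the example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis 1.99-style log for the suspicious entry types seen above.

Added example, not part of the original thread or of HijackThis. The sample
lines below are copied from the log posted in this thread; the heuristics are
this example's own assumptions.
"""
import re

# Sample input: lines taken verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [EkMV÷h$vùõš/‚²‘ÆßfC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lgpqslwi.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C524245-1E41-4470-BE3B-ED5273702536}: NameServer = 203.9.148.7
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
R3 - URLSearchHook: (no name) -  - (no file)
"""

# "O4 - HKLM\..\Run: [value name] command line"
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>.*)\] (?P<cmd>.*)$")
# Assumption: an .exe with a 6-12 character alphanumeric name sitting directly
# in the Windows root (not system32) is worth a second look.
WINROOT_EXE_RE = re.compile(r'^"?C:\\WINDOWS\\[A-Za-z0-9]{6,12}\.exe"?', re.I)


def parse_log(text):
    """Yield (section, body) for every HijackThis R*/O* line in text."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def o4_findings(body):
    """Return the list of reasons an O4 (autostart) entry looks suspicious."""
    m = O4_RE.match(body)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    # Legitimate Run value names are plain ASCII; control or non-ASCII bytes
    # in the name (as in the two ISTsvc entries above) are a red flag.
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        reasons.append("non-ASCII or control characters in Run value name")
    if "istsvc" in name.lower() or "istsvc" in cmd.lower():
        reasons.append("references ISTsvc (ISTbar adware loader)")
    if WINROOT_EXE_RE.match(cmd):
        reasons.append("random-named executable directly in C:\\WINDOWS")
    return reasons


def triage(text):
    """Return [(section, body, [reasons])] for every entry worth a closer look."""
    hits = []
    for sec, body in parse_log(text):
        reasons = []
        if sec == "O4":
            reasons = o4_findings(body)
        elif sec in ("O2", "O3", "R3") and "(no file)" in body:
            reasons.append("orphaned entry with (no file): leftover of removed adware, safe to fix")
        elif sec == "O15":
            reasons.append("site added to IE Trusted Zone: weakens browser security for that host")
        elif sec == "O17":
            reasons.append("hard-coded DNS server: confirm it belongs to the ISP, not a hijacker")
        if reasons:
            hits.append((sec, body, reasons))
    return hits


if __name__ == "__main__":
    for sec, body, reasons in triage(SAMPLE_LOG):
        print(f"{sec}: {body}")
        for r in reasons:
            print(f"    -> {r}")
```

Running it against the sample prints the O3, the garbled ISTsvc O4, the O15, the O17 and the R3 lines with their reasons, and leaves the Adobe BHO, the vptray Run entry and the Symantec service alone. The O17 check is deliberately only a prompt to verify: in this log the NameServer and the ProxyServer both sit in the user's ISP space, so it is not a finding on its own.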

Offline karnage

  • Newbie
  • *
  • Posts: 22
  • Karma: +0/-0
spysheriff removal plz? Log is there.
« Reply #1 on: June 20, 2005, 01:17:12 AM »
bump

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
spysheriff removal plz? Log is there.
« Reply #2 on: June 20, 2005, 01:21:51 AM »
Thanks for the bump and patience.
I won't have time to look at your log right now, but I'll make sure I look at it first thing when I get off work tomorrow.
Hope you can wait.

We do have some cleanup left to do :D >>> :(
« Last Edit: June 20, 2005, 01:22:33 AM by guestolo »



Offline karnage

  • Newbie
  • *
  • Posts: 22
  • Karma: +0/-0
spysheriff removal plz? Log is there.
« Reply #3 on: June 20, 2005, 03:28:42 AM »
Thanks for your help. I'll be eagerly waiting. Thanks Guestolo.
Here is more info:

Ewido Full PC Scan:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         7:39:04 PM, 20/06/2005
 + Report-Checksum:      9F53940

 + Date of database:      19/06/2005
 + Version of scan engine:   v3.0

 + Duration:            40 min
 + Scanned Files:         75045
 + Speed:            30.56 Files/Second
 + Infected files:         9
 + Removed files:         9
 + Files put in quarantine:      9
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\
   G:\

 + Scan result:
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\vas@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\vas@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\vas@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\vas@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\vas@S002-00-7-6-156149-16089[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\WINDOWS\Temp\APQ23.tmp -> TrojanDownloader.IstBar.is -> Cleaned with backup
   C:\WINDOWS\Temp\APQ24.tmp -> Trojan.Patcher.a -> Cleaned with backup


::Report End

And the Uninstall list from HijackThis:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 7.0
Adobe Reader 7.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVI Joiner version 1.0
Basketball Playbook 008
CleanUp!
CloneCD
ClonyXXL
Codec Pack - All In 1 6.0.2.3
Command & Conquer Generals
Command and ConquerTM Generals Zero Hour
DivX Player
DivxToDVD 0.5.2b
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Dynalink RTA100+ USB
EA Network Play System
EA SPORTS online 2005
EasyCleaner
ES C41 Problem Solver
ESPNMotion
ewido security suite
Express Setup
FlashGet(JetCar)
HijackThis 1.99.1
HJ-Split 2.2
hp deskjet 3500
hp deskjet 3500 series
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
HP Software Update
ICQ 4.1
InCD (Ahead Software)
Java 2 Runtime Environment Standard Edition v1.3.0_01
LimeWire
LiveUpdate
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
MSN Messenger 7.0
Musicmatch® Jukebox
Mustek 1200 UB Plus v1.3
Nero 6 Ultra Edition
NeroVision Express 3
Norton AntiVirus Corporate Edition 7.0 for Windows NT
NVIDIA Drivers
NVIDIA Windows 2000/XP nForce Drivers
PowerDVD
QuickTime
ReNamer 1.80
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896428)
Texas Hold 'Em
VSO CopyToDVD 3
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Series TweakMP PowerToy
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Zero Hour : Reloaded
« Last Edit: June 20, 2005, 06:58:38 AM by karnage »

Offline karnage

  • Newbie
  • *
  • Posts: 22
  • Karma: +0/-0
spysheriff removal plz? Log is there.
« Reply #4 on: June 20, 2005, 07:02:17 AM »
And another Ewido startup scan. Thanks for taking the time to look :)


---------------------------------------------------------
 ewido security suite - Startup report
---------------------------------------------------------

 + Created on:         6:50:23 PM, 20/06/2005
 + Report-Checksum:      8CA1C82

Reg\HKLM\Run         vptray                                   C:\Program Files\Navnt\vptray.exe
Reg\HKLM\Run         HPDJ Taskbar Utility                     C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
Reg\HKLM\Run         DIGStream                                C:\Program Files\DIGStream\digstream.exe
Reg\HKLM\Run         gcasServ                                 "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Reg\HKLM\Run         Parallel Tasking                         C:\Program Files\Parallel Tasking\ptask.exe
Reg\HKLM\Run         QuickTime Task                           "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run         ATIPTA                                   C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Reg\HKLM\Run         EkMV÷h$vùõš/‚²‘ÆßfC:\Program Files\ISTsvc\istsvc.exe C:\WINDOWS\lgpqslwi.exe
Reg\HKLM\Run         Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe C:\WINDOWS\lgpqslwi.exe
Reg\HKLM\Run         mmtask                                   "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
Reg\HKLM\Run         NeroFilterCheck                          C:\WINDOWS\system32\NeroCheck.exe
Shell\CommonStartup  Adobe Reader Speed Launch.lnk            C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
Shell\CommonStartup  Microsoft Office.lnk                     C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
spysheriff removal plz? Log is there.
« Reply #5 on: June 20, 2005, 07:32:01 PM »
Let's try some additional cleanup on this machine

I'm not sure if you download Killbox
So here's the link again
==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Also, could you download FxIstbar.exe from the link and save to desktop
http://securityresponse.symantec.com/avcenter/FxIstbar.exe

Please print this next set of instructions or save them to a Notepad file on the Desktop for reference

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

*Copy the file paths below to the clipboard by highlighting ALL of them and pressing
 CTRL + C

Killbox file paths to copy to clipboard between dotted lines
===========================================
C:\WINDOWS\Downloaded Program Files\ClientAX.inf
C:\WINDOWS\browserxtras\pn\remove.exe
C:\Program Files\Common Files\WhenU\EmbedSE.dll
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
C:\WINDOWS\lgpqslwi.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Fun & Games
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Going Places
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Living
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Technology

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.
Don't worry about any file not found messages

If your computer does not restart automatically, please restart it manually.  

While your computer is restarting, tap the F8 key continually until a menu appears.  Use your up arrow key to highlight Safe Mode, then hit enter.


*Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

In SAFE MODE

Using Windows Explorer, Manually navigate and delete folders if found
Don't do a search for them, manually look for them

C:\Program Files\Common Files\WhenU
C:\Program Files\ISTsvc
C:\Program Files\Parallel Tasking
C:\Program Files\MyWay
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
If you didn't remove the SpySheriff folder, delete it too if found

The next ones should be gone, but take a look anyways to ensure they've been removed
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Fun & Games
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Going Places
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Living
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Shop
C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Favorites\Technology

Remain in safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)

O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)

O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe

O4 - HKLM\..\Run: [EkMV÷h$vùõš/‚²‘ÆßfC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lgpqslwi.exe
O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lgpqslwi.exe

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Can you now try running the FxIstbar from Symantec, let it scan your drive
When it's done, if it finds anything and you have the opportunity to save a log
Could you please

Restart back to Normal mode

Back in Windows
If prompted at anytime about a change with Microsoft Anti-Spyware
Please ALLOW the changes so it won't interfere with any fixes we are trying to do

You've chosen to run two good Spyware software programs
Ad-Aware and MAS
And of Course Ewido, which is another great tool
You should also take this opportunity to also run this tool
SPYBOT 1.4
Download and Install Spybot S&D 1.4
From the above link or HERE
Don't activate the Tea Timer when installing, it's a feature similar to MAS's Realtime protection. It may get in the way of any fixes we still might have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected problems in RED

RESTART the computer to finish the cleaning process

Back in Windows
Could you run another scan with Hijackthis and post a fresh log
If FxIstbar.exe found anything and you saved a log, could you post it too, thanks
« Last Edit: June 20, 2005, 07:47:12 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/

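The two O4 entries guestolo has the poster tick share three tells: a value name made of garbled bytes, a name that itself embeds a file path, and a command pointing at a file on the removal list. Here is an added Python example (not code from the thread, nor from HijackThis or ewido) that checks HijackThis O4 lines for those tells; the sample lines are copied from this thread's logs and the path list comes from the fix instructions above.

```python
"""Flag suspicious HijackThis O4 (autorun) entries. Added example, not code
from the thread or from HijackThis/ewido; sample lines are copied from this
thread's logs and KNOWN_BAD lists the files guestolo told the poster to delete."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shape of an O4 registry line: O4 - HKLM\..\Run: [ValueName] C:\path\prog.exe -args
O4_RE = re.compile(r'^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<name>.*)\] (?P<cmd>.*)$')

# Autorun targets from the removal list in this thread (lower-case for matching).
KNOWN_BAD = {
    r'c:\windows\lgpqslwi.exe',
    r'c:\program files\istsvc\istsvc.exe',
    r'c:\program files\parallel tasking\ptask.exe',
}

@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)

def exe_path(cmd: str) -> str:
    """Extract the executable path from a Run value, ignoring quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                              # "C:\...\prog.exe" -args
        return cmd[1:cmd.find('"', 1)].lower()
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)      # unquoted: stop at the .exe
    return (m.group(1) if m else cmd).lower()

def check_o4(line: str) -> Optional[Finding]:
    """Return a Finding with the reasons an O4 line looks suspicious, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None                                      # not a registry O4 line (e.g. Global Startup)
    name, cmd = m.group('name'), m.group('cmd')
    f = Finding(line.strip())
    if any(ord(c) > 126 or not c.isprintable() for c in name):
        f.reasons.append('value name contains non-ASCII or non-printable bytes')
    if re.search(r'[a-z]:\\', name, re.IGNORECASE):
        f.reasons.append('value name embeds a file path')
    if exe_path(cmd) in KNOWN_BAD:
        f.reasons.append('runs a file on the removal list')
    return f if f.reasons else None

def scan(log: str) -> List[Finding]:
    """Run check_o4 over every line of a HijackThis log."""
    return [f for f in (check_o4(l) for l in log.splitlines()) if f]

# Lines copied from the logs in this thread (clean entries included as controls).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [EkMV÷h$vùõš/‚²‘ÆßfC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lgpqslwi.exe
O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lgpqslwi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"""
```

Running `scan(SAMPLE_LOG)` flags the Parallel Tasking entry once and each of the two garbled entries on all three tells, while the vptray, QuickTime and Global Startup lines pass.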

Offline karnage

  • Newbie
  • *
  • Posts: 22
  • Karma: +0/-0
spysheriff removal plz? Log is there.
« Reply #6 on: June 21, 2005, 02:10:18 AM »
thanks for your help :)
Ewido was also giving me a msg about finding a trojan. I used the block and clean feature.. I hope your instructions got rid of this too.

I followed your guide and everything came up clean. I was able to delete everything you checked in CleanUp! FxIstbar.exe was CLEAN, and Spybot 1.4 was CLEAN. I have posted a fresh HiJackThis log so you can check. And then I did another Ewido scan, which is also posted. ALSO, can you suggest anything to give me the best chance of being virus and malware free. THANKS A LOT
------------
Logfile of HijackThis v1.99.1
Scan saved at 4:59:27 PM, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1043fm.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ozemail.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.1;192.168.1.2;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C524245-1E41-4470-BE3B-ED5273702536}: NameServer = 203.9.148.7
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\Navnt\rtvscan.exe

AND:  Ewido Scan

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         6:58:06 PM, 21/06/2005
 + Report-Checksum:      AAC693BF

 + Date of database:      20/06/2005
 + Version of scan engine:   v3.0

 + Duration:            40 min
 + Scanned Files:         73234
 + Speed:            30.17 Files/Second
 + Infected files:         3
 + Removed files:         3
 + Files put in quarantine:      3
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\
   G:\

 + Scan result:
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\vas@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\vas@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\vas.VAS-YTESNNF1SB8\Cookies\vas@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End
« Last Edit: June 21, 2005, 09:34:58 AM by karnage »

Offline karnage

  • Newbie
  • *
  • Posts: 22
  • Karma: +0/-0
spysheriff removal plz? Log is there.
« Reply #7 on: June 22, 2005, 12:39:06 AM »
bump
« Last Edit: June 22, 2005, 12:39:43 AM by karnage »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
spysheriff removal plz? Log is there.
« Reply #8 on: June 22, 2005, 12:46:21 AM »
Sorry for the delay Karnage
Latest log looks good
If everything is running better
Go back and hide Hidden Files and folders

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well



Offline karnage

  • Newbie
  • *
  • Posts: 22
  • Karma: +0/-0
spysheriff removal plz? Log is there.
« Reply #9 on: June 22, 2005, 01:11:00 AM »
a BIG THANKS for your help, Guestolo. I appreciate all the help... time and effort! :) THANKS

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
spysheriff removal plz? Log is there.
« Reply #10 on: June 22, 2005, 11:12:37 PM »
karnage, I'll lock this topic as your problems appear resolved
If you need it reopened please PM a mod or the site Admin and supply a link to this thread

take care :)
