Author Topic: SpySheriff- a new breed?  (Read 445 times)

jester
« on: July 19, 2005, 05:29:52 AM »
Right, I have read all the SpySheriff threads and done all that was listed, as if it were a Gordon Ramsay recipe. In safe mode I am clear.

However, on normal reboot I still get an icon (red circle with a white cross) in the Notification area that flags up a message "your Computer is infected!". If I click it, all hell breaks loose on my desktop.

So this is what I did:
Downloaded all the programs + fixes
SAFE MODE

----> Cleanup


----> Ewido with all the updates etc


---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         10:53:55, 19/07/2005
 + Report-Checksum:      3D68C546

 + Scan result:

   C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.avt : Cleaned with backup
   C:\WINDOWS\installer2.exe -> TrojanSpy.Agent.dq : Cleaned with backup


::Report End





----->Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

Exit Add or Remove Programs.

Deleted the following...

C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe

-----> tried all, and combinations of

       smitfraud.reg
       Nailfix
       SmitRem

==Go to START>>>RUN>>>type in services.msc

In the next window, look on the right hand side for this service
name---- System Startup Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled (DONE)




HijackThis last scan...




Logfile of HijackThis v1.99.1
Scan saved at 10:14:02, on 19/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
O2 - BHO: (no name) - {C10D945F-2C99-5232-9AF2-5950A68F76CC} - C:\WINDOWS\System32\jviprtou.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{791735C2-FCCE-4E54-8E4E-D75B000716A0}: NameServer = 192.168.2.1
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe


Then I tried Killbox (deleted on reboot the C:\winstall.exe file)

On reboot every time I get the little icon (red circle and white cross) stating my computer is infected and SpySheriff files are back again. :(


Any ideas would be greatly appreciated.
« Last Edit: July 19, 2005, 06:23:16 AM by jester »

jester
« Reply #1 on: July 19, 2005, 01:12:02 PM »
Computer is completely buggered now. I'll have to reformat the hard drive and do a complete reinstall.

Even when not connected to the internet I get 27 new registry changes, including 180solutions hijacking my desktop.


AARRRRGGHHHHHHH!!!!!!