Author Topic: Desktop Jacked (Read 4223 times)

Majic Mushroom
Desktop Jacked
« on: May 28, 2005, 07:22:10 PM »
Well, I finally got a program to clean my cpu up and everything. Yet just today I was searching online and my internet shut down and my desktop changed to this ugly bright blue background with a message in the middle that says:
"System Stopped
System has been stopped due to a serious malfunction.
Spyware activity has been detected.
It is recommended to use spyware removal tool to prevent data loss.
Do not use the computer before all spyware removed."

Also, whenever I turn on my CPU this annoying program called SpySheriff loads and starts to scan my CPU despite the fact that I've already uninstalled and deleted it.

Here's a HijackThis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\Owner\LOCALS~1\Temp\kavss.exe
C:\Documents and Settings\Owner\Desktop\Gaming\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2005\SCActiveBlock.dll
O2 - BHO: (no name) - {2509336E-A90F-3345-5E04-5BEEC7962994} - (no file)
O2 - BHO: (no name) - {E32BF672-6423-A618-5F46-6534984AD748} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aw5nRfGEU] ir4cm32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O20 - AppInit_DLLs: j7ow4kwxkfceg1l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O21 - SSODL: System - {B4E841EB-24E6-404C-AF0E-B544B655B9A8} - vr_sys.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Tenebril antispyware satellite - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe


And here's a MicroWorld AntiVirus log:

File C:\WINDOWS\System32\j7ow4kwxkfceg1l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System\svchost.dll infected by "Trojan-Proxy.Win32.Agent.ex" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\j7ow4kwxkfceg1l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\hgnykfzy.sys infected by "Trojan.Win32.Agent.aw" Virus! Action Taken: No Action Taken.
Object "BroadcastPC Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CoolWebSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "DyFuCA Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xhrmy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "eZula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "eZula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "eZula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "eZula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\HP\Digital Imaging\hpis\temp\Install.wse.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\HP\Digital Imaging\hpis\temp\config.ini". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "c:\Program Files\HP\Digital Imaging\hpis\temp\templates.zip". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\msxml3a.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\RedHawke\ORD Mandell\RH-ORDMandellReadme.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ipreg32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\GToolbar\BarControl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0514B040-84EA-11D0-A8BF-00A0C9008A48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0B6DC6EE-C4FD-11d1-819A-00C04FB69B4D}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B56A7D7D-6927-48C8-A975-17DF180C71AC}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BFFFD262-7705-11D0-B5DC-444553540000}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5665-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA566B-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5671-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5677-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA567D-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5683-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5689-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA568F-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5695-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA569B-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56A1-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56A7-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56AD-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56B3-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56B9-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56BF-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56C5-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56CB-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56D1-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56D7-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56DD-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56E3-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56E9-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56EF-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56F5-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA56FB-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5701-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5707-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA570D-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5713-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA571F-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA572B-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5731-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5737-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA573D-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5749-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA574F-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5755-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA575B-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5767-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA5791-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA57E5-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3CA57EB-C5DA-11CF-8F28-00AA0060FD48}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\BackWeb.ClientExt.1" refers to invalid object "{02EB961B-BB6D-44b6-B5F6-BC6D1506EF2F}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\DAIE.DownloadAcceleratorIE" refers to invalid object "{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}". Action Taken: No Action Taken.
Entry "HKCR\DAIE.DownloadAcceleratorIE.1" refers to invalid object "{5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\ImageReady.Application.1" refers to invalid object "{52F2F130-2BC5-11D2-8FB7-000000000000}". Action Taken: No Action Taken.
Entry "HKCR\JavaPlugin" refers to invalid object "{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}". Action Taken: No Action Taken.
Entry "HKCR\JavaPlugin.142" refers to invalid object "{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Popup.Pop" refers to invalid object "{A9AEE0DD-89E1-40EE-8749-A18650CC2175}". Action Taken: No Action Taken.
Entry "HKCR\Popup.Pop.1" refers to invalid object "{A9AEE0DD-89E1-40EE-8749-A18650CC2175}". Action Taken: No Action Taken.
Entry "HKCR\RealDownloadExpress.IE" refers to invalid object "{56336BCB-3D8A-11d6-A00B-0050DA18DE71}". Action Taken: No Action Taken.
Entry "HKCR\RealDownloadExpress.IE.1" refers to invalid object "{56336BCB-3D8A-11d6-A00B-0050DA18DE71}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
Entry "HKCR\SWCtl.SWCtl" refers to invalid object "{166B1BCA-3F9C-11CF-8075-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\SWCtl.SWCtl.1" refers to invalid object "{166B1BCA-3F9C-11CF-8075-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\SWCtl.SWCtl.7" refers to invalid object "{166B1BCA-3F9C-11CF-8075-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\SWCtl.SWCtl.8" refers to invalid object "{166B1BCA-3F9C-11CF-8075-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\SWCtl.SWCtl.8.5" refers to invalid object "{166B1BCA-3F9C-11CF-8075-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\SWCtl.SWCtl.8.5.1" refers to invalid object "{166B1BCA-3F9C-11CF-8075-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\HLInstaller3.exe tagged as "not-a-virus:AdWare.MDH.a". Action Taken: No Action Taken.
File C:\WINDOWS\zona02.exe infected by "Trojan.Win32.Regger.j" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\3vsgf6i3jfv9.dll infected by "Trojan-Downloader.Win32.Small.rr" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\abc.exe infected by "Trojan-PSW.Win32.LdPinch.os" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\sysdebug32.exe infected by "Trojan-Clicker.Win32.VB.dn" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\tcposmod.exe infected by "Backdoor.Win32.DSSdoor.b" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\vxgamet1.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\6QJJ947V\AproposClientInstaller[1].exe infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\6QJJ947V\package_adp_SIAC[1].exe tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\6QJJ947V\page1[1].htm infected by "Trojan-Downloader.JS.Psyme.an" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\6QJJ947V\prompt[1].htm infected by "Trojan-Downloader.JS.IstBar.k" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\6QJJ947V\prompt[2].php infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\6QJJ947V\vxxv[2].php infected by "Trojan-Clicker.JS.Linker.j" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\87YVQW46\optimize313[1].exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\87YVQW46\web[4].htm infected by "Trojan-Downloader.VBS.Psyme.ap" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\87YVQW46\win32[1].exe infected by "Trojan-Downloader.Win32.Small.agq" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\JRYOMRMP\prompt[1].htm infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\JRYOMRMP\web[1].htm infected by "Trojan-Downloader.VBS.Small.p" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\JRYOMRMP\web[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\PHW6JAFY\abc[1].exe infected by "Trojan-PSW.Win32.LdPinch.os" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\PHW6JAFY\counter[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\PHW6JAFY\index[18].htm infected by "Exploit.VBS.Phel.a" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\PHW6JAFY\tct101[1].dll infected by "Trojan-Downloader.Win32.Dyfuca.eg" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\PHW6JAFY\ysb_prompt[1].htm infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\PHW6JAFY\z[1].exe infected by "Trojan.Win32.WebSearch.j" Virus! Action Taken: No Action Taken.

Please help, thanks.
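
The helpers in this thread read a HijackThis log by eye for a handful of tells: an svchost.exe started from outside System32 (the O4 WindowsUpdate entry), bare filenames in Run keys and startup folders, the block of O15 Trusted Zone additions, a populated AppInit_DLLs line, a service with no publisher. The Python script below applies those same rules of thumb mechanically. It is an added example, not part of this thread and not a HijackThis feature; the sample log is a constructed subset of lines modelled on the log above, the severities are heuristic, and it assumes Windows lives in C:\WINDOWS.

```python
"""Heuristic triage of HijackThis O4/O15/O20/O21/O23 lines (added example, not a HijackThis feature)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines in HijackThis v1.99 format, modelled on the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aw5nRfGEU] ir4cm32.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: Organize.lnk = ?
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O20 - AppInit_DLLs: j7ow4kwxkfceg1l.dll.dll.dll
O21 - SSODL: System - {B4E841EB-24E6-404C-AF0E-B544B655B9A8} - vr_sys.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: gyotoegnnkkl - Unknown - C:\WINDOWS\System32\dtxptyex5.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# First executable-looking token of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|pif|bat|dll))"?', re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"  # assumption: Windows installed in C:\WINDOWS, as in the log above


@dataclass
class Finding:
    section: str
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


def _o4_target(body: str) -> Optional[str]:
    """Return the executable an O4 autorun entry points at, or None if it cannot be told."""
    if "]" in body:                                   # HKLM\..\Run: [Name] <command line>
        command = body.split("]", 1)[1].strip()
    else:                                             # Startup: file  |  Startup: x.lnk = target
        command = body.split(":", 1)[1].strip()
        if " = " in command:
            command = command.split(" = ", 1)[1].strip()
    m = EXE_RE.match(command)
    return m.group(1) if m else None


def triage(log_text: str) -> list:
    """Apply the rules of thumb a log helper uses; returns Findings, never a verdict."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            target = _o4_target(body)
            if target is None:
                continue
            low = target.lower()
            if "\\" not in low:
                findings.append(Finding(sec, "medium", "autorun entry is a bare filename; the file actually run depends on PATH search", line))
            elif low.endswith("\\svchost.exe") and not low.startswith(SYSTEM32):
                findings.append(Finding(sec, "high", "svchost.exe started from outside System32", line))
            elif low.count("\\") == 1:
                findings.append(Finding(sec, "medium", "executable dropped in the root of the drive", line))
        elif sec == "O15":
            findings.append(Finding(sec, "medium", "IE Trusted Zone entry: content from this site runs with relaxed security settings", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(Finding(sec, "high", "AppInit_DLLs set: the DLL is loaded into every process that loads user32.dll", line))
        elif sec == "O21":
            findings.append(Finding(sec, "medium", "ShellServiceObjectDelayLoad entry loaded by Explorer at logon", line))
        elif sec == "O23" and " - Unknown - " in body:
            findings.append(Finding(sec, "low", "service with no publisher information", line))
    return findings


def summary(findings) -> dict:
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

A flagged line is a starting point for checking the file's publisher, location and age, not a removal instruction; legitimate drivers (ALCXMNTR.EXE, VTTimer.exe) also appear as bare filenames.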

Cretemonster
Desktop Jacked
« Reply #1 on: May 30, 2005, 08:26:05 AM »
Is that the entire log from MWAV??

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Post a fresh HijackThis log and I should have a response fixed up by that time!

Majic Mushroom
Desktop Jacked
« Reply #2 on: May 31, 2005, 12:48:18 AM »
Well, thank you Cretemonster. After doing what you've said, it appears that I have momentarily recovered my real desktop. However, the stupid SpySheriff program, the cause of this desktop.html hijack, always installs itself on my cpu no matter how many times I uninstall it.
Here's the HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 10:44:27 PM, on 5/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Windows\Creator\Remind_XP.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Atmmqdk\Whcpqki.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\GhostSurf 2005\DeleteSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Gaming\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2005\SCActiveBlock.dll
O2 - BHO: (no name) - {2509336E-A90F-3345-5E04-5BEEC7962994} - (no file)
O2 - BHO: (no name) - {E32BF672-6423-A618-5F46-6534984AD748} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [sljmabyv] C:\WINDOWS\System32\sljmabyv.exe
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Kzewlrf] C:\Program Files\Atmmqdk\Whcpqki.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DllCacher] C:\WINDOWS\System32\dllcache.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: AutoTBar.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: winlogin.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: j7ow4kwxkfceg1l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tenebril antispyware satellite - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe
O23 - Service: gyotoegnnkkl - Unknown - C:\WINDOWS\System32\dtxptyex5.exe

Cretemonster
Desktop Jacked
« Reply #3 on: May 31, 2005, 03:14:31 AM »
Would you run the MicroWorld scan once more and post those results!

I want to make sure I am getting everything!

List all entries that return like this

infected by "<Infection Name>" Virus! Action Taken: No Action Taken.

Also, update HijackThis to 1.99.1. To do this:

Open HijackThis>>Click Config>>Misc Tools>>Scroll the list there and locate Check for Update Online!!
« Last Edit: May 31, 2005, 03:20:47 AM by Cretemonster »

Guest
Desktop Jacked
« Reply #4 on: June 03, 2005, 04:34:07 PM »
As from today it is very straightforward to get rid of "SPYWARENO!"/"SpySheriff" and all viruses (TROJAN/BACKDOOR/.....) related to this.

You get this when you hit a warez website (commonly crackspider.com). It hijacks your desktop and Task Manager and makes your system run sluggishly slow. It also runs SpySheriff as a program and you cannot uninstall it correctly; Windows Explorer keeps closing down due to errors.

I tried everything to get rid of these manually, from renaming and trying to delete the files to even editing MSCONFIG and running REGEDIT. Even this doesn't work (I have a degree in computer technics, or as it is called today).

To get rid of this you need the new Ad-Aware 1.06SE Personal with the new definition files updated. Now scan your computer and after the scan it will prompt you to quarantine the recognized registry values found that can harm your computer. Follow the on-screen instructions and the virus and SpySheriff/SpywareNO! will be deleted. This is not complicated, as my mother at 78 years old can do it!

Hope this info is helpful to those of you having trouble.
I am trying to contact Jessica Simmons (the gaffer of this SpySheriff who has her head up her arse) but there is no reply (GUILTY CONSCIENCE, I think).

Chris Rogers
[email protected]

alexu
Desktop Jacked
« Reply #5 on: June 13, 2005, 05:05:28 AM »
hahaha
cretemonster, you are always asking something because you don't know how to help? :D

Lavasoft Ad-Aware SE 1.06 is not working.
In safe mode I cleaned everything with Lavasoft, but in normal mode the program freezes when "scanning memory".

So, anyone else could help?

Guest
Desktop Jacked
« Reply #6 on: June 18, 2005, 06:02:36 PM »
Yes, the Ad-Aware method works for me. Now I don't see that ugly annoying background and it got rid of that program :D :D