Author Topic: SpySheriff...PLEASE HELP!! (Read 1776 times)

jchyatt2 · « **on:** July 08, 2005, 06:02:36 PM »

SpySheriff has taken control of my desktop and won't give it back! Please help if you can. HijackThis log is below: Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:02:15 PM, on 7/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\msole32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\DONNA NASH\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\DONNA NASH\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp6C17.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mevgfny] c:\windows\system32\mslxdr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: ALLTEL DSL Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL...aller_2-0-0.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

guestolo · « **Reply #1 on:** July 10, 2005, 10:55:29 AM »

Sorry for the delay

If you still need a hand with your log
Can you run a fresh scan with hijackthis and post a fresh log please
Let's make sure nothing has changed

jchyatt2 · « **Reply #2 on:** July 10, 2005, 06:12:39 PM »

Hi guestolo, thanks for your reply. I am currently away from the computer that's having the problem. I will say that spysheriff (after many attempts to clean with different spyware/adware software) has finally disappeared. The background is back to normal, and internet seems to be running fine. However, now there is a blinking yellow triangle with an exclamation point in the notification area of the task bar that wont go away unless you double click it...which sends you to a random spyware software's website (RazeSpyware, NoSpyware, etc.). Also, a pop-up comes up saying that the computer is infected with spyware, click "OK" to download software to remove it. (paraphrased) Seems very sketchy to me. Nothing comes up in a norton scan, adaware se scan, or spybot scan. I will post an fresh long tonight. Thanks for your help!

Josh

jchyatt2 · « **Reply #3 on:** July 11, 2005, 09:27:34 PM »

Hey, sorry it took so long. Here's a fresh log. Anything you can help me with would be awesome! Thanks!

Josh

Logfile of HijackThis v1.99.1
Scan saved at 10:19:14 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msole32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\DONNAN~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mevgfny] c:\windows\system32\mslxdr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: ALLTEL DSL Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL...aller_2-0-0.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

guestolo · « **Reply #4 on:** July 12, 2005, 12:09:19 AM »

I know you had Ewido installed at one time, I would of liked to seen a log from it
Can you do the following please
If you still have Ewido installed Check for updates with it now, but don't run a scan yet

If you don't have it installed please do the following
==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Then I need you to download a couple more tools please

==Please download Nailfix from here:
http://www.thetechguide.com/forum/index.ph...ype=post&id=290
Unzip it to the desktop but please do NOT run it yet

==Download SmitRem.zip
UNZIP the folder within to your desktop.
We'll need this later

Access your Add/Remove programs and remove if you didn't intentionally install
Viewpoint
You may have more than one entry

==Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation
Make sure you do the next steps in Safe mode

==Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- System Startup Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe

O4 - HKLM\..\Run: [mevgfny] c:\windows\system32\mslxdr.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal

Open the SmitRem folder>>Make sure you unzipped this, then double click the RunThis.bat file to start the tool. Read and Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
Remain in safe mode if prompted
The tool will create a log named smitfiles.txt>>Located here C:\smitfiles.txt
I'll need to see it later

==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

NOTE: When Ewido is running do NOT open any other Windows
Let it do it's job

Afterwards
Restart back to Normal mode

Ensure your Anti-Virus is updated and run a full system scan

Run another scan with Hijackthis and post a fresh log
Could you also include the Report from Ewidos
Additionally include the text file from RunThis.bat>>C:\smitfiles.txt <-this log

jchyatt2 · « **Reply #5 on:** July 13, 2005, 08:51:39 PM »

I'm sorry for the delay. I'm getting married saturday, and this help is for my fiance's computer...so it's not at my house. Trying to get things wrapped up at work for a weeks vacation (honeymoon) has put me working till 8-9 every night. I'm probably not going to be able to have time/access until after I return...please understand. I'll follow the instructions when i get back, and continue this post then. Thanks for everything! I can't wait to get this thing fixed up.

Be back 7/24,
Josh

guestolo · « **Reply #6 on:** July 13, 2005, 09:01:06 PM »

Congratulations jchyatt2

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />
I'll leave this topic open for you until your return

Go get married and forget about this for a bit, you probably have enough on your mind
But try not to hesitate too long when you return

jchyatt2 · « **Reply #7 on:** August 27, 2005, 08:38:07 PM »

Hi guestsolo! I sincerely apologize for such a delayed reply. Our wedding (and honeymoon!!) went very well, and it's taken me a while to get back in the swing of things. However, i'm back, and would love to get all this resolved. I appreciate all you've done! A couple comments before i post the 3 logs you requested. After following your instructions, the following items did not show up in the hijackthis scan. I was able to "fix" the other 6 items.

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [mevgfny] c:\windows\system32\mslxdr.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Ok here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:53:55 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\eijbyyr.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\DONNAN~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [vlfpmxb] C:\WINDOWS\system32\eijbyyr.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\stubinstaller4292.exe"
O4 - Global Startup: ALLTEL DSL Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL...aller_2-0-0.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         5:16:14 PM, 8/27/2005
+ Report-Checksum:      7EE78EBB

+ Scan result:

   HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0} -> Spyware.Webhancer : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F} -> Spyware.ISTBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0} -> Spyware.WebHancer : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF} -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Cleaned with backup
   HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl\Clsid -> Spyware.MediaMotor : Cleaned with backup
   HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject -> Spyware.FizzleBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject\CLSID -> Spyware.FizzleBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject\CurVer -> Spyware.FizzleBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429} -> Spyware.ISTBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0} -> Spyware.WebHancer : Cleaned with backup
   HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Spyware.Webhancer : Cleaned with backup
   HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj\CurVer -> Spyware.Webhancer : Cleaned with backup
   HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0} -> Spyware.Webhancer : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Spyware.MediaMotor : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent -> Spyware.WebHancer : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey -> Spyware.WebHancer : Cleaned with backup
   HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
   HKLM\SOFTWARE\VGroup -> Spyware.SAHA : Cleaned with backup
   HKLM\SOFTWARE\VGroup\SAHPopup -> Spyware.SAHA : Cleaned with backup
   HKLM\SOFTWARE\webHancer -> Spyware.Webhancer : Cleaned with backup
   HKLM\SOFTWARE\webHancer\CC -> Spyware.Webhancer : Cleaned with backup
   HKLM\SOFTWARE\webHancer\ESO -> Spyware.Webhancer : Cleaned with backup
   [520] C:\WINDOWS\webhdll.dll -> Spyware.WebHancer : Cleaned with backup
   [872] C:\WINDOWS\system32\dfnobw.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna [email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\DONNA NASH\Cookies\donna nash@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\Program Files\Internet Optimizer\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
   C:\Program Files\MediaLoads\v1\ML.exe -> Spyware.DownloadWare : Cleaned with backup
   C:\Program Files\webHancer\Programs\whiehlpr.dll -> Spyware.WebHancer : Cleaned with backup
   C:\Program Files\webHancer\Programs\whSurvey.exe -> Spyware.WebHancer : Cleaned with backup
   C:\Program Files\whInstall\Webhdll.dll -> Spyware.WebHancer : Cleaned with backup
   C:\Program Files\whInstall\whiehlpr.dll -> Spyware.WebHancer : Cleaned with backup
   C:\Program Files\whInstall\whInstaller.exe -> Spyware.WebHancer : Cleaned with backup
   C:\Program Files\whInstall\WhSurvey.exe -> Spyware.WebHancer : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0015158.dll -> Spyware.Searcher : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017713.DLL -> Spyware.MyWebSearch : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017721.DLL -> Spyware.MyWebSearch : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017724.dll -> Spyware.NewDotNet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017738.dll -> Spyware.MyWebSearch : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017907.exe -> Spyware.Delfin : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017908.DLL -> Spyware.Delfin : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017909.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017910.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017913.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017914.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017915.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017916.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017917.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017918.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017919.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017922.exe -> Adware.BrilliantDigital : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017924.exe -> Trojan.TopAntiSpyware : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017925.exe -> Trojan.Puper.w : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017927.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017969.exe -> TrojanDownloader.Zlob.q : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017988.dll -> Trojan.Puper.t : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP246\A0017989.exe -> Trojan.Puper.w : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP288\A0023708.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP288\A0023712.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP288\A0023720.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP288\A0023739.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP289\A0023745.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0023771.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0023795.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0023802.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0023812.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP291\A0023829.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP292\A0023832.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP292\A0024802.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP292\A0024819.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP293\A0024839.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP293\A0024846.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP293\A0024859.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP293\A0024876.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP293\A0024877.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP293\A0024910.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP294\A0024913.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP294\A0024920.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP294\A0024929.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP294\A0024941.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP295\A0024957.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP295\A0024958.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP295\A0024964.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP295\A0024973.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP295\A0024974.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP295\A0024981.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP295\A0025045.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP296\A0025055.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP296\A0025079.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP296\A0025080.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP296\A0025081.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP296\A0025082.exe -> Trojan.Stervis.d : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP296\A0025083.dll -> Trojan.Agent.db : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP296\A0025084.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\876029.exe -> Adware.SaveNow : Cleaned with backup
   C:\WINDOWS\bundle_mediamotor1004.exe -> Adware.Saha : Cleaned with backup
   C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
   C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
   C:\WINDOWS\klgvubgcfxf.exe -> Adware.BetterInternet : Cleaned with backup
   C:\WINDOWS\NDNuninstall4_80.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\WINDOWS\NDNuninstall5_40.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\WINDOWS\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
   C:\WINDOWS\seeve.exe -> Spyware.MediaMotor : Cleaned with backup
   C:\WINDOWS\stubinstaller4292.exe -> TrojanDownloader.Small.asf : Cleaned with backup
   C:\WINDOWS\stubinstaller6282.exe -> TrojanDownloader.Small.asf : Cleaned with backup
   C:\WINDOWS\SYSTEM32\dfnobw.exe -> Trojan.Agent.ay : Cleaned with backup
   C:\WINDOWS\webhdll.dll -> Spyware.WebHancer : Cleaned with backup
   C:\WINDOWS\whInstaller.exe -> Spyware.WebHancer : Cleaned with backup

::Report End

smitRem log file
version 2.3

by noahdfear

The current date is: Sat 08/27/2005
The current time is: 15:54:10.79

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

msole32.exe
logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

screen.html
sites.ini

~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Wininet.dll ~~~

CLEAN!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Thanks again for all your help!
Josh

guestolo · « **Reply #8 on:** August 28, 2005, 09:55:29 AM »

Hi again Josh, still some work to do
Looks like new entries in your log

Can I have you do the following please
Download Hijackthis from my signature below and save it too a folder on your drive
Only run it from the new location

Please do the following
From my signature below Click on Panda's
Click the Scan my PC button
Follow the steps to run the free online scan
Scan "My Computer"
Let this finish, it may take a bit of time
When Panda's is done
If anything is found it will give you an option to save a report
Do so, save it too desktop and then copy and paste back here the results

Could you also do the following
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list to desktop
copy and paste back here the results

Also, can I have you redownload Hijackthis from my signature below and save it too a permanent folder on your drive
We'll only want to run Hijackthis from the new location
Run another scan with Hijackthis and post a fresh log

TheTechGuide Forum

News:

Author Topic: SpySheriff...PLEASE HELP!! (Read 1776 times)

jchyatt2

SpySheriff...PLEASE HELP!!

guestolo

SpySheriff...PLEASE HELP!!

jchyatt2

SpySheriff...PLEASE HELP!!

jchyatt2

SpySheriff...PLEASE HELP!!

guestolo

SpySheriff...PLEASE HELP!!

jchyatt2

SpySheriff...PLEASE HELP!!

guestolo

SpySheriff...PLEASE HELP!!

jchyatt2

SpySheriff...PLEASE HELP!!

guestolo

SpySheriff...PLEASE HELP!!