(followed the SpySheriff sticky, but...)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

cutaia

Thread Starter
Joined
Jun 13, 2004
Messages
67
I still seem to be quite infected with some things... including SpySheriff. Any ideas?

HijackThis:

Logfile of HijackThis v1.99.0
Scan saved at 9:08:41 PM, on 7/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Microsoft AntiSpyware\gcasServ.exe
C:\AIM\aim.exe
C:\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Highjack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;*.r4.attbi.com;localhost
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\pure zero\Application Data\Mozilla\Profiles\default\qvpc3qop.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [webcamXP] "C:\cam\webcamXP\webcamXP.exe"
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01779de24184bdcb3018/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121751609549
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Activescan:

Incident Status Location

Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/spysheriff No disinfected C:\winstall.exe
Adware:adware/gator No disinfected HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
Adware:adware/cws.searchmeup No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\SYSTEMTOOLS
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Virus:VBS/Inor.AF Disinfected C:\Documents and Settings\All Users\Desktop\Read It NOW!!!.RB0
Virus:VBS/Inor.AF Disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Windows.RB0
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YB6ZA12N\loadppc[1].exe
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\12E67770-028F-4AF3-8DBF-D0870C.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\20B98524-5047-4D58-86D6-CBF83B.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\3AE7EDBB-1427-47EA-A029-7FA93D.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\40627A04-784D-435B-ABC9-A957C2.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\643DFE65-65AA-4109-B01F-97992F.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\6A77BD7A-36BA-4379-80F4-A83862.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\7143F37D-E2E6-46E4-B119-FD29C1.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\77C26548-6098-4A3B-BFB4-4C2A4C.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\ADAA4143-54D8-4760-A84D-724906.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\B10610B6-1538-4F46-84A8-6D4004.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\CE51D90E-8C10-4A6A-97CF-7CA86A.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\CEEE16D3-857E-4E8D-BD30-555B5F.asq
Virus:Trj/Downloader.DJV Disinfected C:\Microsoft AntiSpyware\DeactivatedItems\F1B42FB1-0C45-4FA6-A4F2-D0AFE7.asq
Virus:VBS/Inor.AF Disinfected C:\ntdetect.RB0
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\IESecurity.dll
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\ProcMon.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\430477443.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxgame6.exe

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:04:06 PM, 7/19/2005
+ Report-Checksum: C8153A34

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7F6828CA-9E42-462C-BC60-418C8144012C} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{09CA52B3-703C-4B17-9690-C13F736E3DCD} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6828CA-9E42-462C-BC60-418C8144012C} -> Dialer.Generic : Cleaned with backup
C:\Microsoft AntiSpyware\Quarantine\4B979D10-5D66-4FFA-9CAE-DFEA6B\110B7269-0680-43FF-BD31-F50405 -> TrojanProxy.Small.cn : Cleaned with backup
C:\Microsoft AntiSpyware\Quarantine\9D3A3497-24C0-49BB-9B79-3A0338\406AC85E-E55C-44EB-861D-B2B8DB -> TrojanProxy.Small.cn : Cleaned with backup
C:\WINDOWS\system\BHOmod.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\WINDOWS\system\svchost.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchosthook.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\abc.exe -> TrojanSpy.LdPinch.os : Cleaned with backup
C:\WINDOWS\system32\cssrs.exe -> TrojanSpy.PdPinch : Cleaned with backup
C:\WINDOWS\system32\kernels32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\symcsvc.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system32\vxgame1.exe -> TrojanDropper.Small.acg : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq1.exe -> TrojanDownloader.Agent.qx : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDownloader.Agent.qx : Cleaned with backup
C:\WINDOWS\system32\web.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\WINDOWS\system32\~update.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\vr_sys.dll -> TrojanSpy.LdPinch.os : Cleaned with backup


::Report End

Whoo...that was a mouthful. :)
Joined
May 13, 2005
Messages
4,699
Before fixing anything please run in safe mode.

Safe Mode
*Here is the information on how to start in safe mode if you don’t know already:
http://service1.symantec.com/SUPPOR...src=sec_doc_nam


You need to put a tick next to the following entries on a new HJT scan, then click Fix:


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;*.r4.attbi.com;localhost
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)

I'm just looking into whether you are infected with SpySheriff.
From where I'm sitting, all should now look clean!

This will help generally to speed up your computer:

CCleaner

*Download CCleaner from http://www.filehippo.com/download_ccleaner.html
*Run the program and make sure you are on the Windows tab in the top left corner.
*Click Run Cleaner
*This gets rid of all history, cookies, junk and temporary files
Startup Manager
* Download the program from http://www.mlin.net/files/StartupCPL_EXE.zip
* Run the program
* Click on each of the following tabs in succession and decide whether or not you want the things that appear there to start when your computer starts. All programs can be started in a different way, usually Start/All Programs etc.:

Startup (user)
Startup (common)
HKLM / Run
HKCU / Run
Services
Run Once

The more programs you remove from startup, the faster your computer will run.


I'll post back in a minute
David
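Triage logic for the kind of HijackThis entries David ticks above, as an added example that is not part of this thread or of HijackThis itself: the function names (`check_line`, `triage`) and the sample lines are constructed here, shaped like the log in the first post, and the checks flag the chained shell executable, the svchost.exe copy outside System32, the RunServices entry, the drive-root binary, the proxy bypass and the Trusted Zone addition while leaving a normal entry such as SoundMan alone.

```python
import re

# Constructed sample, shaped like the HijackThis v1.99 lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;localhost
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.ysbweb.com (HKLM)
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}  # genuine copies live in System32

def _program_path(command: str) -> str:
    """Executable part of an autostart command, with arguments dropped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]

def check_line(line: str):
    """Reason the HJT line deserves review, or None if nothing stands out."""
    reasons = []
    if line.startswith("R1 - ") and "ProxyOverride" in line:
        hosts = {h.strip().lower() for h in line.split("=", 1)[1].split(";")}
        if hosts - {"localhost", "127.0.0.1", "<local>"}:
            reasons.append("proxy bypass for non-local hosts")
    elif line.startswith("F2 - ") and "Shell=" in line:
        if [t.lower() for t in line.split("Shell=", 1)[1].split()] != ["explorer.exe"]:
            reasons.append("extra executable chained onto the Windows shell")
    elif line.startswith("O15 - "):
        reasons.append("site added to the IE Trusted Zone")
    elif m := O4_RE.match(line):
        key, path = m.group(2), _program_path(m.group(4)).lower()
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and "\\system32\\" not in path:
            reasons.append(f"{name} launched from outside System32")
        if ROOT_FILE_RE.match(path):
            reasons.append("autostart binary sitting in the drive root")
        if key.lower() == "runservices":
            reasons.append("entry under the legacy RunServices key")
    return "; ".join(reasons) or None

def triage(log: str):
    """(line, reason) pairs for every line of an HJT log that check_line flags."""
    return [(ln, r) for ln in log.splitlines() if ln.strip() and (r := check_line(ln))]
```

Paste a real log into `SAMPLE_LOG` and print `triage(SAMPLE_LOG)` to get a review list; it is a shortlist for a human, not a verdict, since legitimate software can trip the root-file and proxy checks.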

cutaia

Thread Starter
Joined
Jun 13, 2004
Messages
67
Alright, I'll try this as soon as I get home from work tonight. I'll let you know how it goes.