
Hijack This Log, Ewido Scan Report, need to rid spysheriff

Discussion in 'Virus & Other Malware Removal' started by cbaluyot, Jun 20, 2005.

Thread Status:
Not open for further replies.
  1. cbaluyot

    cbaluyot Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    21
    I've been infected with SpySheriff as well. Here are my HJT and Ewido scan logs:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:09:32 AM, on 6/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: DigiChat Applet - http://host2.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 3:25:33 PM, 6/18/2005
    + Report-Checksum: 410D67A3

    + Date of database: 6/18/2005
    + Version of scan engine: v3.0

    + Duration: 82 min
    + Scanned Files: 121906
    + Speed: 24.54 Files/Second
    + Infected files: 25
    + Removed files: 25
    + Files put in quarantine: 25
    + Files that could not be opened: 0
    + Files that could not be cleaned: 0

    + Binder: Yes
    + Crypter: Yes
    + Archives: Yes

    + Scanned items:
    C:\

    + Scan result:
    C:\Documents and Settings\Christer Allen.CHRISTER\Local Settings\Temp\Temporary Internet Files\Content.IE5\3AOVF189\loaderadv74[1].jar/Counter.class -> Trojan.ClassLoader.h -> Cleaned with backup
    C:\Documents and Settings\Christer Allen.CHRISTER\Local Settings\Temp\Temporary Internet Files\Content.IE5\3AOVF189\loaderadv74[1].jar/Parser.class -> Trojan.Java.ClassLoader.Dummy.a -> Cleaned with backup
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
    C:\Program Files\DivX\DivX Pro Codec\Gain_Trickler.exe -> Spyware.Gator.3102 -> Cleaned with backup
    C:\Program Files\Kazaa Lite K++\supertrick.txt -> Trojan.Qhost.av -> Cleaned with backup
    C:\Program Files\Oanmizp\Xbaf.exe -> Trojan.Small.cy -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP442\A0071813.vxd/C:/WINDOWS/system32/exdl.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP442\A0071813.vxd/C:/WINDOWS/system32/mqexdlm.srg -> Spyware.BargainBuddy.n -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP442\A0071813.vxd/C:/WINDOWS/system32/exul.exe -> Spyware.BargainBuddy -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP442\A0071813.vxd/C:/WINDOWS/system32/javexulm.vxd -> Spyware.BargainBuddy -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP442\A0071813.vxd/C:/WINDOWS/system32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP442\A0071813.vxd/C:/WINDOWS/system32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP442\A0071813.vxd/C:/WINDOWS/system32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP479\A0075506.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP479\A0075546.exe -> TrojanDownloader.Small.adv -> Cleaned with backup
    C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP479\A0075554.exe -> Spyware.NewDotNet -> Cleaned with backup
    C:\unzipped\CRACK[1].CD-Ahead_Nero_Burning_ROM_Ultra_Edition_v6.6.0.0\tmo.exe -> TrojanDownloader.NoName.b -> Cleaned with backup
    C:\unzipped\hijackthis\backup-20031226-221500-882.dll -> Dialer.Generic -> Cleaned with backup
    C:\WINDOWS\SYSTEM\smss32.exe -> Worm.Momma -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\atiupdate5.exe -> Spyware.Adtomi.e -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\BO2802040113.dll -> Spyware.VirtualBouncer.d -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\calsdr.dll -> TrojanDownloader.Rameh.b -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\calsdr.exe -> TrojanDropper.Small.ff -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\unimt.exe -> Spyware.Purityscan.B -> Cleaned with backup
    C:\winstall.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup


    ::Report End
     

  3. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    You never posted the active scan log!


    Go to Add/Remove and uninstall P2P Networking and its folder from C:\Program Files.


    You have far too many startup items; use the link below to trim them down.

    http://www.pacs-portal.co.uk/startup_index.htm

    Go to this site and download these tools, and once you get both
    Ad-Aware and Spybot, update both of them.

    Set Ad-Aware to do a full system scan and deselect "search for negligible risk entries".
    Click Next to start the scan. Delete everything Ad-Aware finds.

    Reboot and now run Spybot.

    Spybot Search & Destroy.

    Delete what Spybot finds marked in red. After updating Spybot, hit the
    Immunize button.

    Reboot again.


    With CWShredder, close all browsers and programmes and select the FIX button.

    Unzip AboutBuster, update it and run it after you run CWShredder.


    Go here and download Microsoft AntiSpyware Beta. First, in the top menu click
    File, then Check for updates to download the definitions updates.

    After updating look in the right side of the main window under "Run Quick
    Scan Now" and click Spyware scan options. In that window put a tick by Run a
    full system scan and then put a check by all three options below that then
    click Run Scan now.

    When the scan is finished, let it fix anything that it finds (have it
    quarantine the items that have that option rather than delete just in case.
    It is a beta program and there may be false positives)

    Restart your computer.


    All tools can be downloaded at the link below!

    . Microsoft® Windows AntiSpyware
    . AboutBuster
    . CWShredder
    . Ad-Aware SE


    http://www.majorgeeks.com/downloads31.html




    Have HijackThis fix these entries. Close all browsers and programmes before
    clicking FIX.


    F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto




    Now reboot to safe mode, then find and delete these files and folders if they are there.



    How to boot to safe mode

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


    Because XP will not always show you hidden files and folders by default,
    Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden
    files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View
    tab and make sure that "Show hidden files and folders" is checked. Also
    uncheck "Hide protected operating system files" and "Hide extensions for
    known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe


    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/activescan/

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!



    Download CCleaner and run it.

    http://www.ccleaner.com/

    Post a new log and ActiveScan's log.
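    As an added example, not part of this thread and not code from HijackThis or from either poster: a small Python parser for the HJT log format posted above. It pulls the F1, O4 and O23 load points out of the log and applies a few triage heuristics of my own (a legacy win.ini run line, a path that uses ".." to climb out of its folder, a program started from a subfolder of System32, and a service whose binary has no recorded owner or is missing). The heuristics are this example's assumptions, not rules from any tool; on a constructed subset of the log above they reproduce two of the entries picked out for fixing (info32.exe and P2P Networking), flag the orphaned rpcapd service, and mark the ownerless Nhksrv service for review only. The sample log embedded in the code is a hand-picked subset of the posted log, not the full thing.

```python
import re
from dataclasses import dataclass

# Constructed subset of the HijackThis v1.99.1 log posted above (the rpcapd
# line is reproduced as HJT printed it, stray quote included).
SAMPLE_LOG = r"""
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[FOR]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat|pif))\b', re.I)


@dataclass
class Entry:
    section: str   # HJT section code: F1, O4, O23, ...
    key: str       # load point: win.ini, HKLM\..\Run, Global Startup, Service
    name: str      # value name, .lnk name or service display name
    cmd: str       # command line / binary path exactly as HJT printed it
    owner: str     # O23 only: the publisher HJT read from the binary
    raw: str       # the original log line (what you would tick in HJT)


def parse_log(text):
    """Turn the entry lines of an HJT log into Entry objects; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        key = name = owner = ""
        cmd = body
        if section.startswith("F"):            # F0/F1: "win.ini: run=cmd" style lines
            key, _, rest = body.partition(": ")
            name, _, cmd = rest.partition("=")
        elif section == "O23":
            s = SVC_RE.match(body)
            if s:
                key, name, owner, cmd = "Service", s.group("name"), s.group("owner"), s.group("cmd")
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                key, name, cmd = r.group("key"), r.group("name") or "", r.group("cmd")
                if not name and " = " in cmd:   # Startup-folder shortcut: "X.lnk = target"
                    name, cmd = cmd.split(" = ", 1)
        entries.append(Entry(section, key, name, cmd, owner, line.strip()))
    return entries


def exe_path(cmd):
    """Return the executable part of a command line, lower-cased, without quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("exe") if m else cmd).lower()


def triage(entry):
    """Return (verdict, reasons). The heuristics are this example's own assumptions, not HJT's."""
    exe = exe_path(entry.cmd)
    fix, review = [], []
    if entry.section in ("F0", "F1"):
        fix.append("legacy win.ini/system.ini load point; nothing legitimate on XP uses it")
    if "\\..\\" in exe:
        fix.append("path climbs out with '..' to hide where the binary really lives")
    if re.search(r"\\system32\\[^\\]+\\", exe):
        fix.append("runs from a subfolder of System32; Windows keeps no autostart programs there")
    if entry.section == "O23":
        if "(file missing)" in entry.cmd.lower():
            fix.append("service points at a binary that no longer exists")
        if entry.owner.lower() == "unknown owner":
            review.append("binary carries no publisher; confirm what installed it before removing")
    if fix:
        return "fix", fix + review
    if review:
        return "review", review
    return "keep", []


def triage_log(text):
    """Map each HJT line that needs attention to its (verdict, reasons), in log order."""
    return {e.raw: triage(e) for e in parse_log(text) if triage(e)[0] != "keep"}


def fix_list(text):
    """The raw lines one would tick in HijackThis and Fix."""
    return [raw for raw, (verdict, _) in triage_log(text).items() if verdict == "fix"]


if __name__ == "__main__":
    for raw, (verdict, reasons) in triage_log(SAMPLE_LOG).items():
        print(f"[{verdict}] {raw}")
        for r in reasons:
            print(f"         - {r}")
```

    The point of the "review" verdict is that "Unknown owner" on its own only means HJT found no version information in the binary; it is a prompt to look the service up, not a reason to delete it.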
     
  4. cbaluyot

    cbaluyot Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    21
    I am having trouble running the active scan. There's always an error on downloading the ActivePanda Scan. The ActiveX installation window does not pop up as well.
     
  5. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Try one of these.


    Run an online antivirus check from at least one and preferably 2 of the following sites....
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://support.f-secure.com/enu/home/ols.shtml

    make sure autoclean is enabled on the scans

    If it says any files can't be cleaned, delete them
    If it says any files can't be deleted, make a note of them and boot
    into safe mode to delete them.


    Note: this is a stand-alone; it doesn't install to Start/Programmes.

    Download Mwav, double-click on it and it will extract to C:\kaspersky. Click
    on the kaspersky folder and click on Kavupd; a black DOS window will open
    and it will update the programme for you. Be patient, it will take 5-10
    minutes to download the new definitions. Once it's updated, click on mwavscan
    to launch the programme.

    Use the defaults of:

    Memory
    startup folders
    Registry
    system folders
    services

    Choose Drive, All Drives, click Scan All Files,
    and then click Scan/Clean. After it finishes scanning and cleaning, post
    the log here with a new HijackThis log.

    Note: this is a very thorough scanner, it might take anything up to an hour
    or more, depending on how many drives you have and how badly infected your
    pc is.

    http://www.spywareinfo.dk/download/mwav.exe
     
  6. cbaluyot

    cbaluyot Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    21
    None of the online virus checks worked for me because something went wrong with the installation. I ran mwav.exe, but the log for that is very lengthy. Do I have any other options? I even tried system restore, but the blue desktop background with the "SYSTEM STOPPED" message still appears.
     
  7. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302


Short URL to this thread: https://techguy.org/373385