Spy Sheriff cont'd

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mbdooley (Thread Starter)
Joined: Dec 27, 2005
Messages: 2

Howdy,

I tried the instructions above but I still have the notice displaying on my desktop and the 2 error messages when I boot up.

Thanks.

Marty

********
12:48 p.m.: | Start of Session, Lunes, 26 de Diciembre de 2005 |
12:48 p.m.: Spy Sweeper started
12:48 p.m.: Sweep initiated using definitions version 589
12:48 p.m.: Found Adware: wefed
12:48 p.m.: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ssldr\ || dllname (ID = 1062236)
12:48 p.m.: ssldr32.dll (ID = 1062236)
12:48 p.m.: Starting Memory Sweep
12:50 p.m.: Detected running threat: C:\WINDOWS\system32\ssldr32.dll (ID = 200756)
12:52 p.m.: Found Adware: clkoptimizer
12:52 p.m.: Detected running threat: C:\WINDOWS\system32\ippuiiu.dll (ID = 188959)
12:53 p.m.: Detected running threat: C:\WINDOWS\system32\prropp.exe (ID = 188701)
12:53 p.m.: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || winsync (ID = 0)
12:53 p.m.: Found Adware: zquest
12:53 p.m.: Detected running threat: C:\WINDOWS\z00096.exe (ID = 208993)
12:53 p.m.: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Contextual Tool (ID = 0)
12:53 p.m.: Memory Sweep Complete, Elapsed Time: 00:05:16
12:53 p.m.: Starting Registry Sweep
12:55 p.m.: Found Adware: surfsidekick
12:55 p.m.: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
12:55 p.m.: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
12:55 p.m.: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
12:55 p.m.: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
12:55 p.m.: HKLM\software\qstat\ || brr (ID = 877670)
12:55 p.m.: HKLM\software\microsoft\windows\currentversion\run\ || contextual tool (ID = 957773)
12:55 p.m.: HKLM\software\microsoft\windows\currentversion\uninstall\webnexus\ (2 subtraces) (ID = 1006191)
12:55 p.m.: Found Adware: command
12:55 p.m.: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
12:55 p.m.: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
12:55 p.m.: Found Trojan Horse: trojan-downloader-hochladen
12:55 p.m.: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ (4 subtraces) (ID = 1021403)
12:55 p.m.: HKLM\system\currentcontrolset\services\i386p\ (11 subtraces) (ID = 1021419)
12:55 p.m.: Found Trojan Horse: trojan-downloader-dh
12:55 p.m.: HKCR\clsid\{c5af2622-8c75-4dfb-9693-23ab7686a456}\ (4 subtraces) (ID = 1057025)
12:55 p.m.: HKLM\software\classes\clsid\{c5af2622-8c75-4dfb-9693-23ab7686a456}\ (4 subtraces) (ID = 1057030)
12:55 p.m.: HKLM\software\microsoft\windows\currentversion\uninstall\dh\ (2 subtraces) (ID = 1057035)
12:55 p.m.: Found Adware: spysheriff
12:55 p.m.: HKU\S-1-5-21-329068152-1202660629-854245398-1004\software\microsoft\windows\currentversion\run\ || windows installer (ID = 142127)
12:55 p.m.: HKU\S-1-5-21-329068152-1202660629-854245398-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
12:55 p.m.: HKU\S-1-5-21-329068152-1202660629-854245398-1004\software\surfsidekick3\ (3 subtraces) (ID = 143412)
12:55 p.m.: Found Trojan Horse: trojan-backdoor-securemulti
12:55 p.m.: HKU\S-1-5-21-329068152-1202660629-854245398-1004\software\microsoft\windows\currentversion\run\ || windows installer (ID = 484139)
12:55 p.m.: Found Adware: findthewebsiteyouneed hijacker
12:55 p.m.: HKU\S-1-5-21-329068152-1202660629-854245398-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
12:56 p.m.: Found Trojan Horse: trojan-backdoor-us15info
12:56 p.m.: HKU\S-1-5-21-329068152-1202660629-854245398-1004\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
12:56 p.m.: Registry Sweep Complete, Elapsed Time:00:02:09
12:56 p.m.: Starting Cookie Sweep
12:56 p.m.: Found Spy Cookie: 2o7.net cookie
12:56 p.m.: [email protected][1].txt (ID = 1958)
12:56 p.m.: Found Spy Cookie: belnk cookie
12:56 p.m.: [email protected][1].txt (ID = 2292)
12:56 p.m.: [email protected][2].txt (ID = 2293)
12:56 p.m.: Found Spy Cookie: statcounter cookie
12:56 p.m.: [email protected][1].txt (ID = 3447)
12:56 p.m.: Found Spy Cookie: trb.com cookie
12:56 p.m.: [email protected][1].txt (ID = 3587)
12:56 p.m.: Cookie Sweep Complete, Elapsed Time: 00:00:01
12:56 p.m.: Starting File Sweep
12:56 p.m.: sskknwrd.dll (ID = 77733)
12:56 p.m.: z00096.exe (ID = 208993)
12:56 p.m.: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Contextual Tool (ID = 0)
12:56 p.m.: a0031565.dll (ID = 188959)
12:56 p.m.: Found Adware: targetsaver
12:56 p.m.: a0030458.exe (ID = 193995)
12:56 p.m.: ippuiiu.dll (ID = 188959)
12:57 p.m.: a0030456.exe (ID = 185985)
12:57 p.m.: vgactl.cpl (ID = 189954)
12:58 p.m.: a0031566.dll (ID = 188960)
12:58 p.m.: a0030563.dll (ID = 188960)
12:58 p.m.: krrkk.dll (ID = 188960)
12:59 p.m.: a0031564.exe (ID = 188961)
12:59 p.m.: Found Adware: dollarrevenue
12:59 p.m.: a0030450.exe (ID = 194150)
12:59 p.m.: jddbjjb.exe (ID = 188961)
12:59 p.m.: tool4.exe (ID = 183857)
12:59 p.m.: tool5.exe (ID = 183857)
12:59 p.m.: a0030546.dll (ID = 188959)
12:59 p.m.: ssldr32.dll (ID = 200756)
12:59 p.m.: a0029434.exe (ID = 208542)
01:00 p.m.: wuauclt.dll (ID = 188706)
01:00 p.m.: dh9013.exe (ID = 208497)
01:00 p.m.: dh.dll (ID = 208494)
01:00 p.m.: a0030469.exe (ID = 193995)
01:01 p.m.: oggq.exe (ID = 188701)
01:01 p.m.: a0030452.exe (ID = 193501)
01:01 p.m.: a0030448.exe (ID = 195131)
01:01 p.m.: zokul.exe (ID = 195130)
01:01 p.m.: zokup.exe (ID = 195132)
01:01 p.m.: a0029449.dll (ID = 189)
01:01 p.m.: a0030449.exe (ID = 195128)
01:01 p.m.: a0030562.dll (ID = 188959)
01:02 p.m.: wbbyw.dat (ID = 188701)
01:02 p.m.: prropp.exe (ID = 188701)
01:02 p.m.: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || winsync (ID = 0)
01:02 p.m.: a0030453.exe (ID = 208539)
01:03 p.m.: class-barrel (ID = 78229)
01:03 p.m.: zokuc.dll (ID = 195129)
01:03 p.m.: vocabulary (ID = 78283)
01:09 p.m.: Found Adware: apropos
01:09 p.m.: a0030451.dll (ID = 166754)
01:11 p.m.: a0030545.exe (ID = 188961)
01:11 p.m.: a0030561.exe (ID = 188961)
01:11 p.m.: secure32.html (ID = 184319)
01:11 p.m.: country.exe (ID = 183857)
01:12 p.m.: a0030547.dll (ID = 188960)
01:14 p.m.: a0030544.exe (ID = 188701)
01:14 p.m.: z00096[1].ini (ID = 209432)
01:17 p.m.: a0030447.exe (ID = 144946)
01:17 p.m.: a0030536.dll (ID = 144945)
01:17 p.m.: a0030467.exe (ID = 185985)
01:17 p.m.: a0030471.exe (ID = 208539)
01:18 p.m.: a0031563.exe (ID = 188701)
01:20 p.m.: toolbar.exe (ID = 208556)
01:20 p.m.: wa54trg.vbs (ID = 185675)
01:20 p.m.: Found System Monitor: potentially rootkit-masked files
01:20 p.m.: msctl32.dll (ID = 0)
01:20 p.m.: i386p.sys (ID = 0)
01:21 p.m.: Warning: Invalid Stream
01:23 p.m.: File Sweep Complete, Elapsed Time: 00:26:54
01:23 p.m.: Full Sweep has completed. Elapsed time 00:34:32
01:23 p.m.: Traces Found: 139
01:46 p.m.: Removal process initiated
01:46 p.m.: Quarantining All Traces: clkoptimizer
01:47 p.m.: clkoptimizer is in use. It will be removed on reboot.
01:47 p.m.: ippuiiu.dll is in use. It will be removed on reboot.
01:47 p.m.: prropp.exe is in use. It will be removed on reboot.
01:47 p.m.: C:\WINDOWS\system32\ippuiiu.dll is in use. It will be removed on reboot.
01:47 p.m.: C:\WINDOWS\system32\prropp.exe is in use. It will be removed on reboot.
01:47 p.m.: Quarantining All Traces: potentially rootkit-masked files
01:47 p.m.: potentially rootkit-masked files is in use. It will be removed on reboot.
01:47 p.m.: msctl32.dll is in use. It will be removed on reboot.
01:47 p.m.: Quarantining All Traces: spysheriff
01:47 p.m.: Quarantining All Traces: trojan-backdoor-securemulti
01:47 p.m.: Quarantining All Traces: trojan-backdoor-us15info
01:47 p.m.: Quarantining All Traces: apropos
01:47 p.m.: Quarantining All Traces: surfsidekick
01:47 p.m.: Quarantining All Traces: trojan-downloader-dh
01:47 p.m.: Quarantining All Traces: trojan-downloader-hochladen
01:47 p.m.: Quarantining All Traces: wefed
01:47 p.m.: wefed is in use. It will be removed on reboot.
01:47 p.m.: ssldr32.dll is in use. It will be removed on reboot.
01:47 p.m.: C:\WINDOWS\system32\ssldr32.dll is in use. It will be removed on reboot.
01:47 p.m.: Quarantining All Traces: zquest
01:47 p.m.: zquest is in use. It will be removed on reboot.
01:47 p.m.: z00096.exe is in use. It will be removed on reboot.
01:47 p.m.: Quarantining All Traces: command
01:47 p.m.: Quarantining All Traces: dollarrevenue
01:47 p.m.: Quarantining All Traces: findthewebsiteyouneed hijacker
01:47 p.m.: Quarantining All Traces: targetsaver
01:47 p.m.: Quarantining All Traces: 2o7.net cookie
01:47 p.m.: Quarantining All Traces: belnk cookie
01:47 p.m.: Quarantining All Traces: statcounter cookie
01:47 p.m.: Quarantining All Traces: trb.com cookie
01:47 p.m.: Warning: Timed out waiting for explorer.exe
01:47 p.m.: Warning: Launched explorer.exe
01:47 p.m.: Warning: Quarantine process could not restart Explorer.
01:48 p.m.: Preparing to restart your computer. Please wait...
01:48 p.m.: Removal process completed. Elapsed time 00:01:27
02:04 p.m.: Processing Internet Explorer Favorites Alerts
02:04 p.m.: Allowed IE Favorite: Tech Support Guy
02:19 p.m.: Processing Internet Explorer Favorites Alerts
02:19 p.m.: Allowed IE Favorite: General Security Information, How to tighten Security Settings and Warnings - Tech Support Guy Forums
02:35 p.m.: IE Security Shield: found: C:\WINDOWS\REGEDIT.EXE -- IE Security modification allowed at user request
04:14 p.m.: Hosts file is too large.
10:25 a.m.: Hosts file is too large.
01:44 p.m.: Your spyware definitions have been updated.
09:13 a.m.: Hosts file is too large.
08:22 p.m.: Your spyware definitions have been updated.
09:02 a.m.: Hosts file is too large.
********
12:42 p.m.: | Start of Session, Lunes, 26 de Diciembre de 2005 |
12:42 p.m.: Spy Sweeper started
12:45 p.m.: Updating spyware definitions
12:45 p.m.: Your spyware definitions have been updated.
12:48 p.m.: Memory Shield: Found: Memory-resident threat wefed, version 1.0.0.0
12:48 p.m.: Detected running threat: wefed
12:48 p.m.: | End of Session, Lunes, 26 de Diciembre de 2005 |

Logfile of HijackThis v1.99.1
Scan saved at 07:31:01 p.m., on 29/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://clusty.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Búsqueda en Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119495922312
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimport/ms/emailimport.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe