SpySheriff problem - serious mess

 
 
Aremah
 
Reply Tue 27 Dec, 2005 10:09 am
It's certainly a bit more serious than last time. Although by now (especially after the last - quite recent - time) I recognise some of the things that need removing, I'd rather leave it up to professionals to make sure I get it right on the first try (note that I have all the tools I used here: http://www.able2know.com/forums/viewtopic.php?t=65408, so no need to go into much detail, just lay the exact instructions out in points). Timber, you out there? Wink

Besides what you see below (after following timber's direction in the yuckware sticky), there's another thing - my taskbar (the one next to the start button) is completely collapsed. I can't expand it nor are there any icons there, which is seriously aggravating. Please help ASAP.

AboutBuster found nothing, so no log.

The first EWIDO log was accidentally overwritten by the second (I didn't notice the filename was the same, and the program gave no overwrite warning). It found about 50 malware files.

Second EWIDO log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 16:07:07, 2005-12-27
+ Report-Checksum: D807F52F

+ Scan result:

C:\WINDOWS\system32\inounun.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\WINDOWS\system32\jdsbdbd.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\kwekw.dll -> Downloader.Small : Cleaned with backup


::Report End

HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 16:48:12, on 2005-12-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\paytime.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\kwdpl.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Don77
Reply Tue 27 Dec, 2005 02:09 pm
Hi there, could you provide an uninstall list please?


  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • You can click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window into this topic, please.

 
Aremah
Reply Tue 27 Dec, 2005 02:57 pm
Here you go. The first thing I did, before going into safe mode and all the scanning, was uninstalling SpySheriff via the regular add/remove programs window.

Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.5
Adobe Stock Photos 1.0
Aktualizacja dla systemu Windows XP (KB894391)
Aktualizacja dla systemu Windows XP (KB896727)
Aktualizacja dla systemu Windows XP (KB898461)
Aktualizacja dla systemu Windows XP (KB910437)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB890046)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB893066)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB893756)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896358)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896422)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896423)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896424)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896428)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896688)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899587)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899588)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899589)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899591)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB900725)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB901017)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB901214)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB902400)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB904706)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB905414)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB905749)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB905915)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bink and Smacker
BSPlayer
CCleaner (remove only)
DEXXA Webcam
DivX
DivX Codec 3.1alpha release
EAX(tm) Unified (SHELL)
ewido security suite
Fable - The Lost Chapters
FlashFXP v3
Gadu-Gadu 7.0
HijackThis 1.99.1
K-Lite Codec Pack 2.53 Standard
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech iTouch Software
Logitech MouseWare 9.79.1
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash Player 8
MSN Messenger 7.5
Nero 6 Ultra Edition
Neverwinter Nights
Norton SystemWorks 2003
Norton WMI Update
Panda ActiveScan
Pdf995
Poprawka systemu Windows XP - KB873333
Poprawka systemu Windows XP - KB873339
Poprawka systemu Windows XP - KB885250
Poprawka systemu Windows XP - KB885835
Poprawka systemu Windows XP - KB885836
Poprawka systemu Windows XP - KB886185
Poprawka systemu Windows XP - KB887472
Poprawka systemu Windows XP - KB887742
Poprawka systemu Windows XP - KB888113
Poprawka systemu Windows XP - KB888302
Poprawka systemu Windows XP - KB890859
Poprawka systemu Windows XP - KB891781
Poprawka systemu Windows XP - KB893086
Poser 6
PowerDVD
PowerQuest PartitionMagic 8.0
QuickTime
Skaner on-line mks_vir
Sound Blaster Live!
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Tlen.pl
Tweak UI
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Messenger 5.1
Windows XP Service Pack 2
WinRAR archiver
XviD MPEG-4 Video Codec
 
Don77
Reply Tue 27 Dec, 2005 03:23 pm
Quote:
Here you go. The first thing I did, before going into safe mode and all the scanning, was uninstalling SpySheriff via the regular add/remove programs window.

That's fine, I was actually looking for something else; did you happen to see a program named DH in there?
I don't see it now, but am curious; it seems to be related to the newest variant of side surf, but I don't see that there either, so hopefully this will go away quietly Very Happy

Lets get started here then.

It's probably a good idea to print out or save these instructions to Notepad some place you will have access to them, like your desktop, as we will need to do a good portion of this in safe mode.

Download and install CleanUp!
Don't run it yet, we will use it in a bit.

Open Ad-aware and check it for updates; if any are found, please download them. Close out the program, we will scan with it later on.

Next

Check Nortons for updates as well.
Again, don't run it now, we will use it in a bit.

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\kwdpl.dll (file missing)


Now close out HJT please

Next

Reboot into SAFE MODE
Search for and delete the files listed below (the one folder is marked as such):

c:\secure32.html
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\kwdpl.dll
C:\Program Files\Common Files\VCClient\ <--Delete the folder

Next
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click No.

Next

Open up Ad-aware and run a scan; have it fix all it finds.

Next
Open Nortons and run a full system scan with it; delete or have it fix anything it finds, please.


Next
Reboot to normal mode and post back a fresh HJT log for me, please.
Let me know how your computer is running as well.
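The entries Don77 picks out above fall into three recognisable patterns: an Internet Explorer start/default page pointing at a local HTML file instead of a URL, the same executable auto-started from both the HKLM and HKCU Run keys, and a Winlogon Notify DLL whose file is already missing. The following Python script is an added example, not code from this thread or from HijackThis: it parses a constructed excerpt modelled on the first HJT log posted above and flags those three patterns. The heuristics are this example's own, not how the helper reasoned; they do not catch the two VCClient Run entries, which none of the three patterns cover.

```python
"""Triage a HijackThis v1.99-style log for three hijack patterns.

Added example: the log below is a constructed excerpt modelled on the first
HJT log in this thread, and the heuristics are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: a few benign lines plus the entries the helper asked to fix.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 16:48:12, on 2005-12-27

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\paytime.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\kwdpl.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # which heuristic fired
    entry: str  # the HJT line it fired on


# R0/R1 lines: "<code> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^R[01] - (HK\w+)\\(.+?),(.+?) = (.*)$")
# O4 registry lines: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
# Every hijack entry starts with a section code such as R0, O4, O23.
ENTRY_LINE = re.compile(r"^[RFNO]\d+ - ")

PAGE_VALUES = ("Start Page", "Default_Page_URL", "Local Page")


def parse_entries(log: str) -> list[str]:
    """Return only the hijack entries; the header and process list are skipped."""
    return [ln.strip() for ln in log.splitlines() if ENTRY_LINE.match(ln.strip())]


def is_local_file(data: str) -> bool:
    """IE start pages should be http(s) URLs or about:blank, not drive paths."""
    d = data.strip().strip('"').lower()
    return d.startswith("file:") or re.match(r"^[a-z]:\\", d) is not None


def normalise_command(cmd: str) -> str:
    """Key used to notice the same binary registered under more than one hive."""
    return cmd.strip().strip('"').lower()


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    run_entries: dict[str, list[tuple[str, str]]] = {}  # command -> [(hive, line)]
    for entry in parse_entries(log):
        m = R_LINE.match(entry)
        if m and m.group(3) in PAGE_VALUES and is_local_file(m.group(4)):
            findings.append(Finding("start-page-local-file", entry))
            continue
        m = O4_LINE.match(entry)
        if m:
            hive, _name, cmd = m.groups()
            run_entries.setdefault(normalise_command(cmd), []).append((hive, entry))
            continue
        if entry.startswith("O20 - Winlogon Notify:") and entry.endswith("(file missing)"):
            findings.append(Finding("winlogon-notify-missing-file", entry))
    # The same binary auto-started from both HKLM and HKCU: legitimate software
    # rarely registers itself twice, but the PayTime entries above did.
    for _cmd, seen in run_entries.items():
        hives = {hive for hive, _ in seen}
        if {"HKLM", "HKCU"} <= hives:
            findings.extend(Finding("run-entry-in-both-hives", line) for _, line in seen)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.entry}")
```

Run as a script it prints five findings: the two start-page lines, the two PayTime Run entries and the missing Winlogon Notify DLL; the benign ccApp, updateMgr, Toolbar and O23 lines pass through untouched. The cross-hive check is deliberately kept separate from the per-line loop because it needs the whole O4 section before it can decide.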
 
Aremah
Reply Tue 27 Dec, 2005 05:23 pm
I'll get to it tomorrow morning, as I don't have the time right now. One question before I do, though.

Shouldn't I be using CCleaner on XP (which I did and do), rather than CleanUp (WinME and older, according to this: http://www.able2know.com/forums/viewtopic.php?t=54757 )?
 
Don77
Reply Tue 27 Dec, 2005 06:21 pm
You can use CCleaner if you already have it installed.
I use Cleanup! on XP and it does a great job.
I prefer Cleanup!, but that's me; use whichever you like.
 
Aremah
Reply Wed 28 Dec, 2005 03:58 am
I used CCleaner. AdAware and NAV found nothing of interest.

Current HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:53:53, on 2005-12-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Comments

I took the liberty of also removing the entries:

- O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
- O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

as per timber's suggestion in the other thread (didn't get to it earlier before SpySheriff appeared).

In any case, the computer seems fine. I restored my taskbar (turns out the malware had just unchecked the 'Show taskbar' option). Nothing pops up (since VCClient and VCMain are gone), and my default start page is restored in IE.

I still have the siren wail issue, which I mentioned in my other thread, but I think that's for another thread entirely.

Thanks a lot for the quick help. If there's anything else you see, lemme know, and keep up the good work. Smile
 
Don77
Reply Wed 28 Dec, 2005 06:07 am
Looks good Very Happy

Nice job, your log is clean!
How is it running?
Please use the following suggestions to help prevent reinfection.


Download the following program for keeping crap off your system to begin with.
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep Ad-Aware and Spybot 1.4 handy; check them for updates prior to running, and run them weekly.
Same with your antivirus.

For an added check, run an online virus scan; you can use one of the two below.
TrendMicro's HouseCall
ActiveScan

Be sure to give the Temp folders a cleaning out now and then as well. After you clean your Temp files, make sure to empty out your Recycle Bin as well.
Click Start | Run | type in cleanmgr | OK

Let it scan your system for files to remove.

Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

Press OK to remove them.

Or you can use CCleaner, seeing you have it set up.


Remember to check Windows for updates.

Probably a good time to create a new restore point. See Here for XP

See Here for ME. Name it clean or something like that.
 
Aremah
Reply Wed 28 Dec, 2005 10:38 am
I already do what you advise, but it's good advice of course. Strangely enough, it didn't stop me from catching SpySheriff (I had Spyware Blaster installed and 'protecting', after my previous SpyAxe case, when I caught it). Methinks it's Firefox time (I'm sentimental about IE for some reason).

Thanks again. Smile
 
Don77
Reply Wed 28 Dec, 2005 11:18 am
Firefox is a good option, as well as Opera.
You will want to keep IE, as you will need it for Windows updates, and online scans usually require it.

Pay close attention to what sites you're visiting and what you're clicking on.

You might be well advised to get yourself a firewall.
ZoneAlarm is a great product and will help keep you protected.

I really need to update my prevention speech; I've been meaning to add that for a while.

Best of luck to you.

BTW I use ZoneAlarm, it does a great job Very Happy



Don Very Happy
 
Aremah
Reply Wed 28 Dec, 2005 01:07 pm
I tried it once, about a year ago, but somehow it gave me more problems than it was worth. Could be that I didn't take the time to configure it correctly, can't remember. I've been using the Windows Firewall since SP2 came out, but... it's Windows. So yeah, I think I'll give ZoneAlarm another shot.
 
Don77
Reply Wed 28 Dec, 2005 03:48 pm
I highly recommend you do Very Happy
 
timberlandko
Reply Wed 28 Dec, 2005 09:55 pm
Just chiming in here with my own endorsement of ZoneAlarm; the free version is pretty good, and the full subscription version is extremely versatile and flexible, with lotsa options and configurability, though getting it set up optimally - and putting up with/working around its idiosyncrasies - is something most folks won't be inclined to tackle.
 
Aremah
Reply Thu 29 Dec, 2005 07:04 pm
Free version for me, I'm afraid. The thing is that the word 'optimally' in 'getting it set up optimally' is usually a major clog. Don't get me wrong, I'm not some idiot who just uses the computer to play games; I've had a PC since 1989, so I know what I'm doing to some extent. I'm no expert, of course, but I like everything configured to just how I like it, and nothing stops me from doing just that. Still, some programs elude me, as in they are nearly impossible to set up how I want them. There are just too many of the mentioned idiosyncrasies involved - and the free version of ZoneAlarm was included in that classification at a certain time in the past.

What do you guys think of Norton Internet Security? If I'm not mistaken, it comes with a firewall, and I have an opportunity to get it at a discount (I'm currently on Norton SystemWorks 2003, as I couldn't afford 2004 when it came out).
 
Don77
Reply Thu 29 Dec, 2005 09:11 pm
Refraining from comment on Nortons Laughing
I have AVG and ZoneAlarm, SpywareGuard and SpywareBlaster.
That's what does it for me, but that's me.
Had SystemWorks by Nortons on a PC my in-laws gave to my son; it lasted 2 days.

I will let Timber share his view,
 
timberlandko
Reply Thu 29 Dec, 2005 09:38 pm
Norton is effective, but it's a resource hog; any of the "Security Suites" are. The "System Tools" apps mostly are headaches-in-a-can, too, as far as I'm concerned. I do like Symantec/Norton antivirus, but again, if you're gonna use it, a fast processor and lotsa RAM are pretty much gonna hafta be there first. GriSoft's AVG is a fine product, as are several of the other free standalone antivirus apps. Right now, in the pay-for field, I think (in no particular order) the tops are Panda, Kaspersky, Sophos, F-Secure, BitDefender, and AVK (which actually is Kaspersky and BitDefender combined). Norton, McAfee, and Trend all are good, but even as separate standalones apart from the suites in which they also are available, they're resource hogs.