Spy Sheriff...browser Hijack?


5 replies to this topic

#1 Bannock123Love

  • Members
  • 4 posts

Posted 25 November 2005 - 04:51 PM

Hello! I was searching the net and clicked on some link; to make a long story short, Spy Sheriff infected my computer. I followed almost all the instructions I could find and removed most of it (the desktop stopped blinking, horrible desktop image gone, etc.), but it failed to remove whatever is happening to the browser. Pop-ups... even when IE isn't open. I have tried Ad-aware, HijackThis, CleanUp!, Ewido, Norton AntiVirus, and I am still getting pop-ups. PLEASE HELP!!

I would also like to add that I have tried what was suggested here: http://www.bleepingcomputer.com/forums/ind...&hl=spy+sheriff
Those files (C:\WINDOWS\system32\qtap.dll... etc.) could not be found on my computer. I would appreciate some help....

Logfile of HijackThis v1.99.1
Scan saved at 2:48:51 PM, on 11/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\BACKUP\System32\smss.exe
C:\WINDOWS\BACKUP\system32\winlogon.exe
C:\WINDOWS\BACKUP\system32\services.exe
C:\WINDOWS\BACKUP\system32\lsass.exe
C:\WINDOWS\BACKUP\system32\svchost.exe
C:\WINDOWS\BACKUP\System32\svchost.exe
C:\WINDOWS\BACKUP\system32\spoolsv.exe
C:\WINDOWS\BACKUP\System32\MsPMSPSv.exe
C:\WINDOWS\BACKUP\system32\rundll32.exe
C:\WINDOWS\BACKUP\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\BACKUP\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132896664687
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\BACKUP\system32\m228lcfu1f28.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\BACKUP\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Bannock123Love, 25 November 2005 - 05:18 PM.
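The O20 Winlogon Notify line in the log above is the one entry that stands out: a DLL with a generated-looking name loaded from system32 by winlogon.exe, which is exactly the kind of component a user-mode scan cannot unload. As an added example (editorial, not part of this thread and not HijackThis code), the Python script below pulls the entry types an analyst checks first out of a HijackThis log: O20 Winlogon Notify DLLs, O23 services with no publisher in their version info, and O4 Run entries that name a bare file with no path. The sample input is a handful of lines copied from the logs posted in this thread, with one benign entry per section for contrast. The "random-looking name" heuristic and its threshold are my assumption, not a HijackThis or Spy Sweeper rule; it fires on m228lcfu1f28 and gpp0l37m1 but not on WRLogonNTF or ati2sgag.

```python
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis logs posted in this thread
# (the first log and the post-reboot log), plus one benign entry per section.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\BACKUP\system32\m228lcfu1f28.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\BACKUP\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\BACKUP\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RUN = re.compile(r"Run: \[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")


@dataclass
class Finding:
    section: str
    target: str
    reasons: list = field(default_factory=list)


def looks_random(stem, min_transitions=3):
    """Assumed heuristic (not a HijackThis or Spy Sweeper rule): a file stem that
    switches between letters and digits several times, like m228lcfu1f28 or
    gpp0l37m1, is typical of a generated name. WRLogonNTF and ati2sgag do not trip it."""
    chars = [c for c in stem if c.isalnum()]
    transitions = sum(1 for a, b in zip(chars, chars[1:]) if a.isdigit() != b.isdigit())
    return transitions >= min_transitions


def file_stem(path):
    name = path.strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage(log_text):
    """Return the O4/O20/O23 entries an analyst would look at first, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O20":
            # "Winlogon Notify: <subkey> - <dll>". Notify DLLs are loaded into
            # winlogon.exe at logon, so they are "in use" whenever a user is logged on.
            path = body.rsplit(" - ", 1)[-1]
            f = Finding(section, path, ["Winlogon Notify DLL loaded by winlogon.exe"])
            if looks_random(file_stem(path)):
                f.reasons.append("random-looking file name")
            findings.append(f)
        elif section == "O23":
            # "Service: <display name> - <owner> - <binary>"
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                findings.append(Finding(section, parts[2],
                                        ["service binary carries no company name in its version info"]))
        elif section == "O4":
            r = O4_RUN.search(body)
            if r and "\\" not in r.group("cmd").strip('"'):
                # A bare file name is resolved through the search path at logon,
                # so check which file of that name actually gets started.
                findings.append(Finding(section, r.group("cmd"),
                                        ["Run entry names a bare file with no path"]))
    return findings


def suspects(findings):
    """Findings that combine a persistence location with a random-looking name."""
    return [f for f in findings if "random-looking file name" in f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:<4}{f.target}\n     {'; '.join(f.reasons)}")
```

Run against the sample, the only entry that gets both reasons is the SideBySide notify DLL; the Webroot WRNotifier entry is reported as a notify DLL but not as random, and the ATI service and the CTHELPER.EXE run entry come out as review items rather than suspects. The heuristic is a filter for where to look, not a verdict: CYDC0001.DLL, which Spy Sweeper also attributes to Look2Me later in this thread, would not trip it.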



#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 25 November 2005 - 05:29 PM

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

David

#3 Bannock123Love

  • Topic Starter

  • Members
  • 4 posts

Posted 25 November 2005 - 05:55 PM

********
3:34 PM: | Start of Session, Friday, November 25, 2005 |
3:34 PM: Spy Sweeper started
3:34 PM: Sweep initiated using definitions version 575
3:34 PM: Starting Memory Sweep
3:34 PM: Found Adware: icannnews
3:34 PM: Detected running threat: C:\WINDOWS\BACKUP\system32\m228lcfu1f28.dll (ID = 83)
3:35 PM: Detected running threat: C:\WINDOWS\BACKUP\system32\CYDC0001.DLL (ID = 83)
3:35 PM: Memory Sweep Complete, Elapsed Time: 00:01:41
3:35 PM: Starting Registry Sweep
3:40 PM: Found Adware: targetsaver
3:40 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: Found Trojan Horse: trojan-backdoor-zubox
3:41 PM: HKCR\acpi.acpi.1\ (3 subtraces) (ID = 484081)
3:41 PM: HKCR\acpi.acpi.1\clsid\ (1 subtraces) (ID = 484083)
3:41 PM: HKCR\acpi.ext\ (5 subtraces) (ID = 484085)
3:41 PM: HKCR\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484093)
3:41 PM: HKCR\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484124)
3:41 PM: HKLM\software\classes\acpi.acpi.1\ (3 subtraces) (ID = 484140)
3:41 PM: HKLM\software\classes\acpi.ext\ (5 subtraces) (ID = 484144)
3:41 PM: HKLM\software\classes\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484152)
3:41 PM: HKLM\software\classes\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484210)
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: HKU\S-1-5-21-1614895754-1644491937-839522115-1003\software\mzs\mdms\ (4 subtraces) (ID = 480808)
3:41 PM: HKU\S-1-5-21-1614895754-1644491937-839522115-1003\software\mzs\mdms\mzu\ || pt (ID = 656825)
3:41 PM: Found Trojan Horse: trojan-backdoor-superbgirlz
3:41 PM: HKU\S-1-5-21-1614895754-1644491937-839522115-1003\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:41 PM: Registry Sweep Complete, Elapsed Time:00:05:50
3:41 PM: Starting Cookie Sweep
3:41 PM: Found Spy Cookie: abcsearch cookie
3:41 PM: owner@abcsearch[1].txt (ID = 2033)
3:41 PM: Found Spy Cookie: yieldmanager cookie
3:41 PM: owner@ad.yieldmanager[1].txt (ID = 3751)
3:41 PM: Found Spy Cookie: adknowledge cookie
3:41 PM: owner@adknowledge[1].txt (ID = 2072)
3:41 PM: Found Spy Cookie: atlas dmt cookie
3:41 PM: owner@atdmt[2].txt (ID = 2253)
3:41 PM: Found Spy Cookie: azjmp cookie
3:41 PM: owner@azjmp[2].txt (ID = 2270)
3:41 PM: Found Spy Cookie: belnk cookie
3:41 PM: owner@belnk[1].txt (ID = 2292)
3:41 PM: owner@dist.belnk[2].txt (ID = 2293)
3:41 PM: Found Spy Cookie: starware.com cookie
3:41 PM: owner@h.starware[1].txt (ID = 3442)
3:41 PM: Found Spy Cookie: screensavers.com cookie
3:41 PM: owner@i.screensavers[1].txt (ID = 3298)
3:41 PM: Found Spy Cookie: overture cookie
3:41 PM: owner@perf.overture[1].txt (ID = 3106)
3:41 PM: Found Spy Cookie: rn11 cookie
3:41 PM: owner@rn11[2].txt (ID = 3261)
3:41 PM: owner@starware[2].txt (ID = 3441)
3:41 PM: Found Spy Cookie: tribalfusion cookie
3:41 PM: owner@tribalfusion[1].txt (ID = 3589)
3:41 PM: Found Spy Cookie: paypopup cookie
3:41 PM: owner@www.paypopup[1].txt (ID = 3120)
3:41 PM: owner@www.starware[1].txt (ID = 3442)
3:41 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:41 PM: Starting File Sweep
3:42 PM: Found Adware: keenvalue/perfectnav
3:42 PM: c:\program files\perfectnav (1 subtraces) (ID = -2147480782)
3:42 PM: Found Adware: look2me
3:42 PM: gpp0l37m1.dll (ID = 159)
3:42 PM: Found Adware: altnet
3:42 PM: admdata.dll (ID = 49784)
3:42 PM: Found Adware: bonzi buddy
3:42 PM: newshortcut2.url (ID = 51620)
3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:43 PM: cydc0001.dll (ID = 159)
3:43 PM: Found Adware: bullguard popup ad
3:43 PM: bulldownload.exe (ID = 52017)
3:43 PM: dminfo2.cab (ID = 49820)
3:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:44 PM: Found Adware: spysheriff
3:44 PM: secure32.html (ID = 184319)
3:44 PM: m228lcfu1f28.dll (ID = 159)
3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:45 PM: adm.exe (ID = 49774)
3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:49 PM: tsuninst.exe (ID = 193501)
3:49 PM: oiuol.exe (ID = 195130)
3:49 PM: oiuop.exe (ID = 195132)
3:49 PM: class-barrel (ID = 78229)
3:49 PM: oiuoc.dll (ID = 195129)
3:49 PM: vocabulary (ID = 78283)
3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:50 PM: secure32.html (ID = 184319)
3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:50 PM: File Sweep Complete, Elapsed Time: 00:08:41
3:50 PM: Full Sweep has completed. Elapsed time 00:16:20
3:50 PM: Traces Found: 94
3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:51 PM: Removal process initiated
3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:51 PM: Quarantining All Traces: icannnews
3:51 PM: icannnews is in use. It will be removed on reboot.
3:51 PM: C:\WINDOWS\BACKUP\system32\m228lcfu1f28.dll is in use. It will be removed on reboot.
3:51 PM: C:\WINDOWS\BACKUP\system32\CYDC0001.DLL is in use. It will be removed on reboot.
3:51 PM: Quarantining All Traces: look2me
3:51 PM: look2me is in use. It will be removed on reboot.
3:51 PM: gpp0l37m1.dll is in use. It will be removed on reboot.
3:51 PM: cydc0001.dll is in use. It will be removed on reboot.
3:51 PM: m228lcfu1f28.dll is in use. It will be removed on reboot.
3:51 PM: Quarantining All Traces: spysheriff
3:51 PM: Quarantining All Traces: trojan-backdoor-zubox
3:51 PM: Quarantining All Traces: bonzi buddy
3:51 PM: Quarantining All Traces: trojan-backdoor-superbgirlz
3:51 PM: Quarantining All Traces: altnet
3:51 PM: Quarantining All Traces: bullguard popup ad
3:51 PM: Quarantining All Traces: keenvalue/perfectnav
3:51 PM: Quarantining All Traces: targetsaver
3:51 PM: Quarantining All Traces: abcsearch cookie
3:51 PM: Quarantining All Traces: adknowledge cookie
3:51 PM: Quarantining All Traces: atlas dmt cookie
3:51 PM: Quarantining All Traces: azjmp cookie
3:51 PM: Quarantining All Traces: belnk cookie
3:51 PM: Quarantining All Traces: overture cookie
3:51 PM: Quarantining All Traces: paypopup cookie
3:51 PM: Quarantining All Traces: rn11 cookie
3:51 PM: Quarantining All Traces: screensavers.com cookie
3:51 PM: Quarantining All Traces: starware.com cookie
3:51 PM: Quarantining All Traces: tribalfusion cookie
3:51 PM: Quarantining All Traces: yieldmanager cookie
3:51 PM: Warning: Launched explorer.exe
3:51 PM: Warning: Quarantine process could not restart Explorer.
3:52 PM: Removal process completed. Elapsed time 00:01:25
********
3:31 PM: | Start of Session, Friday, November 25, 2005 |
3:31 PM: Spy Sweeper started
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: Your spyware definitions have been updated.
3:34 PM: | End of Session, Friday, November 25, 2005 |
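The session log above is mostly repetition from the communication shield, and the detail that matters for the next step (which files could not be removed and were left for reboot, which is why the reboot in the instructions is marked IMPORTANT) is buried in it. As an added example (editorial, not from this thread and not Webroot's code), the Python script below summarises a Spy Sweeper session log: block counts per domain, traces grouped by family, the "removed on reboot" list, and the total trace count. The input is a constructed excerpt of lines taken from the log above, shortened so the result can be checked by hand. One assumption is built in: Spy Sweeper prints "Found <family>" once per family, so a later trace carrying an already seen definition ID (for example 159, shared by gpp0l37m1.dll, cydc0001.dll and m228lcfu1f28.dll) is attributed to that family rather than to the family named most recently.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: lines taken from the Spy Sweeper session log posted above,
# shortened so the summary can be checked by hand.
SESSION_EXCERPT = r"""
3:34 PM: | Start of Session, Friday, November 25, 2005 |
3:34 PM: Sweep initiated using definitions version 575
3:34 PM: Found Adware: icannnews
3:34 PM: Detected running threat: C:\WINDOWS\BACKUP\system32\m228lcfu1f28.dll (ID = 83)
3:35 PM: Detected running threat: C:\WINDOWS\BACKUP\system32\CYDC0001.DLL (ID = 83)
3:40 PM: Found Adware: targetsaver
3:40 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:42 PM: Found Adware: look2me
3:42 PM: gpp0l37m1.dll (ID = 159)
3:42 PM: Found Adware: bonzi buddy
3:42 PM: newshortcut2.url (ID = 51620)
3:43 PM: cydc0001.dll (ID = 159)
3:44 PM: Found Adware: spysheriff
3:44 PM: secure32.html (ID = 184319)
3:44 PM: m228lcfu1f28.dll (ID = 159)
3:50 PM: Traces Found: 94
3:51 PM: Removal process initiated
3:51 PM: Quarantining All Traces: icannnews
3:51 PM: icannnews is in use. It will be removed on reboot.
3:51 PM: C:\WINDOWS\BACKUP\system32\m228lcfu1f28.dll is in use. It will be removed on reboot.
3:51 PM: gpp0l37m1.dll is in use. It will be removed on reboot.
3:52 PM: Removal process completed. Elapsed time 00:01:25
"""

LINE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (?P<msg>.*)$")
TRACE = re.compile(r"^(?P<trace>.+) \(ID = (?P<id>-?\d+)\)$")
BLOCKED = "The Spy Communication shield has blocked access to: "
IN_USE = " is in use. It will be removed on reboot."
RUNNING = "Detected running threat: "


@dataclass
class SessionSummary:
    blocked: Counter = field(default_factory=Counter)   # domain -> block count
    traces: dict = field(default_factory=dict)          # family -> [trace, ...]
    deferred: list = field(default_factory=list)        # files left for reboot
    traces_found: Optional[int] = None


def summarize(log_text):
    s = SessionSummary()
    current = None      # family named by the most recent "Found ..." line
    id_to_family = {}   # definition ID -> family, for traces logged out of order
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith(BLOCKED):
            s.blocked[msg[len(BLOCKED):]] += 1
        elif msg.startswith("Found ") and ": " in msg:
            current = msg.split(": ", 1)[1]
            s.traces.setdefault(current, [])
        elif msg.endswith(IN_USE):
            name = msg[: -len(IN_USE)]
            if name not in s.traces:            # skip "<family> is in use" lines
                s.deferred.append(name)
        elif msg.startswith("Traces Found: "):
            s.traces_found = int(msg.split(": ", 1)[1])
        else:
            t = TRACE.match(msg)
            if not t:
                continue
            trace = t.group("trace")
            if trace.startswith(RUNNING):
                trace = trace[len(RUNNING):]
            # Assumption: a definition ID seen before belongs to the family it was
            # first logged under, even if another "Found" line has appeared since.
            family = id_to_family.get(t.group("id"), current)
            if family is None:
                continue
            id_to_family.setdefault(t.group("id"), family)
            s.traces.setdefault(family, []).append(trace)
    return s


def report(s):
    lines = [f"traces found: {s.traces_found}"]
    for family, traces in s.traces.items():
        lines.append(f"{family}: {len(traces)} trace(s)")
        lines.extend(f"    {t}" for t in traces)
    lines.append("deferred to reboot: " + ", ".join(s.deferred))
    for domain, n in s.blocked.most_common():
        lines.append(f"blocked {n}x: {domain}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SESSION_EXCERPT)))
```

On the excerpt, the deferred list is the two DLLs that were loaded into running processes (the same m228lcfu1f28.dll that the first HijackThis log shows as a Winlogon Notify entry), which is what the follow-up HJT log after reboot needs to confirm is gone. The ID-reuse rule is a heuristic: where a family's traces carry different IDs, as the registry entries for trojan-backdoor-zubox do, attribution falls back to the most recent "Found" line, and Spy Sweeper's own definition IDs remain the authority.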

#4 Bannock123Love

  • Topic Starter

  • Members
  • 4 posts

Posted 25 November 2005 - 06:02 PM

HJT log after reboot


Logfile of HijackThis v1.99.1
Scan saved at 3:59:24 PM, on 11/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\BACKUP\System32\smss.exe
C:\WINDOWS\BACKUP\system32\winlogon.exe
C:\WINDOWS\BACKUP\system32\services.exe
C:\WINDOWS\BACKUP\system32\lsass.exe
C:\WINDOWS\BACKUP\system32\svchost.exe
C:\WINDOWS\BACKUP\System32\svchost.exe
C:\WINDOWS\BACKUP\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\BACKUP\System32\MsPMSPSv.exe
C:\WINDOWS\BACKUP\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\BACKUP\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\BACKUP\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132896664687
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\BACKUP\SYSTEM32\WRLogonNTF.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\BACKUP\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 Bannock123Love

  • Topic Starter

  • Members
  • 4 posts

Posted 25 November 2005 - 06:49 PM

Now when I reboot, I get a blue screen saying stuff... i386p.sys
Rebooted in last known configuration and then rebooted again and still got the message.
Rebooted once more and the message was gone.
OMG IT'S WORSE NOW AHHH HELP!

Edited by Bannock123Love, 25 November 2005 - 07:00 PM.


#6 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 26 November 2005 - 04:14 AM

Download WinPFind!
  • Extract WinPFind.zip to your c:\ folder.
  • Reboot your computer into Safe Mode
  • Then open c:\WinPFind and double-click on WinPFind.exe.
  • When the program is open, click on the Start Scan button to start scanning your computer.
  • Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed.
  • Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
David



