Infected Spy Sheriff


16 replies to this topic

#1 Furnace (Members, 13 posts)

Posted 14 March 2006 - 10:01 AM

Hi

Can anybody help me? I've been trying to get rid of SPY SHERIFF off my computer for the past week
with only partial success. I have followed the instructions posted by Grinler and managed to remove the desktop message which said YOU HAVE BEEN INFECTED or something similar; I noticed this is different to what is posted, I'm not sure if that is significant or not? Anyway I still have some very annoying glitches happening to my computer: no. 1 being I can't access my Windows Firewall settings (it has been turned off), no. 2 I'm stuck in Windows classic mode and no. 3 the infection is stopping me from connecting to Windows Update and online virus scans. How can a company infect your computer as a way to make you buy its software? Surely it's illegal. If anyone can help it would be much appreciated. :thumbsup:


P.S. I have attached this HijackThis log if it's of any help:
Logfile of HijackThis v1.99.1
Scan saved at 10:10:51 PM, on 14/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\Documents and Settings\D.O'doherty\Desktop\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


#2 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Belgium)

Posted 14 March 2006 - 11:28 AM

Hello,

This is indeed a nasty log. Spysheriff is only a small concern here. You are dealing with a much worse infection.

First of all, uninstall AdwareAlert, because this one was present on the blacklist before. Now it is removed from the blacklist, but I still have my doubts whether it is trustworthy or not.

Uninstall Spysheriff as well if still present.

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:


C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now.

After reboot,

* Download: Hoster
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

Now you should be able to connect to security related sites.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
I'll need that log afterwards.

Now let's take a look at your Windows Firewall and other security related settings...

Open Notepad and copy and paste the next (bold) text from the quote box into it:

rem Export the firewall policy, firewall group policy and Security Center keys to text files
regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
regedit /e peek3.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center"
regedit /e peek4.txt "HKEY_CURRENT_USER\Software\Microsoft\Security Center"
regedit /e peek5.txt "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall"
rem Join the five exports into look.txt, remove the temporary files and open the result
type peek1.txt >> look.txt
type peek2.txt >> look.txt
type peek3.txt >> look.txt
type peek4.txt >> look.txt
type peek5.txt >> look.txt
del peek*.txt
start notepad look.txt


Save this as look.bat, choose to save as *all files and place it on your desktop.
Doubleclick look.bat and notepad will open.
Copy and paste the contents in your next reply together with a new HijackThis log and the log from Kaspersky Online.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Furnace (Topic Starter; Members, 13 posts)

Posted 15 March 2006 - 04:42 AM

Hi Miekiemoes


In reply to your last post, I followed your instructions; I'm pretty sure I didn't miss anything out, and here are the results for you to digest. I really appreciate your help, you deserve a medal :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 5:36:09 PM, on 15/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Documents and Settings\D.O'doherty\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, March 15, 2006 4:51:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/03/2006
Kaspersky Anti-Virus database records: 182422
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
J:\

Scan Statistics:
Total number of scanned objects: 167783
Number of viruses found: 8
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 02:01:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\D.O'doherty\Local Settings\Application Data\Identities\{F6DF63F6-EB46-4F6C-9284-BA3EE538B040}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "ally_lewis76" <ally_lewis76@hotmail.com>][Date 14 Mar 2006 10:56:28 -0800]/UNNAMED/Attachments00.HQX/Attachments,zip Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\D.O'doherty\Local Settings\Application Data\Identities\{F6DF63F6-EB46-4F6C-9284-BA3EE538B040}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "ally_lewis76" <ally_lewis76@hotmail.com>][Date 14 Mar 2006 10:56:28 -0800]/UNNAMED/Attachments00.HQX Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\D.O'doherty\Local Settings\Application Data\Identities\{F6DF63F6-EB46-4F6C-9284-BA3EE538B040}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "ally_lewis76" <ally_lewis76@hotmail.com>][Date 14 Mar 2006 10:56:28 -0800]/UNNAMED Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\D.O'doherty\Local Settings\Application Data\Identities\{F6DF63F6-EB46-4F6C-9284-BA3EE538B040}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "ally_lewis76" <ally_lewis76@hotmail.com>][Date 14 Mar 2006 10:56:28 -0800]/UNNAMED/Attachments00.HQX/Attachments,zip Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\D.O'doherty\Local Settings\Application Data\Identities\{F6DF63F6-EB46-4F6C-9284-BA3EE538B040}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "ally_lewis76" <ally_lewis76@hotmail.com>][Date 14 Mar 2006 10:56:28 -0800]/UNNAMED/Attachments00.HQX Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\D.O'doherty\Local Settings\Application Data\Identities\{F6DF63F6-EB46-4F6C-9284-BA3EE538B040}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From "ally_lewis76" <ally_lewis76@hotmail.com>][Date 14 Mar 2006 10:56:28 -0800]/UNNAMED Infected: Email-Worm.Win32.Nyxem.e skipped
C:\Documents and Settings\D.O'doherty\Local Settings\Application Data\Identities\{F6DF63F6-EB46-4F6C-9284-BA3EE538B040}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Mail MS Outlook 5: infected - 6 skipped
C:\My Documents\Muther Store\cracks patch\hl1110.zip/hl1110.exe/WISE0025.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped
C:\My Documents\Muther Store\cracks patch\hl1110.zip/hl1110.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped
C:\My Documents\Muther Store\cracks patch\hl1110.zip ZIP: infected - 2 skipped
C:\secure32.html Infected: Trojan.Win32.Harnig.a skipped
C:\System Volume Information\_restore{051361BB-EFCB-4AEA-9420-01EBBBEECB00}\RP374\A0030315.dll Infected: Backdoor.Win32.IRCBot.ma skipped
C:\System Volume Information\_restore{051361BB-EFCB-4AEA-9420-01EBBBEECB00}\RP374\A0030316.dll Infected: Backdoor.Win32.IRCBot.ma skipped
C:\System Volume Information\_restore{051361BB-EFCB-4AEA-9420-01EBBBEECB00}\RP387\A0032176.exe Infected: not-a-virus:NetTool.Win32.BSM.18 skipped
C:\System Volume Information\_restore{051361BB-EFCB-4AEA-9420-01EBBBEECB00}\RP387\A0032211.dll Infected: Backdoor.Win32.IRCBot.ma skipped
C:\System Volume Information\_restore{051361BB-EFCB-4AEA-9420-01EBBBEECB00}\RP387\A0032212.exe Infected: Trojan-Downloader.Win32.Tiny.al skipped
C:\System Volume Information\_restore{051361BB-EFCB-4AEA-9420-01EBBBEECB00}\RP387\A0032214.bat Infected: Trojan.BAT.Zapchast skipped
C:\System Volume Information\_restore{051361BB-EFCB-4AEA-9420-01EBBBEECB00}\RP387\A0032241.dll Infected: Backdoor.Win32.IRCBot.ma skipped
C:\WINDOWS\secure32.html Infected: Trojan.Win32.Harnig.a skipped
G:\internet Progam's\net ant's\netants.zip/setup.exe/CD_INSTALL_268.EXE/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
G:\internet Progam's\net ant's\netants.zip/setup.exe/CD_INSTALL_268.EXE/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
G:\internet Progam's\net ant's\netants.zip/setup.exe/CD_INSTALL_268.EXE Infected: not-a-virus:AdWare.Win32.Cydoor skipped
G:\internet Progam's\net ant's\netants.zip/setup.exe Infected: not-a-virus:AdWare.Win32.Cydoor skipped
G:\internet Progam's\net ant's\netants.zip ZIP: infected - 4 skipped
G:\Muther Store\cracks patch\hl1110.zip/hl1110.exe/WISE0025.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped
G:\Muther Store\cracks patch\hl1110.zip/hl1110.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped
G:\Muther Store\cracks patch\hl1110.zip ZIP: infected - 2 skipped

Scan process completed.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Security Center]
"FirstRun"=dword:00000001

#4 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Belgium)

Posted 15 March 2006 - 05:19 AM

Hi,

Go to Start > Run and copy and paste the next commands one by one into the field, pressing Enter after every command:

sc delete NTBOOT

sc delete NTLOAD

sc delete NTSVCMGR

Delete the next files (cracks and patches are the main cause of an infected system, so you have to change your habits if you want to stay clean and avoid this):

C:\My Documents\Muther Store\cracks patch\hl1110.zip
G:\internet Progam's\net ant's\netants.zip
G:\Muther Store\cracks patch\hl1110.zip
C:\secure32.html

Open Outlook Express, select the Hotmail account in there and delete everything present in the 'Deleted Items' folder.

Let's re-enable your Windows Firewall now... first check if you can already access it. In case you can't, perform the next:

1. Go to Start > Run and copy and paste the next command into the field:

NETSH FIREWALL RESET

Click ok

Wait till the DOS prompt (black window) closes again.
Then look if you can access the firewall settings again.
If this doesn't work, go to step 2.

2. Go to Start > Run and copy and paste the next command into the field:

services.msc

Search in the list for Windows Firewall/Internet Connection Sharing (ICS) <== if this isn't present, go to step 3.

Click "Stop" there.
Click OK and close the window.

Then go back to your Control Panel and click: Windows Firewall
You should get an error then, telling you that the service Windows Firewall/Internet Connection Sharing (ICS) is disabled/stopped and asking if you want to enable/start it.
Click Yes/OK.
So the service should be started again and you will be able to change settings in it.

3. (Only perform this if step 1 failed)
Download this regfix:
http://windowsxp.mvps.org/reg/sharedaccess.reg
Place it on your desktop.
Now double-click sharedaccess.reg
Click Yes/OK at the prompt.

Then REBOOT!! Important!

After reboot, go to Start > Run and copy and paste the next command into the field:

NETSH FIREWALL RESET

Click ok

Wait till the DOS prompt (black window) closes again.
Then look if you can access the firewall settings again.

Post a new HijackThis log in your next reply.
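As an added example that is not part of this thread or of HijackThis itself, here is a Python script that applies the checks miekiemoes makes by eye in posts #2 and #4 to the O23 service lines of a HijackThis log: an "Unknown owner", a binary outside the usual service directories, and a "(file missing)" registration left behind after the file was deleted, for which it prints the matching "sc delete" commands. The sample log lines and the list of expected directories are this example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in HijackThis v1.99.1 format, modelled on the O23 lines
# in the logs posted in this thread (service names and paths are the ones shown there).
SAMPLE_HJT = r"""
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


class Service(NamedTuple):
    display: str       # display name as HijackThis prints it
    short: str         # service name in parentheses; the name 'sc delete' expects
    owner: str         # company name read from the binary, or "Unknown owner"
    path: str
    file_missing: bool


_O23_RE = re.compile(
    r"^O23 - Service: (?P<disp>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
_SHORT_RE = re.compile(r"^(?P<disp>.+) \((?P<short>[^()]+)\)$")

# Heuristic assumption of this example: directories where services normally
# live on a Windows XP machine; anything else is reported for review.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_o23(log: str) -> List[Service]:
    """Extract the O23 (service) entries from a HijackThis log."""
    services: List[Service] = []
    for line in log.splitlines():
        m = _O23_RE.match(line.strip())
        if not m:
            continue
        disp = m.group("disp")
        s = _SHORT_RE.match(disp)
        short = s.group("short") if s else disp
        services.append(Service(disp, short, m.group("owner"), m.group("path"),
                                m.group("missing") is not None))
    return services


def reasons_for(svc: Service) -> List[str]:
    """Why a service entry deserves a closer look (empty list = nothing odd)."""
    reasons: List[str] = []
    if svc.owner == "Unknown owner":
        reasons.append("binary carries no company name (Unknown owner)")
    if not svc.path.lower().startswith(EXPECTED_DIRS):
        reasons.append("binary in an unusual directory")
    if svc.file_missing:
        reasons.append("binary is gone but the service registration remains")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map service name -> reasons, for every entry with at least one reason."""
    result: Dict[str, List[str]] = {}
    for svc in parse_o23(log):
        reasons = reasons_for(svc)
        if reasons:
            result[svc.short] = reasons
    return result


def cleanup_commands(log: str) -> List[str]:
    """'sc delete' lines for orphaned registrations, the step post #4 takes
    once the files themselves have been removed."""
    return [f"sc delete {svc.short}" for svc in parse_o23(log) if svc.file_missing]


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_HJT).items():
        print(f"{name}: " + "; ".join(reasons))
    print("\n".join(cleanup_commands(SAMPLE_HJT)))
```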

#5 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Belgium)

Posted 15 March 2006 - 05:27 AM

By the way, did you modify some settings in your Security Center yourself?
Because I see that you don't receive an alert when your antivirus is disabled.

You can change that again by opening Security Center and clicking 'Change the way Security Center alerts me'.
Check Virus Protection.
This enables the alert again if your antivirus gets disabled.

Also look here for more info and screenshots:
http://www.theeldergeek.com/security_center.htm
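As an added example (not from this thread or from any tool it mentions), a Python script that parses the look.txt export produced by the look.bat from post #2 and flags the settings miekiemoes reads out of it: AntiVirusOverride=1 (no alert when the antivirus is disabled), the per-vendor DisableMonitoring switches, EnableFirewall=0 under a firewall profile or policy, and globally open ports whose scope is any address. The embedded sample is a constructed excerpt of the export posted above, and the severity labels are this example's own.

```python
import re
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (severity, registry key, message)

# Constructed excerpt of a look.txt produced by the look.bat script in post #2
# (several 'regedit /e' exports concatenated, which is why the header repeats).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse one or more concatenated 'regedit /e' exports into
    {key_path: {value_name: value}}; dword values become ints, quoted
    strings become str, and other data types are kept as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue                          # blank line or export header
        sec = _SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            keys.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name, data = val.group(1), val.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1]
            else:
                keys[current][name] = data
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Apply this example's checks to a parsed export."""
    findings: List[Finding] = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith("\\security center"):
            # Override=1 tells Security Center the protection is handled elsewhere,
            # so it stays silent when that protection is actually off.
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append(("HIGH", key, f"{name}=1: no alert when that protection is disabled"))
            for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
                if values.get(name) == 1:
                    findings.append(("MEDIUM", key, f"{name}=1: Security Center notification suppressed"))
        elif "\\security center\\monitoring\\" in low and values.get("DisableMonitoring") == 1:
            # Vendor suites may set this themselves, so it is reported for review only.
            product = key.rsplit("\\", 1)[1]
            findings.append(("INFO", key, f"Security Center monitoring of {product} is disabled"))
        if ("\\firewallpolicy\\" in low or "\\policies\\microsoft\\windowsfirewall" in low) \
                and values.get("EnableFirewall") == 0:
            findings.append(("HIGH", key, "EnableFirewall=0: Windows Firewall is off for this profile"))
        if low.endswith("\\globallyopenports\\list"):
            # Entry data has the form "port:protocol:scope:state:description".
            for data in values.values():
                parts = str(data).split(":")
                if len(parts) >= 4 and parts[3] == "Enabled" and parts[2] == "*":
                    findings.append(("INFO", key, f"port {parts[0]}/{parts[1]} open to any remote address"))
    return findings


def audit_text(text: str) -> List[Finding]:
    return audit(parse_reg_export(text))


if __name__ == "__main__":
    # regedit /e writes UTF-16LE text, hence the encoding when reading a real look.txt.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for severity, key, message in audit_text(text):
        print(f"[{severity}] {key}\n        {message}")
```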

#6 Furnace (Topic Starter; Members, 13 posts)

Posted 16 March 2006 - 04:35 AM

Hi miekiemoes

I followed the instructions in your last post and have attached the HijackThis log you requested. I am now able to access my firewall but still can't change from the Windows classic display mode. Just wondering if this is virus related or something else.


Thanks, Furnace :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 4:44:52 PM, on 16/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Documents and Settings\D.O'doherty\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#7 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Belgium)

Posted 16 March 2006 - 08:55 AM

Hello,

I am now able to access my firewall but still can't change from the Windows classic display mode. Just wondering if this is virus related or something else.


Good, the firewall problem is fixed.
So, as I understand it, you are stuck in Windows Classic mode? Did you use CleanUp! recently? This is a cleanup tool, and CleanUp can delete luna.msstyles.

Also check the next: right-click your desktop > Properties > tab Appearance and look under 'Windows and buttons' whether Windows XP style is present there. If not, perform the next first:

Open Notepad, copy and paste the next content (bold) into it:

rem /a lists every entry, hidden ones included, so luna.msstyles shows up if it is still there
dir C:\WINDOWS\Resources\Themes\Luna /a > files.txt
notepad files.txt


Save this as look.bat, choose to save as *all files and save it to your desktop.
Double-click on it and Notepad will open with some text in it.
Copy and paste this in your next reply.

#8 Furnace (Topic Starter; Members, 13 posts)

Posted 17 March 2006 - 01:42 AM

Hi again

To answer your question from your last post: yes, I used CleanUp when trying to get rid of Spy Sheriff and, after following your instructions, have realised I must have deleted it off my system. Anyway, I have pasted the report you wanted.


Regards, Furnace.


Volume in drive C is Local Disk
Volume Serial Number is 284D-462C

Directory of C:\WINDOWS\Resources\Themes\Luna

03/02/2006 06:04 PM <DIR> .
03/02/2006 06:04 PM <DIR> ..
06/06/2004 09:22 PM <DIR> Shell
0 File(s) 0 bytes

Directory of C:\Documents and Settings\D.O'doherty\Desktop

#9 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Belgium)

Posted 17 March 2006 - 05:34 AM

Hello,

Well, you are indeed missing your luna.msstyles. So let's fix that.

* Go to Kelly's Korner: http://www.kellys-korner-xp.com/xp_tweaks.htm
Go to list item #187, and in the RHS column, click on "Restore Luna Theme" to download "Resources.zip".
Unzip that (wherever you wish) and within those folders navigate to the "luna.msstyles".
Now MOVE the luna.msstyles present in that folder to the next folder: C:\WINDOWS\Resources\Themes\Luna
Don't move it anywhere else than that folder!

When you have moved it there, right-click your desktop > Properties > tab Appearance and look under 'Windows and buttons' whether Windows XP style is present again. Select it and choose Apply and OK.

#10 Furnace (Topic Starter; Members, 13 posts)

Posted 17 March 2006 - 12:53 PM

Hi

Thanks for the help, you have done a great job; I'm now able to get XP mode on my desktop. Big shout out to miekiemoes, RESPECT! Although I still have a feeling there's something nasty on my hard drive lurking somewhere, slowing my comp down!

Regards, Furnace

P.S. How do you use CleanUp without deleting the Luna files? :thumbsup:

#11 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Belgium)

Posted 17 March 2006 - 01:26 PM

Hello,

It's a good idea to post a new HijackThis log if you think there's still something present there.
Keep in mind, a slow system can also have other causes. But let's take a look at your HijackThis log first.

P.S. How do you use CleanUp without deleting the Luna files?


Well, I don't use CleanUp, since it deletes the luna.msstyles in some cases.
I use CCleaner instead: http://www.ccleaner.com/

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 March 2006 - 06:27 PM

Hi,

Can you perform the next steps please, just to be sure, because I see secure32.html in one of the previous logs, and this one comes in 80% of cases with a hidden infection present as well....

Download and save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found.
Don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.

#13 Furnace

Furnace
  • Topic Starter

  • Members
  • 13 posts

Posted 20 March 2006 - 07:59 PM

Hi


I have scanned my computer with HijackThis and Blacklight, although I didn't find anything with Blacklight. I have attached the logs for both.

Regards, Furnace. :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 8:47:38 AM, on 21/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\D.O'doherty\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


03/21/06 08:41:40 [Info]: BlackLight Engine 1.0.33 initialized
03/21/06 08:41:40 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/21/06 08:41:40 [Note]: 7019 4
03/21/06 08:41:40 [Note]: 7005 0
03/21/06 08:41:57 [Note]: 7006 0
03/21/06 08:41:57 [Note]: 7011 1852
03/21/06 08:41:57 [Note]: FSRAW library version 1.7.1015
03/21/06 08:43:34 [Note]: 7007 0

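A small added example (not part of the thread and not a HijackThis feature) of how a helper reads an O4 section like the one posted above: cross-checking each autostart entry against the "Running processes" list, since an autostart whose program is not running is worth a second look. The log excerpt is a constructed subset of the posted log, and skipping rundll32-hosted entries is an assumption made here because the host process exits after loading its DLL.

```python
import re
from pathlib import PureWindowsPath

# Constructed subset of the HijackThis log posted in this thread.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')

def image_path(command):
    """Program launched by an O4 command: the quoted path, or an unquoted path up to its extension."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r'(.+?\.(?:exe|com|scr|bat))(?:\s|$)', command, re.I)
    return m.group(1) if m else command.split()[0]

def parse_hjt(text):
    """Split a HijackThis log into the running-process list and structured O4 entries."""
    processes, autostarts = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        if in_procs:
            processes.append(line)
        elif (m := O4_RE.match(line)):
            hive, key, name, cmd = m.groups()
            autostarts.append({'hive': hive, 'key': key, 'name': name, 'image': image_path(cmd)})
    return processes, autostarts

def autostarts_not_running(text):
    """Names of O4 entries whose program is not in the running-process list (by file name).
    Assumption: rundll32-hosted entries are skipped, since the host exits after loading the DLL."""
    processes, autostarts = parse_hjt(text)
    running = {PureWindowsPath(p).name.lower() for p in processes} | {'rundll32.exe'}
    return [a['name'] for a in autostarts if PureWindowsPath(a['image']).name.lower() not in running]
```

On the excerpt this flags only the AdwareAlert entry, whose executable does not appear among the running processes; that is a prompt to look the entry up, not a verdict on it.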
#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 March 2006 - 01:00 AM

Hello,

That's good concerning Blacklight. I just wanted to be sure here.
Both logs look clean. :thumbsup:

#15 Furnace

Furnace
  • Topic Starter

  • Members
  • 13 posts

Posted 22 March 2006 - 05:05 AM

Hi

Just thought I'd post one last thank you for your help. I've learnt a lot and really appreciate your advice.
Bye :thumbsup:


Regards, Furnace

