Results 1 to 3 of 3

Thread: Spy Sherrif Infestation

  1. 2005-12-17, 00:20 #1
    vk5jjj
    vk5jjj is offline
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Unhappy Spy Sherrif Infestation

    Hello all, My wife's PC has just got infected. A pop up warning of a 'Spyware Infection' (red letters on black background) appears on start up. Numerous other pop ups appear. There was also some porn sites on the favourites colum which i quite confident wife wife did not put there.

    I have run ad-aware, spybot. The system runs Symantec Antivirus Corporate edition.

    Here is the Hi jack log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:44:47 AM, on 17/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\netdx.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\AVWLPSTA.EXE
    C:\WINNT\shico.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINNT\system32\sdkll32.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\TEMP\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\vviah.dll/sp.html#53926%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\vviah.dll/sp.html#53926%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\vviah.dll/sp.html#53926%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\vviah.dll/sp.html#53926%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\vviah.dll/sp.html#53926%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\vviah.dll/sp.html#53926%everything4find.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\vviah.dll/sp.html#53926%everything4find.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {02DAAF1A-BCBB-44FB-C176-7F4CDEFE89CE} - C:\WINNT\sdkbo32.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVWLPSTA.exe] AVWLPSTA.EXE START
    O4 - HKLM\..\Run: [shico] C:\WINNT\shico.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wersds.exe] C:\WINNT\system32\doriot.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [crnu32.exe] C:\WINNT\system32\crnu32.exe
    O4 - HKLM\..\Run: [sdkll32.exe] C:\WINNT\system32\sdkll32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [wersds.exe] C:\WINNT\system32\doriot.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.virgincreditcard.com.au
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
    O16 - DPF: {81296632-05C2-4A99-8271-77EBCFE7844A} (NPEVPCFG.UserControl1) - http://voicecafe.optecs.net/confighelp/NPEVPCFG.CAB
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\netdx.exe" /s (file missing)
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

    The everything4find..., R3 defaultURL..., is peristent (have deleted it with HiJack twice)

    Your suggestions welcome.

    Chris

    Hi there, please don't add to your topic as helpers look for zero replies. I removed your last post. - tashi
    Last edited by tashi; 2005-12-17 at 12:42. Reason: Removed email address for member's protection against spam bots
  2. 2005-12-19, 19:33 #2
    LonnyRJones
    LonnyRJones is offline
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi vk5jjj, Welcome to the forum.

    Turn off SpyBots Tea timer in this fashion >
    Open SpyBot, on the toolbar menu select mode and switch to advanced mode, >tools > resident uncheck tea timer, close SpyBot, if the tea timer icon is still in the tray (clock area) right-click exit resident, dont turn it on until we are completely finished or we suggest it.

    Make and Post a fresh Hiajckthis log now that tea timer is off
  3. 2005-12-23, 18:15 #3
    tashi
    tashi is offline
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Default

    vk5jjj, do you still need assistance?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules