Hi.
Have the Spyware infestation - need to get rid of it (obviously).

I'm not very good with this stuff so please try to explain everything as simply as possible.

I'm aware that you don't ever click on the fake 'you've got spyware' windows that pop-up when you're browsing, but when I started-up the computer & saw the Spy-Sheriff 'desktop ad', I fell for the 'Windows warning' (little yellow box that pops up from the taskbar) telling me to 'click here'. Then it installed the Spy-Sheriff program on the system.
** (I'm not sure whether this makes any difference, that's all)

As of right now I've gotten rid of the stupid background (a friend reccommended that I use 'Ad-Aware SE Personal'), but that was before I found this site, so I haven't done any of the other things this site suggests, and wasn't sure what to do since I've already used this first.

* And using Ad-Aware has gotten rig of the false desktop, but not the Spy-Sheriff detection program itself, or the 3 or 4 different kinds of pop-ups it seems to cause.
------------------------
I've downloaded 'Hijack-This' as your site reccommends and run it only to get the log, nothing else.

The log follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:44 AM, on 31/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\javapr32.exe
E:\Program Files\Winamp\Winampa.exe
E:\WINDOWS\System32\atiphexx.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Pintimh\Miryk.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\SurfAccuracy\SAcc.exe
E:\WINDOWS\System32\rundll32.exe
E:\WINDOWS\netmv.exe
E:\DOCUME~1\Dave\LOCALS~1\Temp\9.tmp.exe
E:\DOCUME~1\Dave\LOCALS~1\Temp\A.tmp.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\winstall.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\WINDOWS\system.exe
E:\WINDOWS\System32\cmd.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\sfprr.dll/sp.html#54688%
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\mlncb.dll/sp.html#54688%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://E:\WINDOWS\system32\sfprr.dll/sp.html#54688%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\system32\sfprr.dll/sp.html#54688%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://E:\WINDOWS\mlncb.dll/sp.html#54688%
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F3E69FD-6860-5121-9E8D-9B547E4E1698} - E:\WINDOWS\netbv.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - E:\Program Files\NewDotNet\newdotnet7_14.dll
O2 - BHO: Class - {708A6730-F9CB-D58D-1A1A-478BEC083EC0} - E:\WINDOWS\netze.dll
O2 - BHO: Class - {DEB4CCFF-72DB-C680-F21A-6DD02CE877D8} - E:\WINDOWS\system32\mfcsm.dll
O2 - BHO: Class - {FFCD035F-429E-054F-1D01-F49E14490C2E} - E:\WINDOWS\sdkwz32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ti] %systemroot%\ttt.bat
O4 - HKLM\..\Run: [version] E:\WINDOWS\System32\Qsnafh.exe
O4 - HKLM\..\Run: [Xbyhg] C:\Program Files\Pintimh\Miryk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SurfAccuracy] E:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 E:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [nmvkt] E:\WINDOWS\nmvkt.exe
O4 - HKLM\..\Run: [javafi32.exe] E:\WINDOWS\javafi32.exe
O4 - HKLM\..\Run: [9.tmp] E:\DOCUME~1\Dave\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [A.tmp] E:\DOCUME~1\Dave\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [netmv.exe] E:\WINDOWS\netmv.exe
O4 - HKLM\..\Run: [9.tmp.exe] E:\DOCUME~1\Dave\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [A.tmp.exe] E:\DOCUME~1\Dave\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - E:\WINDOWS\system32\javapr32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bit Torrent (Bt) - Unknown owner - E:\WINDOWS\system.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe



------------------------------------------------------------------------
Any help you can give will be greatly appreciated, and once again, I'm not very good with this stuff so please try to explain everything as simply as possible.


P.S. sorry the post is so long

Thanks,

Nameless One

Hello

In the windows control panel addremove programs uninstall
SurfAccurac
new.net
SpySheriff
restart the PC

Start Hijackthis and place a check next to these items If there.
O4 - HKLM\..\Run: [ti] %systemroot%\ttt.bat
O4 - HKLM\..\Run: [version] E:\WINDOWS\System32\Qsnafh.exe
O4 - HKLM\..\Run: [Xbyhg] C:\Program Files\Pintimh\Miryk.exe
O4 - HKLM\..\Run: [SurfAccuracy] E:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 E:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [nmvkt] E:\WINDOWS\nmvkt.exe
O4 - HKLM\..\Run: [9.tmp] E:\DOCUME~1\Dave\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [A.tmp] E:\DOCUME~1\Dave\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [9.tmp.exe] E:\DOCUME~1\Dave\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [A.tmp.exe] E:\DOCUME~1\Dave\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O23 - Service: Bit Torrent (Bt) - Unknown owner - E:\WINDOWS\system.exe
====================================
Hit fix checked and close Hijackthis.dont restart the pc just yet.

Download extract then run aboutbuster
http://www.downloads.subratam.org/AboutBuster.zip
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fallow the instuctions here and post the logs mentioned
http://forums.spybot.info/showthread.php?t=1958
(no need for the before Hiajckthis log)

Thankyou very much!
Will try what you suggested right away!

Followed your advice and have run into a few problems.

1: Used HijackThis and removed/fixed the files you suggested, (I) couldn't find the following ones in the list (this is after uninstalling Spy-Sheriff before-hand, as you suggested):
EPROGRA~1NEWDOT~1NEWDOT~1.DLL,ClientStartup -s
O4 - HKCU..Run [SpySheriff] CProgram FilesSpySheriffSpySheriff.exe
O23 - Service Bit Torrent (Bt) - Unknown owner - EWINDOWSsystem.exe
----
2: I did everything else in your post, then followed the directions in the "httpforums.spybot.infoshowthread.phpt=1958" thread, I followed down to 'B' and did a Hijack Scan anyway, and noticed that a lot of the 'O2-' are missing (will put the log at the end of post).
----
3: Proceeded fine down to 'D'. Ran SmitRem without problem until it got me to do the normal Windows 'Disk Cleanup'. That hasn't worked on my computer since about a fortnight after I got it 2 years ago! I let it go, once again, for about an hour, then cancelled it and went on to the next part.
I included the 'smitfiles.txt' at the end of the post anyway, just in-case.
If you know anything I can do to fix the 'Disk Cleanup' after everything else is fixed, that would be great. (maybe a Defrag?)
----
4: Went to 'E' (open Spybot-S&D). Did the 'check for problems' - went fine until about 3700 of 34714 - it then said "Scan aborted by user".
I hadn't touched anything and didn't have anything open/running except a text file of your instructions, which I closed and tried the scan again, but same result. I can't tell if the scan keeps going after it says it's aborted because the file progress at the bottom (3700 of 34714) changes to 'scan aborted'.
----
5: Would like to know if there is anyway to increase desktop resolution in Safe Mode. 640 x 480 is too small to see everything!

****
HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 3:02:06 PM, on 4/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system.exe
E:\WINDOWS\System32\cmd.exe
E:\Program Files\Winamp\Winampa.exe
E:\WINDOWS\System32\atiphexx.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F3E69FD-6860-5121-9E8D-9B547E4E1698} - E:\WINDOWS\netbv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {708A6730-F9CB-D58D-1A1A-478BEC083EC0} - E:\WINDOWS\netze.dll (file missing)
O2 - BHO: Class - {955DE456-4FC8-12F9-FA9B-0600591E904D} - E:\WINDOWS\apptg32.dll (file missing)
O2 - BHO: Class - {DEB4CCFF-72DB-C680-F21A-6DD02CE877D8} - E:\WINDOWS\system32\mfcsm.dll (file missing)
O2 - BHO: Class - {FFCD035F-429E-054F-1D01-F49E14490C2E} - E:\WINDOWS\sdkwz32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [javafi32.exe] E:\WINDOWS\javafi32.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bit Torrent (Bt) - Unknown owner - E:\WINDOWS\system.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

****

SmitRem Log:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 04/02/2006
The current time is: 15:28:50.40

Running from
E:\Documents and Settings\Dave\Desktop\Wizards Island\anti-Spyware programs\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 900 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

****

Any help would be greatly appreciated (quickly if at all possible - the rest of the family is riding me constantly to have this fixed and up and running)


P.S. The 'visual symptoms' of the Spy-Sheriff problem appear to have stopped (Spy-Sherrif, 'Your comp is infected' pop-ups, and some weird thing that would ALT-TAB out of the game I was playing by itself, then move the mouse cursor by itself and click on an icon - I never noticed whether it could actually double-click and start/open whatever the icon was.)

If what you suggest doesn't work, is it possible to just install something that guards against spyware in the first place (any suggestions) and leave it at that?

(ie: Are the rest of the instructions in the thread "httpforums.spybot.infoshowthread.phpt=1958" for the Spy-Sheriff problem, or spyware in general, or just to make sure your system is squeaky clean?)

Thanks for your help, please reply soon, and sorry again that my posts are so damn 'wordy' - I can't help it.

Thanks

Nameless_One

Do you have an ati or NVIDIA vidio adapter (card)

Open a command prompt (start run type cmd press enter)
type
sc delete BT
press enter, type exit and press enter to exit the command prompt
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
O2 - BHO: Class - {1F3E69FD-6860-5121-9E8D-9B547E4E1698} - E:\WINDOWS\netbv.dll (file missing)
O2 - BHO: Class - {708A6730-F9CB-D58D-1A1A-478BEC083EC0} - E:\WINDOWS\netze.dll (file missing)
O2 - BHO: Class - {955DE456-4FC8-12F9-FA9B-0600591E904D} - E:\WINDOWS\apptg32.dll (file missing)
O2 - BHO: Class - {DEB4CCFF-72DB-C680-F21A-6DD02CE877D8} - E:\WINDOWS\system32\mfcsm.dll (file missing)
O2 - BHO: Class - {FFCD035F-429E-054F-1D01-F49E14490C2E} - E:\WINDOWS\sdkwz32.dll (file missing)

O4 - HKLM\..\Run: [javafi32.exe] E:\WINDOWS\javafi32.exe

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh hijackthis log please, be sure to mention any current problems.

It appears you dont run an antivirus program ?

Hi. Thanks for the quick reply. http://forums.spybot.info/images/smilies/bigthumb.gif
:bigthumb:
Ok. Found and deleted all the files that you listed. HijackThis log follows:
==========================

Logfile of HijackThis v1.99.1
Scan saved at 1:43:12 PM, on 5/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\Winamp\Winampa.exe
E:\WINDOWS\System32\atiphexx.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "E:\My Documents\Tim's Stuff\Guitar Pro\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

===============================

Ok. 3 more things.

1. Should I proceed with the directions in the "httpforums.spybot.infoshowthread.phpt=1958" thread (SpyAxe, SpySheriff, Winhound, Spywarestrike)? I was up to 'E' from memory - using Spybot S&D, but couldn't complete the scan - says 'check aborted by user'.

2. When I start-up the computer & the Windows desktop comes up, 'Ewido anti-Malware 3.5' comes up with a message saying "Infected Object Found"
File: atiphexx.exe
Path: E:\Windows
Infection: Backdoor.Rbot

I just keep shutting Ewido down until I can get your advice - I assume that it's a real threat and not something similar to SpySheriff?

3. Not running any virus checker/scanner that I'm aware of - tried one once and it slowed down the system too much (and the games) so I had to get rid of it.

That's it - will await your reply. (Once again, if you could respond quickly please, 'cos my family is bugging me to get it fixed by the end of the weekend.)

Thanks for your help, will await reply.

Nameless_One

Hi
We can get back to those questions in a bit, first run hiajcthis click config
> misc tools > open process manager and end task on this file
E:\WINDOWS\System32\atiphexx.exe
then click back then scan , place a check next to these items
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
=============
Click fix checked, close Hiajckthis and restart your PC

Run Ewido and let it remove anything it finds

Check for and fix any problems found with SpyBot

Continue with the instructions in the SpyAxe, SpySheriff, Winhound, Spywarestrike" thread

And most important of all never never run a pc without an antivirus program
and never disable it simply becouse the pc runs faster without it,,,
find and insatall one asap, update then perform a full system scan
Otherwise there is no sence in trying to clean your pc

Only After that do post a fresh log

Due to lack of a response this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the topic.

Re-opened upon request, please let Lonny know if the computer was used to surf internet while in middle of a fix.

Cheers. :)

Topic on hold by request.

No problem nameless_one. :)

Hi there.
I will close this topic to prevent others with similar issues posting in it.
When you need it re-opened please send me a pm and provide a link to the thread. :)

nameless_one, I am archiving this thread, just pm me when/if you need it re-opened.

Cheers.