PDA

View Full Version : Spyware Sherrif ---need help


sachin000
2006-05-10, 00:26
Hi My PC is infected with malware etc etc

it is infected with spyware sherriff

please help

instaled trend micros and ewido

everytime it says PC is infetcted with spyware download anti spyware
and it takes me to the page of spyware sherriff

plz help as it is getitn very annoying

here is the log of HJT


Logfile of HijackThis v1.99.1
Scan saved at 3:51:00 AM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINDOWS\TEMP\EX3F14.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GURGAO~1\LOCALS~1\Temp\Rar$EX10.699\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.15:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SifyBuzz] c:\program files\sifybuzz\SifyBuzz.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EB58EF2-342D-4D70-A8F9-BCBF7BE8BCF2}: NameServer = 202.144.50.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4DE84C7-948A-4BEC-BC6A-E60555A23196}: NameServer = 202.144.50.4,202.144.13.50
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
pskelley
2006-05-11, 01:53
Hello and welcome to the forum. If you still need help and are not receiving it elsewhere, please follow the directions.

1) Your Java is outdated and will get you infected fast: C:\Program Files\Java\j2re1.4.2_05\ <<< use this information to fix that: http://forums.spybot.info/showthread.php?t=2559

2) Your HJT.exe is running from an unsafe Temp folder. Move it to a safe permanent folder, I prefer it here: C:\HJT\HijackThis.exe. If you need more instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

3) Follow the instructions in this link: http://forums.spybot.info/showthread.php?t=4015 then post those three logs in this same topic. I will respond as soon as possible after that. We may have more to do.

Thanks...pskelley
Safer Networking Forums
tashi
2006-05-15, 06:16
This topic is closed due to lack of a response.
If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.