
Thread: Spy sheriff woes

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default Spy sheriff woes

    I was a recent victim of SpySheriff. I managed to uninstall it, which still left 3 notices that I had been infected. A few hours later, after a fresh restart, the 3 notices are gone but some effects still linger. There is some window that opens for a split second during start up, bandwidth is being siphoned somewhere, and when I hit Ctrl + Alt + Del my computer informs me that the administrator has disabled Task Manager. I am not sure how to get the last few remnants off my machine. I have both Spybot and AVG running and neither has been able to beat this. Any help would be great.

  2. #2
    Security Expert Corrine's Avatar
    Join Date
    Oct 2005
    Location
    Upstate, NY
    Posts
    62


    Welcome to Safer Networking Forums. Please see the thread linked below for complete instructions. Be sure to create the preliminary HijackThis log and post it along with the other logs as reply to this topic for a final check.

    Thank you.

    http://forums.spybot.info/showthread.php?t=1316
    Windows Insider MVP * * * Microsoft MVP, 2006-20016

    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

  3. #3
    Junior Member
    Join Date
    Dec 2005
    Posts
    0


    Thank you Corrine!!! This took me a while following the step-by-step instructions; I can only imagine the time you have spent creating them. Here are the many and varied logs.

    Original HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:37:24 PM, on 1/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
    O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll (file missing)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\d3ex.exe (file missing)

    Contents of the C:\smitfiles.txt log

    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: Tue 01/03/2006
    The current time is: 18:20:04.87

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 748 'explorer.exe'
    Killing PID 748 'explorer.exe'

    Starting registry repairs

    Deleting files


    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~




    ~~~ Wininet.dll ~~~

    CLEAN!

    Ewido Log

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 7:21:01 PM, 1/3/2006
    + Report-Checksum: 32D54A47

    + Scan result:

    HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\SearchHelp.DLL -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{1EA0CE66-D6D5-2CEB-D734-97906011F9A8} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{36A41F9E-B433-C078-89AE-486D2624C972} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{551764CC-ABCF-335C-76F6-62283B478A0F} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{7DFA112F-21B6-72CE-A5DE-09FEAF22C151} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{7E2B347A-52AA-597F-9371-80822A8D1263} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{966FA744-197F-E95E-EB31-73BE39619DE2} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{B33C5B98-F4B9-B550-C81A-4EE9720874BF} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{CC6B2B65-2D60-CC2D-B4A6-7C0945964771} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{DD25AEF3-3DC7-625D-F3C6-DE10B7C6BF82} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{DF74F87A-B7C0-F480-1D25-D81A257B3152} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{E5E59618-FEBB-174D-3A09-E2EF1B2CDA17} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{FC955BB2-DAA2-E394-1DD3-E8A207B823A6} -> Spyware.BetterInternet : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{E318D698-27B3-44D5-8998-C35EAFB9C034} -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinTaskAdX.Installer -> Spyware.BlazeFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinTaskAdX.Installer\CLSID -> Spyware.BlazeFind : Cleaned with backup
    HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\MemoryWatcher -> Spyware.MemoryWatcher : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\70tovmto -> Spyware.SAHA : Cleaned with backup
    HKLM\SOFTWARE\midADdle -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\WildMedia -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\WildMedia\LicenseStores -> Spyware.MidAddle : Cleaned with backup
    HKU\S-1-5-21-1645522239-1409082233-1801674531-1003\Software\Bundles -> Spyware.SecondThought : Cleaned with backup
    HKU\S-1-5-21-1645522239-1409082233-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
    HKU\S-1-5-21-1645522239-1409082233-1801674531-1003\Software\SerG -> Spyware.EZ-Finder : Cleaned with backup
    C:\Documents and Settings\Barney\Application Data\cdac.exe -> Spyware.PurityScan : Cleaned with backup
    C:\Documents and Settings\Barney\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-22395e63-3c7dc423.class -> Trojan.Nocheat : Cleaned with backup
    C:\Documents and Settings\Barney\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\ok.class-26e95bb1-38689955.class -> Trojan.Nocheat : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@adtech[1].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@highbeam.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Barney\Cookies\barney@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\ezStub.exe -> Adware.eZula : Cleaned with backup
    C:\Program Files\STC\bundles.exe -> Trojan.SecondThought.al : Cleaned with backup
    C:\Program Files\STC\bundles53.exe -> Trojan.SecondThought.bg : Cleaned with backup
    C:\Program Files\Windows ServeAd\WinServAd.exe -> Spyware.WinAD : Cleaned with backup
    C:\SEPinst.exe -> Trojan.Septic.a : Cleaned with backup
    C:\WINDOWS\70tovmto.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\bundles\bs5-vwqouc.exe -> Spyware.BookedSpace.c : Cleaned with backup
    C:\WINDOWS\bxxs5.dll -> Spyware.BookedSpace : Cleaned with backup
    C:\WINDOWS\cxtpls_loader.exe -> Spyware.AproposMedia : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\webdlg32.dll -> Spyware.SBSoft : Cleaned with backup
    C:\WINDOWS\inet20001\3.00.12.dll -> Spyware.Ihbo : Cleaned with backup
    C:\WINDOWS\inet20001\3.00.13.dll -> Spyware.Ihbo : Cleaned with backup
    C:\WINDOWS\inet20001\alg.exe.bak -> Worm.Delf.i : Cleaned with backup
    C:\WINDOWS\inet20001\mm4.exe -> Proxy.Delf.an : Cleaned with backup
    C:\WINDOWS\inet20001\mm4.exe.bak -> Proxy.Delf.an : Cleaned with backup
    C:\WINDOWS\inet20001\services.exe -> Downloader.CWS.r : Cleaned with backup
    C:\WINDOWS\Oknoaqux.dll -> Spyware.SearchBand : Cleaned with backup
    C:\WINDOWS\system32\2b3fsk0h.dll -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\system32\2ndsrch.dll -> Trojan.SecondThought.ag : Cleaned with backup
    C:\WINDOWS\system32\449166.exe -> Spyware.Beginto.a : Cleaned with backup
    C:\WINDOWS\system32\70tovmto.ini -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\system32\abetterinternet.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\bln02nqv.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\system32\exdl1.exe -> Adware.eXact : Cleaned with backup
    C:\WINDOWS\system32\gah95on6.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\system32\IdleUI.dll -> Logger.Idly.c : Cleaned with backup
    C:\WINDOWS\system32\kernels64.exe -> Downloader.Tibs.ai : Cleaned with backup
    C:\WINDOWS\system32\lsp.dll_tobedeleted -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\system32\maxd64.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\WINDOWS\system32\newdevin.exe -> Spyware.BookedSpace.c : Cleaned with backup
    C:\WINDOWS\system32\SahAgent.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\system32\SuiteInstall.exe -> Downloader.NSIS.Gen : Cleaned with backup
    C:\WINDOWS\WildApp.dll -> Spyware.MetaDirect : Cleaned with backup
    K:\Program Files\Altnet\Download Manager\asm.exe -> Spyware.Altnet : Cleaned with backup
    K:\Program Files\Altnet\Download Manager\asmps.dll -> Spyware.Altnet : Cleaned with backup


    ::Report End

    Second HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 8:07:18 PM, on 1/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
    O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\d3ex.exe (file missing)

    Again, huge thanks. I will let you know if I have been successful.
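The HijackThis logs above show the three indicators a helper would normally circle first: an O4 Run entry that launches a file named winlogon.exe from C:\WINDOWS\inet20001 instead of system32, an F3 win.ini run= autostart pointing at the same file, and an O23 service with an unknown owner whose binary is missing. The script below is an added triage example, not code from this thread, HijackThis, or Safer Networking; it parses the O4, F3 and O23 lines quoted in the post (embedded here as the sample input) and flags those patterns. It assumes the XP default system directory C:\WINDOWS\system32, and the set of "borrowed" system binary names is a heuristic chosen for the example, not a list from the page.

```python
import re
import ntpath

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - Startup: PowerReg Scheduler V3.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINDOWS\system32\d3ex.exe (file missing)
"""

# Heuristic (assumption for this example): core Windows binaries that malware
# commonly impersonates; on XP each of them legitimately lives only in system32.
SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                   "smss.exe", "csrss.exe", "alg.exe", "spoolsv.exe"}
# Assumption: the machine uses the XP default system directory.
SYSTEM32 = r"c:\windows\system32"

# A quoted path, or a bare drive-letter path up to the first space/quote.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s"]+)')
O4_RE = re.compile(r"O4 - (.+?): \[(.*?)\] (.*)")
F3_RE = re.compile(r"F3 - REG:win\.ini: (run|load)=(.+)")


def extract_path(command):
    """Return the executable path from a Run-key command line, quoted or bare."""
    m = PATH_RE.search(command)
    if not m:
        return None
    return m.group(1) or m.group(2)


def masquerading(path):
    """True if the file is named like a core system binary but sits outside system32."""
    directory, name = ntpath.split(path)
    return name.lower() in SYSTEM_BINARIES and directory.lower() != SYSTEM32


def triage(log_text):
    """Scan HijackThis O4/F3/O23 lines and return (line, reason) pairs worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # e.g. "O4 - Startup: ..." carries no [name] command pair
            path = extract_path(m.group(3))
            if path and masquerading(path):
                findings.append((line, f"Run entry '{m.group(2)}' launches a look-alike "
                                       f"of {ntpath.basename(path)} outside system32"))
        elif line.startswith("F3 - "):
            m = F3_RE.match(line)
            if m:
                findings.append((line, f"win.ini {m.group(1)}= is a legacy autostart that "
                                       "is almost never populated on a clean XP system"))
        elif line.startswith("O23 - "):
            # Display name may itself contain " - ", so take owner and path from the end.
            parts = line[len("O23 - Service: "):].split(" - ")
            if len(parts) < 3:
                continue
            owner, path = parts[-2], parts[-1]
            reasons = []
            if owner == "Unknown owner":
                reasons.append("no vendor string")
            if path.endswith("(file missing)"):
                reasons.append("binary missing on disk")
            if reasons:
                findings.append((line, "service with " + " and ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run on the sample it reports four entries: the two xp_system Run keys, the win.ini run= line and the RPC Helper service; the AVG Run key and the ewido service pass untouched. The checks are deliberately conservative (a name collision plus a wrong directory, a populated legacy autostart, a service with no owner or no file) so that the output is a shortlist for a human reviewer rather than a verdict.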

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi barndog
    Sorry for the delay, please post a fresh hijackthis log and mention any current problems.

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    Hello, this topic will now be archived.
    I hope you will return if you have not resolved the problem.
    If you need the topic re-opened please pm me or one of the forum mods.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
