
Thread: spysheriff and commandservice

  1. #11
    Senior Member Daniel6's Avatar
    Join Date
    Jan 2006
    Posts
    9


    Excuse me for the unintentional smile!

    Thank you again, LonnyRJones

  2. #12
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Delete the eacceleration file

    I suggest running Sysclean in Safe Mode, since HackDefender was found.
    Sysclean is a standalone scanner.
    Make a new folder called C:\Sysclean
    Download Sysclean from http://www.trendmicro.com/download/dcs.asp
    Click the sysclean.txt link to learn how to use it. Download the latest pattern file: http://www.trendmicro.com/download/pattern.asp
    lpt(xxxx).zip (AS/400, S/390, Windows)
    Unzip it to the Sysclean folder.
    Boot to Safe Mode. Scan the system with Sysclean. It will take a while but
    it is very thorough. When it's done, close Sysclean. Restart back to a normal session.



    If your system is problem free and stable after a week or so >
    Purge the old System Restore points
    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Then Reboot. < Don't skip that step.
    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.

  3. #13
    Senior Member Daniel6's Avatar
    Join Date
    Jan 2006
    Posts
    9


    Hello

    Scanned the system in Safe Mode with Trend Micro Sysclean.
    Here is the report:



    /--------------------------------------------------------------\
    | Trend Micro Sysclean Package |
    | Copyright 2002, Trend Micro, Inc. |
    | http://www.trendmicro.com |
    \--------------------------------------------------------------/


    2006-01-30, 23:23:08, Auto-clean mode specified.
    2006-01-30, 23:23:08, Running scanner "C:\sysclean\TSC.BIN"...
    2006-01-30, 23:24:10, Scanner "C:\sysclean\TSC.BIN" has finished running.
    2006-01-30, 23:24:10, TSC Log:

    Damage Cleanup Engine (DCE) 3.98(Build 1012)
    Windows XP(Build 2600: Service Pack 2)

    Start time : lun gen 30 2006 23:23:09

    Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 700) [success]

    Complete time : lun gen 30 2006 23:24:10
    Execute pattern count(4688), Virus found count(0), Virus clean count(0), Clean failed count(0)

    2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Accesso negato.
    2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Accesso negato.
    2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Accesso negato.
    2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Accesso negato.
    2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Accesso negato.
    2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\DEFAULT": Accesso negato.
    2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Accesso negato.
    2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SOFTWARE": Accesso negato.
    2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SYSTEM": Accesso negato.
    2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Accesso negato.
    2006-01-30, 23:34:11, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Accesso negato.
    2006-01-30, 23:34:11, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Accesso negato.
    2006-01-30, 23:34:12, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG": Accesso negato.
    2006-01-30, 23:34:12, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat": Accesso negato.
    2006-01-30, 23:58:43, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Accesso negato.
    2006-01-30, 23:58:43, An error occurred while scanning file "C:\Documents and Settings\Administrator\ntuser.dat.LOG": Accesso negato.
    2006-01-30, 23:58:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG": Accesso negato.
    2006-01-30, 23:58:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat": Accesso negato.
    2006-01-31, 00:14:07, Running scanner "C:\sysclean\VSCANTM.BIN"...
    2006-01-31, 00:24:47, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/31/2006 00:14:08
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

    C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe [TROJ_TINY.AF]
    19324 files have been read.
    19324 files have been checked.
    16518 files have been scanned.
    21283 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/31/2006 00:24:47
    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-01-31, 00:24:47, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/31/2006 00:14:08
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

    Success Clean [ TROJ_TINY.AF]( 1) from C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe
    19324 files have been read.
    19324 files have been checked.
    16518 files have been scanned.
    21283 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/31/2006 00:24:47 10 minutes 34 seconds (633.63 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-01-31, 00:24:47, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/31/2006 00:14:08
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

    19324 files have been read.
    19324 files have been checked.
    16518 files have been scanned.
    21283 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/31/2006 00:24:47 10 minutes 34 seconds (633.63 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-01-31, 00:24:47, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
    2006-01-31, 00:24:47, Running scanner "C:\sysclean\VSCANTM.BIN"...
    2006-01-31, 00:24:52, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/31/2006 00:24:47
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

    21 files have been read.
    21 files have been checked.
    21 files have been scanned.
    21 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/31/2006 00:24:52
    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-01-31, 00:24:52, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/31/2006 00:24:47
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

    21 files have been read.
    21 files have been checked.
    21 files have been scanned.
    21 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/31/2006 00:24:52 0.05 seconds has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-01-31, 00:24:52, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 1/31/2006 00:24:47
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

    21 files have been read.
    21 files have been checked.
    21 files have been scanned.
    21 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 1/31/2006 00:24:52 0.05 seconds has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-01-31, 00:24:52, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.


    Thanks LonnyRJones!

  4. #14
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi
    Looks good,
    Purge the old System Restore points
    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Then Reboot. < Don't skip that step.
    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.


    Put in place a good hosts file
    http://www.mvps.org/winhelp2002/hosts.htm
    How To Download and Extract the HOSTS file:
    http://www.mvps.org/winhelp2002/hosts2.htm
    How did that go?
    Replace it about once monthly to keep it updated

    To help avoid reinfection see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279
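
Added example (not part of the original thread and not Trend Micro code): a small Python parser run over lines copied from the Sysclean report in post #13. It shows why the single detection, which sits under `System Volume Information\_restore{...}`, leads to the advice to purge the System Restore points. The function and field names are assumptions made for this illustration.

```python
import re

# Lines copied from the Sysclean report in post #13 (a subset of that log).
SAMPLE_LOG = r"""
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Accesso negato.
2006-01-31, 00:24:47, Files Detected:
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe [TROJ_TINY.AF]
1 files containing viruses.
2006-01-31, 00:24:47, Files Clean:
Success Clean [ TROJ_TINY.AF]( 1) from C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe
"""

# "<path> [<detection name>]" lines listed under "Files Detected:"
DETECTED = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+\[(?P<name>[^\]]+)\]\s*$")
# "Success Clean [ <name>]( n) from <path>" lines listed under "Files Clean:"
CLEANED = re.compile(r"^Success Clean \[\s*(?P<name>[^\]]+)\]\(\s*\d+\) from (?P<path>.+)$")
# Files the scanner could not open (here: registry hives locked by Windows)
ERROR = re.compile(r'An error occurred while scanning file "(?P<path>[^"]+)": (?P<msg>.+)$')
# A path inside a System Restore point, e.g. ...\_restore{GUID}\RP7\...
RESTORE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.I)

def summarize(log_text):
    """Return detections, skipped files, and whether restore points hold malware."""
    detections, cleaned, skipped = {}, set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := ERROR.search(line)):
            skipped.append(m["path"])
        elif (m := CLEANED.match(line)):
            cleaned.add(m["path"].strip())
        elif (m := DETECTED.match(line)):
            detections[m["path"]] = m["name"].strip()
    findings = []
    for path, name in detections.items():
        rp = RESTORE.search(path)
        findings.append({"path": path, "name": name, "cleaned": path in cleaned,
                         "restore_point": rp["rp"] if rp else None})
    # A detection inside a restore point means old snapshots still carry
    # infected copies, so the points should be purged once the system is stable.
    return {"findings": findings, "skipped": skipped,
            "purge_restore_points": any(f["restore_point"] for f in findings)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```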

  5. #15
    Senior Member Daniel6's Avatar
    Join Date
    Jan 2006
    Posts
    9


    Hello again!

    I did all the work you told me to do.
    After downloading the hosts file I copied it here:
    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC

    but here I did not have a hosts file.
    I had NOHOSTS:
    127.0.0.1 localhost

    127.0.0.1 localhost


    Do I have to rename NOHOSTS?

    System is going OK!
    Thank you LonnyRJones

  6. #16
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Running the bat included in the zip will put the hosts file in the correct folder

    As the problems appear to be resolved, this topic will now be closed and archived. If a problem related to malware, spyware or adware returns and you need this topic re-opened, please send a PM message to me or Tashi.

    Regards
    Lonny
