Please help!! Recovering from Spysheriff!!!
 

Re: Please help!! Recovering from Spysheriff!!!
 

Have you tried running the anti-spyware utilities while booted into Safe Mode? (You get to the Safe Mode boot option by hitting the F8 key just as your computer is starting up).

Re: Please help!! Recovering from Spysheriff!!!
 

I hadn't thought of that...thanks. I was able to run spybot & ad-aware in safe mode, and cleared their problems. Internet explorer is still not running right though. It immediately pops up that it has encountered a problem and needs to close - I am able to move the message out of the way to use the internet, but I don't know how to fix it.

Re: Please help!! Recovering from Spysheriff!!!
 

Let's do this:

Download HijackThis (current verison is v1.99.1)

or here (Alternate 1, a self-extracting zip file)
or here (Alternate 2, an *.exe file)

Make a new folder to put your HijackThis.exe into.

(Anywhere on your hard drive is fine other than your Desktop or the Temp folder. Suitable examples are:

• C:\HijackThis\
• C:\Programs\hijackthis\
• C:\Windows\My Documents\HJT\

but feel free to use any name.)

Extract and save the HijackThis download to the new folder you made. Then navigate to it and run HijackThis from there. (This is to ensure it makes the necessary backups for recovery if fixes are made) Then, doubleclick HijackThis.exe, and click Scan.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents in your reply. Most of what it lists will be harmless or even essential, don't try to fix anything yourself.

Thanks.

Re: Please help!! Recovering from Spysheriff!!!
 

I was able to reinstall internet explorer and it is working fine now. BUT...nothing else is!! I can't download updates to any of the programs like ad-aware and spybot - they will only run in safe mode. I also purchased xoftspyse and it runs okay out of safe mode, but it is the only one. I tried re-installing the others and it gets to the installation wizard and then just stops. I really am stuck and don't know what to do. My computer is still running slow and I don't have anymore ideas on what I could be infected with. Please someone help me get my computer running again-I don't want to have to do a whole system reinstall. Thanks

Re: Please help!! Recovering from Spysheriff!!!
 

I didn't even see the request for a Hijackthis log before posting earlier..sorry!! I'm just so frustrated!! Anyway, I was finally able to get hijackthis to run in safe mode and here is the scan:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:06 PM, on 5/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\system32\sfg.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LWW Setup] D:\LWWSetup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\system32\winmuse.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\PopUpBlockerPro\popblock (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\PopUpBlockerPro\popblock (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: ieen445F8764.dll usrs445F8764.dll
O20 - Winlogon Notify: com32 - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: prwsks - C:\WINDOWS\SYSTEM32\prwsks.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



I don't understand any of it, so any help would be appreciated. I thought I might also mention that when my computer turns on it is very, very slow and ends up finally displaying the error message that "windows security center notification app has encountered a problem..." I know this is part of the SP2 pack for windows with the new security system, but I can't find out how to reinstall it to try and fix it. Thanks again.

Re: Please help!! Recovering from Spysheriff!!!
 

heh yep, ya got a couple infections.

BUT, let's see what Ewido/CCleaner will pick up first.

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files". 9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch


After doing this, move back to the 'Cleaner' tab, and inside this, be sure your open to the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.

Next, after following all of these steps, you're ready to scan. Run scans in both the 'Cleaner' and 'Issues'. Note: It might take several scans in each to remove all of the junk.

____________________

Now you're ready for Ewido.

Follow up by downloading Ewido Security Suite.

• Install ewido security suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Launch ewido, there should be an icon on your desktop, double-click it.
• The program will now open to the main screen.
• When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click Update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display "Update successful"
• Click on Scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Now, post back here with a new HJT log, and the Ewido scan log.

Thanks.

Re: Please help!! Recovering from Spysheriff!!!
 

joyleigh,

Your log indicates that you have a trojan infection which will, among other things, try to prevent many antispyware and antivirus programs from running. If jhay116's procedures do not work when booted normally, try them in Safe Mode as well. Even if you cannot get ewido to do its online update, run the program anyway if possible and have it fix what it can.

Re: Please help!! Recovering from Spysheriff!!!
 

Sorry it took so long. My internet explorer completely stopped working and I had to figure out how to uninstall it and reinstall it from my operating cd. But it seems okay now. I was finally able to run the scans you asked, but I am still having 2 problems. First, randomly there is a message "windows explorer has encountered a problem and needs to close...." and second, every few minutes an ewido box pops up that says that there is a file that needs to be cleaned: xptdtt.dll - it says it is backdoor.haxdoor.im - I click on the option to clean, but it keeps coming back. Any ideas??? Here are the scan logs. Thanks again for all of your help!!

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 1:59:54 PM, 5/13/2006
+ Report-Checksum: 6FFF75B2
+ Scan result:
[1492] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[432] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[484] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[1160] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[1304] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[1600] C:\WINDOWS\System32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1608] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1656] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1684] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1728] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1784] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1816] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1920] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[2964] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[3012] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
C:\Documents and Settings\Owner\Complete\Ashampoo Burning Studio 5.5.0.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Ashampoo Photo Commander 4.zip/Setup.exe -> Worm.VB.an : Cleaned without backup
C:\Documents and Settings\Owner\Complete\Ashampoo UnInstaller Platinum Suite 1.0.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Ashampoo UnInstaller Suite Plus 1.32.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Corel Photo Album 6 Deluxe.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Norton Antivirus 2006.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Norton SystemWorks 2006 Premier.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Norton SystemWorks 2006.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Roxio Easy Media Creator 8 Suite Plus.zip/Setup.exe -> Worm.VB.an : Cleaned without backup
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned without backup
C:\WINDOWS\system32\agdrgqwf.exe -> Trojan.Regger.s : Cleaned without backup
C:\WINDOWS\system32\__delete_on_reboot__taskdir.dll -> Proxy.Lager.aq : Cleaned without backup

::Report End


Logfile of HijackThis v1.99.1
Scan saved at 2:01:19 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Owner\My Documents\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Armor2net\Armor2net Personal Firewall\PopUpKiller.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LWW Setup] D:\LWWSetup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\PopUpBlockerPro\popblock (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\PopUpBlockerPro\popblock (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: ieen445F8764.dll usrs445F8764.dll
O20 - Winlogon Notify: com32 - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: prwsks - C:\WINDOWS\SYSTEM32\prwsks.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O21 - SSODL: eeDGCV - {54AB0977-FE01-A3DD-451A-B19E73EB878D} - (no file)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Re: Please help!! Recovering from Spysheriff!!!
 

Ok, based on what was found in your Ewido log, we are currently in a predictament.

Backdoor.Haxdoor is a rootkit-type virus that has been known to steal bank records from its infected computer.

Because of this, You are strongly advised to do the following immediately:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for ISP login, email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

and what ever else seems appropriate.


Here's an article on the infection.


There are 2 options to go from here:

1) The complete reformat. This is the only 100% guarenteed way to rid yourself of the infection. This is also my personal recomendatoion.

As said by a fellow IT pro:
2) We can attempt to remove the rootkit manually, using several removal-tools. However, as stressed earlier, there is no guarentee for completely removing the rootkit.

Please post back on your plan of action.

Thanks.