Hi!! I have read some of the threads giving advice on how to help with the virus spysheriff...but my problem is that from the beginning I have been unable to run ad-aware, spybot, or anything else I tried to do to clean it up; it has been like they were deactivated by the virus. I double-click on the icons and nothing happens. I even tried to open directly from the program files and they still did nothing. I ended up searching for the spysheriff files and manually deleting them...but things are not working right yet. The only scan I have gotten to work is registry cleaner. The scan programs still don't work, including new ones I have tried to download like hijackthis and cleanup. Also, internet explorer keeps saying it has an error message and must close. Not to mention how extremely slow my computer is running. I think I made a mistake trying to manually remove the virus, but I didn't know what else to do. Can someone PLEASE help me get my computer running again!! I don't want to have to do a recovery disk. I also read on one thread that this won't work anyway because of how spysheriff imprints on the start-up (or something like that...I'm still learning). Thanks in advance for any help at all that you all could give me!!


All 15 Replies

Have you tried running the anti-spyware utilities while booted into Safe Mode? (You get to the Safe Mode boot option by hitting the F8 key just as your computer is starting up).

I hadn't thought of that...thanks. I was able to run spybot & ad-aware in safe mode, and cleared their problems. Internet explorer is still not running right though. It immediately pops up that it has encountered a problem and needs to close - I am able to move the message out of the way to use the internet, but I don't know how to fix it.

Let's do this:

Download HijackThis (current version is v1.99.1)

or here (Alternate 1, a self-extracting zip file)
or here (Alternate 2, an *.exe file)

Make a new folder to put your HijackThis.exe into.

(Anywhere on your hard drive is fine other than your Desktop or the Temp folder. Suitable examples are:

  • C:\HijackThis\
  • C:\Programs\hijackthis\
  • C:\Windows\My Documents\HJT\

but feel free to use any name.)

Extract and save the HijackThis download to the new folder you made. Then navigate to it and run HijackThis from there. (This is to ensure it makes the necessary backups for recovery if fixes are made.) Then double-click HijackThis.exe and click Scan.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents in your reply. Most of what it lists will be harmless or even essential; don't try to fix anything yourself.

Thanks.

I was able to reinstall internet explorer and it is working fine now. BUT...nothing else is!! I can't download updates to any of the programs like ad-aware and spybot; they will only run in safe mode. I also purchased xoftspyse and it runs okay out of safe mode, but it is the only one. I tried re-installing the others and it gets to the installation wizard and then just stops. I really am stuck and don't know what to do. My computer is still running slow and I don't have any more ideas on what I could be infected with. Please someone help me get my computer running again; I don't want to have to do a whole system reinstall. Thanks

I didn't even see the request for a HijackThis log before posting earlier...sorry!! I'm just so frustrated!! Anyway, I was finally able to get HijackThis to run in safe mode and here is the scan:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:06 PM, on 5/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\system32\sfg.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LWW Setup] D:\LWWSetup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\system32\winmuse.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\PopUpBlockerPro\popblock (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\PopUpBlockerPro\popblock (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: ieen445F8764.dll usrs445F8764.dll
O20 - Winlogon Notify: com32 - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: prwsks - C:\WINDOWS\SYSTEM32\prwsks.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I don't understand any of it, so any help would be appreciated. I thought I might also mention that when my computer turns on it is very, very slow and ends up finally displaying the error message that "windows security center notification app has encountered a problem..." I know this is part of the SP2 pack for windows with the new security system, but I can't find out how to reinstall it to try and fix it. Thanks again.

heh yep, ya got a couple infections.

BUT, let's see what Ewido/CCleaner will pick up first.

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're on the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.

Next, after following all of these steps, you're ready to scan. Run scans in both the 'Cleaner' and 'Issues' tabs. Note: It might take several scans in each to remove all of the junk.

____________________

Now you're ready for Ewido.

Follow up by downloading Ewido Security Suite.

  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display "Update successful".
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Now, post back here with a new HJT log, and the Ewido scan log.

Thanks.

joyleigh,

Your log indicates that you have a trojan infection which will, among other things, try to prevent many antispyware and antivirus programs from running. If jhay116's procedures do not work when booted normally, try them in Safe Mode as well. Even if you cannot get ewido to do its online update, run the program anyway if possible and have it fix what it can.
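A small triage script, added here as an illustration and not part of the thread or of HijackThis itself, that parses log lines in the format quoted above and flags the entry types that gave the infection away: O20 AppInit_DLLs, O20 Winlogon Notify packages outside an allow-list, BHOs whose file is gone, and one O4 name registered under several autostart keys at once. The Winlogon Notify allow-list is an assumption for illustration, and the sample log is constructed from the format quoted in the thread.

```python
"""Triage helper for HijackThis-format log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass

# Generic HJT entry: "<type> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# O4 registry autostart body: "HKLM\..\Run: [name] command".
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\]")

# Assumption, not a vetted reference: Winlogon Notify packages found on a
# stock XP SP2 install plus the Intel graphics and WGA ones seen in the log.
# Verify against a known-clean machine before relying on it.
KNOWN_NOTIFY = frozenset({
    "crypt32chain", "cryptnet", "cscdll", "igfxcui", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wgalogon", "wlballoon",
})

# Constructed sample, modelled on the logs quoted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:01:19 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\taskdir.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O20 - AppInit_DLLs: ieen445F8764.dll usrs445F8764.dll
O20 - Winlogon Notify: com32 - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str   # "O4", "O20", ...
    body: str   # text after "<kind> - "


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    entry: str      # the log text the finding is about
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the 'Rn - ...' / 'Onn - ...' entries; skip headers and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the heuristics a helper uses when reading the log by eye."""
    findings: list[Finding] = []
    run_keys: dict[str, list[str]] = {}   # autostart name -> keys it appears under
    for e in entries:
        text = f"{e.kind} - {e.body}"
        if e.kind == "O20" and e.body.startswith("AppInit_DLLs:"):
            dlls = e.body[len("AppInit_DLLs:"):].split()
            if dlls:   # normally empty on XP; anything here loads into every GUI process
                findings.append(Finding("high", text, "AppInit_DLLs is normally empty; "
                                        f"loads {', '.join(dlls)} into every GUI process"))
        elif e.kind == "O20" and e.body.startswith("Winlogon Notify:"):
            name, _, path = e.body[len("Winlogon Notify:"):].strip().partition(" - ")
            if name.lower() not in KNOWN_NOTIFY:
                why = "unknown Winlogon Notify package"
                if path.endswith("\\"):   # points at a folder, so the DLL is hidden or gone
                    why += " pointing at a folder, not a DLL"
                findings.append(Finding("high", text, why))
        elif e.kind == "O2" and ("(file missing)" in e.body or "(no file)" in e.body):
            findings.append(Finding("low", text, "orphaned BHO registration, file absent"))
        elif e.kind == "O4":
            m = RUN_RE.match(e.body)
            if m:
                run_keys.setdefault(m.group(2).lower(), []).append(m.group(1))
    # One name under Run, RunServices and the user's Run at once is the
    # persistence pattern seen with 0mcamcap in the thread.
    for name, keys in run_keys.items():
        if len(keys) > 1:
            findings.append(Finding("medium", f"O4 [{name}]",
                                    f"same entry registered under {len(keys)} autostart keys: "
                                    + ", ".join(keys)))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
```

Run it against a pasted log instead of SAMPLE_LOG to get a first-pass list; every flagged line still needs a human to confirm what the file is before anything is fixed.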

Sorry it took so long. My internet explorer completely stopped working and I had to figure out how to uninstall it and reinstall it from my operating cd. But it seems okay now. I was finally able to run the scans you asked for, but I am still having 2 problems. First, randomly there is a message "windows explorer has encountered a problem and needs to close...." and second, every few minutes an ewido box pops up that says that there is a file that needs to be cleaned: xptdtt.dll - it says it is backdoor.haxdoor.im - I click on the option to clean, but it keeps coming back. Any ideas??? Here are the scan logs. Thanks again for all of your help!!

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 1:59:54 PM, 5/13/2006
+ Report-Checksum: 6FFF75B2
+ Scan result:
[1492] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[432] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[484] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[1160] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[1304] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Error during cleaning
[1600] C:\WINDOWS\System32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1608] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1656] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1684] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1728] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1784] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1816] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[1920] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[2964] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
[3012] C:\WINDOWS\system32\xptptt.dll -> Backdoor.Haxdoor.im : Cleaned without backup
C:\Documents and Settings\Owner\Complete\Ashampoo Burning Studio 5.5.0.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Ashampoo Photo Commander 4.zip/Setup.exe -> Worm.VB.an : Cleaned without backup
C:\Documents and Settings\Owner\Complete\Ashampoo UnInstaller Platinum Suite 1.0.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Ashampoo UnInstaller Suite Plus 1.32.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Corel Photo Album 6 Deluxe.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Norton Antivirus 2006.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Norton SystemWorks 2006 Premier.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Norton SystemWorks 2006.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Owner\Complete\Roxio Easy Media Creator 8 Suite Plus.zip/Setup.exe -> Worm.VB.an : Cleaned without backup
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned without backup
C:\WINDOWS\system32\agdrgqwf.exe -> Trojan.Regger.s : Cleaned without backup
C:\WINDOWS\system32\__delete_on_reboot__taskdir.dll -> Proxy.Lager.aq : Cleaned without backup

::Report End


Logfile of HijackThis v1.99.1
Scan saved at 2:01:19 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Owner\My Documents\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Armor2net\Armor2net Personal Firewall\PopUpKiller.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LWW Setup] D:\LWWSetup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\PopUpBlockerPro\popblock (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\PopUpBlockerPro\popblock (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: ieen445F8764.dll usrs445F8764.dll
O20 - Winlogon Notify: com32 - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: prwsks - C:\WINDOWS\SYSTEM32\prwsks.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O21 - SSODL: eeDGCV - {54AB0977-FE01-A3DD-451A-B19E73EB878D} - (no file)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Ok, based on what was found in your Ewido log, we are currently in a predicament.

Backdoor.Haxdoor is a rootkit-type virus that has been known to steal bank records from its infected computer.

Because of this, you are strongly advised to do the following immediately:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for ISP login, email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

and whatever else seems appropriate.


Here's an article on the infection.


There are 2 options to go from here:

1) The complete reformat. This is the only 100% guaranteed way to rid yourself of the infection. This is also my personal recommendation.

As said by a fellow IT pro:

Personally...you can always backup files to multiple CDs, a network or another PC. Yup, it's work. Once financial information or an identity is stolen, however, it takes a lot more work to get that back.

2) We can attempt to remove the rootkit manually, using several removal tools. However, as stressed earlier, there is no guarantee of completely removing the rootkit.

Please post back on your plan of action.

Thanks.

Thanks for taking the time to look at the logs. I went to my sister's house and changed all my passwords, etc...will call the bank too. I suppose the only way is to completely reboot my system. The question is..do I just put in the operating cd I got when I got my computer and let it start over? Will that really erase all the traces of these viruses? One thread I read implied that the spysheriff would still come back...any ideas? Thanks again...

At this point spysheriff is the least of your worries.

Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:

Insert the haxdoor notify subkey without the numbers,
and then press enter:

At this point please type the following: xptptt.dll
Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.

______________________________________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Owner\Complete\Ashampoo Burning Studio 5.5.0.zip/Setup.exe

    C:\Documents and Settings\Owner\Complete\Ashampoo Photo Commander 4.zip/Setup.exe

    C:\Documents and Settings\Owner\Complete\Ashampoo UnInstaller Platinum Suite 1.0.zip/Setup.exe

    C:\Documents and Settings\Owner\Complete\Ashampoo UnInstaller Suite Plus 1.32.zip/Setup.exe

    C:\Documents and Settings\Owner\Complete\Corel Photo Album 6 Deluxe.zip/Setup.exe

    C:\Documents and Settings\Owner\Complete\Norton Antivirus 2006.zip/Setup.exe

    C:\Documents and Settings\Owner\Complete\Norton SystemWorks 2006 Premier.zip/Setup.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

_________________________________________________________________________
Post the contents of c:\haxfix.txt along with a new HijackThis log and a new ewido log.

Well, completely reformatting the disc will remove EVERYTHING from it, including legitimate programs and such.

SO, for this reason, we recommend burning a CD/buying and using a memory key to save all the data, documents, etc that ya wanna keep.

The question is..do I just put in the operating cd I got when I got my computer and let it start over?

Well, it's slightly more complicated than that, but generally, that's the idea.

Here's a very good set of instructions for help with it. More or less, you're going to have to print it out, as you won't be able to access internet while reformatting.

_________________


Acknowledgements: Thanks to DKnoppix and Crow for most the images and dgosling for helping get this setup.

This guide shows how to reformat your computer in case of a severe corruption or a severe malware infection where helpers cannot guarantee the security of your computer.

This guide is for reinstalling XP only. Do not use this guide if you are not reinstalling windows XP. Only use this guide if you are reformatting using the XP cd (not using a 'recovery partition' that some computer manufacturers use)

This guide is 'as is'. There are many circumstances which may change the success of your reformat.

Now then, let's get started:
Before you can reformat, you will need to have the following:

Prerequisites:
1. Your windows XP cd.
2. A means of backing up your most important data. Don't backup everything, the more you backup, the more chance there is that malware will get on your newly formatted computer. You might use another hard drive, some cd roms, or anything that holds data to backup your files.
3. There is a small chance you will need a floppy drive.


First Steps:
1. We need to make sure that your product key is still valid. Otherwise you might not be able to install windows. To do so,

Please go HERE (Microsoft website) using Internet Explorer (NOTE: do not use Firefox or any other browser, as they won't work).
- Click on Windows Validation Assistant.
- Click on the Validate Now button.
- Be patient while the ActiveX loads; do not click on any links.
- Read the instructions on this page while it's loading. You will be prompted to install - click YES.
- Enter your product key, then click Continue.

Make sure that your license key is legit. If it is NOT legit, do NOT reformat, contact Microsoft to see if a mistake has been made, and if not, tell your helper.


You can also use this tool to ensure validity.
Click here
Then hit "save"
Save the folder to your desktop. Then right-click on the file and select Extract All. Extract the folder to the desktop. Then open the folder and double-click on xpinfo.exe.
If all is well you should get something that looks like this:
[img]http://i25.photobucket.com/albums/c73/wng_z3r0/licenturion.jpg[/img]


Then, back up your important files to another medium. Do NOT save them on the same partition. I would personally suggest a CD-ROM backup or a flash drive. You may want to make sure that you can open the files on another computer BEFORE reformatting.


Next, download these programs.
Save them on a CD or something, we will need them immediately after reformatting. Do not skip this step!

  • SP2 can be downloaded here. Save this file to a CD. If you are on dialup and this download is unbearably large, you can get a free copy from Microsoft here. The downside is that it will take a while for the CD to get there.
  • A firewall. There are many good ones out there. If you don't know of a good one to get, I personally suggest either ZoneAlarm or Sygate Firewall.
  • The latest drivers for your computer (optional). Drivers allow Windows to use your hardware in the most effective manner. If you need help finding what drivers you need, go to Start->Run->msinfo32.exe and that will tell you what hardware you have. Then go to the appropriate hardware vendor's website and download the correct drivers.
  • Imaging software (VERY optional). Reformatting is a pain in the butt, isn't it... If you have drive imaging software, you can literally take snapshots of your hard drive, and if something screws up, you can roll back the state of your hard drive to an earlier time. Two of the most popular drive imaging software utilities are Acronis True Image and Norton Ghost. Neither of these products is free, but they are well worth it in my opinion.

Checking the hard drive
Please go to Start->Run->diskmgmt.msc
You should see something like this:
[img]http://i25.photobucket.com/albums/c73/wng_z3r0/diskmgmt1.jpg[/img]
Highlight Disk 0 like I have done. Then you will see one or more partitions on the top half. Make a note of the size of the drive. Very important: look and see if there's a hidden 'recovery' partition on your hard drive. If so, STOP, because you will need to follow different instructions on how to reformat correctly.


Let's Reformat!

  1. While your computer is still on, put in the XP CD.
  2. Turn off your computer.
  3. Turn on your computer. Your computer should go through a black and white screen called POST. Then one of two things will happen.
    You will either get a message like this:
    "press any key to boot off the CD"

    or your computer will boot Windows normally. If you get that first screen, quickly press a key and boot off the CD. If you DON'T get that screen, reboot your computer and continually press the F12 key. You should get an option screen. Use the arrow keys to highlight your CD drive, and then hit OK.

  4. If everything goes well, you should get a blue screen with white letters. Windows will load from the CD. This takes a while. Once it is loaded, you will see this screen:
    [img]http://img114.imageshack.us/img114/5599/wininstall17xe.jpg[/img]
  5. Hit the Enter button.
  6. You will then be presented with a EULA. Press F8 to agree to the EULA.
  7. Unless your previous Windows version is really screwed up, you will get a screen like this:
    [img]http://img465.imageshack.us/img465/8596/wininstall35nn.jpg[/img]

    Press the ESC key.

  8. Next you will get a screen similar to this:
    [img]http://i25.photobucket.com/albums/c73/wng_z3r0/multipartview.gif[/img]
    You need to make some decisions. I do NOT like having only 1 partition on a computer. You can make your files safer by having them on a separate partition. Personally, I have 5 partitions on my computer for various things, but at minimum I would recommend making 2 partitions. 1 of them should be the normal C:\ drive like you're accustomed to, and 1 should be for your important files/programs. You're free to set up Windows however you want, though. It's your computer.

    No matter what you choose to do, you need to use the arrow keys and highlight the C:\ drive.
    Press the D button.
    Then press Enter at the warning prompt.
    Windows will give you a second warning prompt. Hit L to continue.

  9. Your screen will now look like this:
    [img]http://i25.photobucket.com/albums/c73/wng_z3r0/creatingpart.gif[/img]
    Press the C key.
  10. Then you will be presented with this screen:
    [img]http://i25.photobucket.com/albums/c73/wng_z3r0/creatingpart.gif[/img]
    This is where you need to decide how many partitions you wish to have.
    If you are unsure and just want to go the easy route, press the Enter button. Now skip the instructions below in purple, and continue on.
    If you wish to create multiple partitions, press the Backspace key and change the size of your partition. Don't make it too small! I would recommend having at least 4 GB (4096 MB) on the first partition, and more if your hard drive is big enough. Then press the Enter button.
    Then use the arrow keys and highlight the "unpartitioned space". Press the C button, and then type in how big you want the partition to be. Hit the Enter key. You can repeat this process until you have as many partitions as you want.
  11. Your screen should look something like this depending on how many partitions you have:
    [img]http://i25.photobucket.com/albums/c73/wng_z3r0/creatingmultipart.gif[/img]
    Highlight the drive you want to install Windows on. It SHOULD be the first one (C:\).
    Then hit the Enter button.
  12. Next you will get this screen:
    [img]http://i25.photobucket.com/albums/c73/wng_z3r0/chooseFS.gif[/img]
    Select "Format the partition using the NTFS file system".
    Hit the Enter button.
  13. Your computer will format the drive. Wait until that's done.
    Windows will set up. When you see this screen:
    [img]http://i25.photobucket.com/albums/c73/wng_z3r0/reboots.gif[/img]
  14. Then you need to take out your CD.
  15. Your computer will reboot.
  16. Windows Setup will continue from the hard drive. Follow the instructions, and voila! Windows will be reinstalled.

DO NOT CONNECT TO THE INTERNET UNTIL THE FOLLOWING STEPS ARE COMPLETE!!!!

  • Put in the CD that contains Service Pack 2.
  • Install Service Pack 2 by double-clicking the setup file and following the instructions on the screen.
  • Once SP2 is installed, reboot, then install the drivers that you have found.
  • Next, install the firewall and AV.

NOW CONNECT TO THE INTERNET.
Immediately go here:
http://windowsupdate.microsoft.com/

and get all the critical updates.
Don't forget to restart your computer!
Then update your AV and firewall.
Install all your other programs and documents.
Then (if you have imaging software) make a snapshot of your computer. If something goes terribly wrong, you can always start from this point again instead of from the beginning.

Lastly, keep us updated on how it's worked.

Thanks again.
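Two steps of the guide above (reading your hardware off msinfo32 for the driver hunt, and checking Disk Management for a hidden recovery partition) only show their results on screen, and that screen is gone once you reformat. The batch file below saves the same information to text files you can copy onto your backup CD, and after the reinstall it checks that SP2 and the SP2 firewall are in place before you plug the network cable in. This is an added example, not part of the guide or of the reply above; the folder and file names are my own choices, and it assumes the msinfo32.exe, diskpart.exe, reg.exe, findstr.exe and netsh.exe that ship with Windows XP.

```batch
@echo off
REM reformat-notes.cmd  (added example; folder and file names are my own)
REM Usage:  reformat-notes.cmd before   - run on the infected machine, then copy
REM                                        the notes folder to your backup CD/flash drive
REM         reformat-notes.cmd after    - run on the fresh install BEFORE connecting
REM                                        to the network
setlocal
set NOTES=%USERPROFILE%\Desktop\reformat-notes
if not exist "%NOTES%" mkdir "%NOTES%"

if /i "%~1"=="before" goto before
if /i "%~1"=="after" goto after
echo Usage: %~nx0 before ^| after
goto :eof

:before
REM 1. Hardware list. msinfo32 /report writes the same data it shows on screen to a
REM    text file, so you can look up drivers from another computer while this one
REM    is being rebuilt. "start" is used because msinfo32 is found via App Paths,
REM    not via the PATH variable.
start /wait msinfo32 /report "%NOTES%\hardware.txt"

REM 2. Disk layout, the command-line view of what diskmgmt.msc shows. In
REM    partitions.txt, a small partition that appears in "list partition" but has no
REM    drive letter in "list volume" is what a vendor recovery partition looks like;
REM    the guide says to STOP and use different instructions if you have one.
(
  echo list disk
  echo select disk 0
  echo list partition
  echo list volume
) > "%NOTES%\diskpart-commands.txt"
diskpart /s "%NOTES%\diskpart-commands.txt" > "%NOTES%\partitions.txt"

REM 3. Which Windows and service pack you are on now, for your own records.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName > "%NOTES%\windows.txt"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion >> "%NOTES%\windows.txt"
echo Notes saved in "%NOTES%". Copy that folder to your backup CD or flash drive.
goto :eof

:after
REM Confirm the offline steps are done before the machine touches the network:
REM SP2 must be present (CSDVersion) and the SP2 Windows Firewall must be on.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | findstr /C:"Service Pack 2" >nul
if errorlevel 1 (
  echo WARNING: Service Pack 2 is NOT installed. Install it from your CD before connecting.
) else (
  echo OK: Service Pack 2 is installed.
)
REM On a pre-SP2 install netsh reports that the "firewall" context does not exist,
REM which is itself a sign that SP2 has not been applied yet.
netsh firewall show state
goto :eof
```

Run it as `reformat-notes.cmd before` from a command prompt on the old installation and print or copy the reformat-notes folder; after Windows is reinstalled and SP2 applied, run `reformat-notes.cmd after` and only connect once it reports SP2 installed and the firewall operational mode as enabled.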

Reformatting may not be necessary; Haxdoor can be removed, it's just not always easy.

I tried the haxfix and killbox, but neither would download or work correctly, even in safe mode. I have finally tonight got my computer up and running. I can't seem to find Sygate anywhere, but I downloaded AVG... any others I need? I also reinstalled Ad-Aware, Spybot and XoftSpySE. I want to thank you all for all of your detailed instructions and help. I couldn't have done it without your help!!

I wouldn't worry about Sygate now, they have been taken over by Symantec :(.
