Help, help, I'm over my head

Hi, I was sent here by my buddy wyntrblue, who said to look here for help. Basically I have been got with a nasty little git called SpySheriff. He told me to post the body of text below and see who could help. Any ideas?

Logfile of HijackThis v1.99.1
Scan saved at 16:12:51, on 08/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\winstall.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\rename me\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/uk/*http://www.yahoo.co.uk
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {5C7E671D-3878-4C16-8445-30FE63162EBC} - blank (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM…\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”
O4 - HKLM…\Run: [KAZAA] “C:\Program Files\KaZaA Lite\kpp.exe” “C:\Program Files\Kazaa Lite\kazaalite.kpp” /SYSTRAY
O4 - HKLM…\Run: [drvupd] rundll32 setupapi,InstallHinfSection infupd3 128 C:\WINDOWS\drvupd.inf
O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM…\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM…\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033
O4 - HKLM…\RunServices: [Kernel32] Kernel32.exe
O4 - HKCU…\Run: [CFDStart] C:\WINDOWS\WinMuschi.exe -m
O4 - HKCU…\Run: [Messenger] C:\PROGRA~1\LYCOSM~1\Messenger.exe
O4 - HKCU…\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU…\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU…\Run: [Windows installer] C:\winstall.exe
O4 - HKCU…\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\rename me\Application Data\Mozilla\Firefox\Profiles\Default User\extensions{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\rename me\Application Data\Mozilla\Firefox\Profiles\Default User\extensions{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100354247470
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip…{29078874-2E73-4C45-8A77-89DC43B0F8B4}: NameServer = 194.168.4.100,194.168.8.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LifeMapper - Unknown owner - c:\LM\srvany.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\winstall.exe
Nasty running process. (winstall.exe)
Spy Sheriff
This is a nasty process! You should fix it and try to delete it manually!
Probably safe.! According to our database this process runs normally in "logfile of hijackthis v1.99.1 scan saved at 16:22:35, on 06.11.2005 platform: windows xp sp2 (winnt 5.01.2600) msie: internet explorer v6.00 sp2 (6.00.2900.2180) running processes: c:\windows\system32\smss.exe c:\windows\system32\winlogon.exe c:\win! Check if you know this process and arrange a viruscheck where required.

C:\WINDOWS\system32\RDSHOST.exe
Unknown running process. (RDSHOST.exe)

This is a unknown process.

F3 - REG:win.ini: run=
Unknown F3 - REG:win.ini: run= the following information has been found about this entry: .
Unknown application.

O4 - HKLM…\Run: [KAZAA] “C:\Program Files\KaZaA Lite\kpp.exe” “C:\Program Files\Kazaa Lite\kazaalite.kpp” /SYSTRAY
Nasty O4 - HKLM…Run: [KAZAA] “i:ProgrammeKazaa Lite K++kpp.exe” “i:ProgrammeKazaa Lite K++KazaaLite.kpp” /SYSTRAY
Hit rate: 91 % (result)
Must be fixed!

O4 - HKLM…\Run: [drvupd] rundll32 setupapi,InstallHinfSection infupd3 128 C:\WINDOWS\drvupd.inf
Unknown
Hit rate: -1 % (result)
Unknown application.

O4 - HKLM…\RunServices: [Kernel32] Kernel32.exe
Nasty Added as a result of a number of VIRUSES - such as BABYLONIA, KERNEL and HOOKER
Hit rate: 99 % (result)
Must be fixed!

O4 - HKCU…\Run: [CFDStart] C:\WINDOWS\WinMuschi.exe -m
Nasty WINMUSCHI dialler
Hit rate: 99 % (result)
Must be fixed!

O4 - HKCU…\Run: [Messenger] C:\PROGRA~1\LYCOSM~1\Messenger.exe
Nasty Added as a result of the KUTEX VIRUS!
Hit rate: 95 % (result)
Must be fixed!

O4 - HKCU…\Run: [Windows installer] C:\winstall.exe
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.

O4 - HKCU…\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.

O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\rename me\Application Data\Mozilla\Firefox\Profiles\Default User\extensions{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
Possibly nasty Entries shown in the menu that pops up when right-clicking into the Internet Explorer. Unknown entries should be fixed.
To be fixed if the entry 'Open Link Target in Firefox ’ is unknown.

O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\rename me\Application Data\Mozilla\Firefox\Profiles\Default User\extensions{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
Possibly nasty Entries shown in the menu that pops up when right-clicking into the Internet Explorer. Unknown entries should be fixed.
To be fixed if the entry 'View This Page in Firefox ’ is unknown.

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
Check if you know this site and fix it if you do not.

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
Check if you know this site and fix it if you do not.

O17 - HKLM\System\CCS\Services\Tcpip…{29078874-2E73-4C45-8A77-89DC43B0F8B4}: NameServer = 194.168.4.100,194.168.8.100
Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. ‘SearchList’ entries should be fixed too.
Do you know the IP or Domain ‘194.168.4.100,194.168.8.100’? If not, fix this entry.

Post your log file into this link to get the breakdown on everything.

http://www.hijackthis.de/en
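The hijackthis.de write-up above applies three rules by hand: autostart entries (O4) that point somewhere odd, ActiveX downloads (O16) from unknown hosts or whose name or URL contains words like ‘dialer’, ‘casino’ or ‘free plugin’, and DNS servers (O17) that are not your ISP's. The script below is an added example, not something from this thread or from HijackThis, that runs those same rules over a few lines copied from the log. HijackThis prints the registry key as `HKLM\..\Run`; the forum rendering above shows it as `HKLM…\Run`. The trusted-host list, the ISP DNS list (NTL's two servers, as the reply below says), the Windows directory, and the two extra lines marked as constructed are all assumptions made for the example.

```python
"""Added example (not from the thread or from HijackThis): triage a
HijackThis v1.99 log with the rules the hijackthis.de write-up applies
by hand.  The allow-lists and the constructed sample lines are assumptions."""
import ntpath
import re
from urllib.parse import urlparse

# Assumption: hosts you have decided to trust for ActiveX (O16) downloads.
TRUSTED_ACTIVEX_HOSTS = {"chat.msn.com", "messenger.msn.com",
                         "v5.windowsupdate.microsoft.com"}
# Words the write-up says should trigger a fix when seen in an O16 name/URL.
SUSPECT_WORDS = ("dialer", "casino", "free plugin")
# Assumption: the DNS servers your ISP really hands out (NTL, per the thread).
ISP_DNS = {"194.168.4.100", "194.168.8.100"}
# Assumption: the Windows directory.  Binaries dropped straight into it, or
# into the drive root, deserve a look; real installers go deeper.
WINDOWS_DIR = r"c:\windows"

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]*\}(?: \(([^)]*)\))? -\s*(\S*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")

# Lines copied from the log in this thread, plus two constructed ones
# (the "Free Plugin" control and the 203.0.113.53 name server).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Kernel32] Kernel32.exe
O4 - HKCU\..\Run: [CFDStart] C:\WINDOWS\WinMuschi.exe -m
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Free Plugin) - http://example.invalid/dialer/setup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29078874-2E73-4C45-8A77-89DC43B0F8B4}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53
'''

def _exe_path(cmd):
    """Pull the executable out of an O4 command line (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return re.sub(r"\s+[-/]\S+$", "", cmd)   # drop one trailing -flag or /flag

def _check_o4(key, name, cmd):
    """Flag autostarts by where the binary lives, not by what it calls itself."""
    parent = ntpath.dirname(_exe_path(cmd)).rstrip("\\").lower()
    reasons = []
    if key.lower() == "runservices":
        reasons.append("RunServices key (Win9x-era autostart, odd on XP)")
    if not parent:
        reasons.append("bare filename, location cannot be verified")
    elif parent.endswith(":"):
        reasons.append("executable in drive root")
    elif parent == WINDOWS_DIR:
        reasons.append("executable directly in the Windows directory")
    return reasons

def _check_o16(name, url):
    """Unknown host, missing URL, or a tell-tale word in the name/URL."""
    reasons = []
    host = urlparse(url).hostname if url else None
    if not host:
        reasons.append("no download URL recorded")
    elif host.lower() not in TRUSTED_ACTIVEX_HOSTS:
        reasons.append(f"ActiveX from untrusted host {host}")
    hits = [w for w in SUSPECT_WORDS if w in f"{name or ''} {url}".lower()]
    if hits:
        reasons.append("suspect words: " + ", ".join(hits))
    return reasons

def _check_o17(servers):
    """Any resolver that is not one of the ISP's is worth questioning."""
    bad = [s.strip() for s in servers.split(",") if s.strip() not in ISP_DNS]
    return [f"DNS server not from ISP: {s}" for s in bad]

def triage(log_text):
    """Return [(entry label, [reasons])] for every line that deserves a look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            label, reasons = m.group(3), _check_o4(m.group(2), m.group(3), m.group(4))
        elif m := O16_RE.match(line):
            label, reasons = m.group(1) or m.group(2), _check_o16(m.group(1), m.group(2))
        elif m := O17_RE.match(line):
            label, reasons = "NameServer", _check_o17(m.group(1))
        else:
            continue
        if reasons:
            findings.append((label, reasons))
    return findings

if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_LOG):
        print(f"{label}: {'; '.join(reasons)}")
```

Run it as-is and the ccApp, SpySheriff and MSN Chat lines pass while Kernel32, CFDStart, the root-level winstall.exe, the constructed "Free Plugin" control and the constructed name server are reported. SpySheriff passing shows the limit of location rules: a program that installs itself neatly under Program Files still needs a name or hash lookup, which is what the hijackthis.de database adds on top.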

From memory that's NTL's DNS servers.

It looks absolutely riddled to me, not a very good advert for Norton AV.

I bet you’ll end up re-installing

:nod:

Do I see both Norton's AV and AVG's AV running at the same time? That could cause a problem, as I recall someone (Greg STEP2000?) mentioning that Norton and AVG do not play well together on the same system. Probably want to completely remove one of them and just run a single AV.

I think MrTFWitt’s suggestion of reinstalling might be the best. There appear to be quite a few strange/unknown processes running. Cleaning may take a while and you run the risk of leaving virus/trojan/spyware residue on your system.

This one is removable without a re-install, but it is not an easy task. I've seen this one before, and even following guides such as this one I found the thing kept coming back.

MS-AntiSpyware should remove it though in system safe mode. Or you can try the combination guides as in the link.

Good luck :smiley:

DT.

Well, thanks for the help, it did just that. I have very nearly solved the problem.
The last thing left to do is somehow get my desktop wallpaper back. In the display options it won't allow me to select anything else, so I'm stuck with a grey background. Anyone know how to restore my desktop? Any help would be appreciated.
:smiley: :smiley: :smiley:

AVG and Norton don’t get along…

I have seen it take systems into what I call the slow lane on running. The issue is that Norton uses a rootkit to hide items and AVG sees this and, well, tries to sort it all out. Symantec also, knowing them, looks for AVG and, well, screws around with it. So, all being said, NO NORTON is my vote. Go AVG, MS Spyware, Ad-Aware SE and scan, scan, scan. Also Kazaa: bad stuff for sure, it tends to bring bad like flies.