
Possible Infection With Spysheriff Or Renos B

8 replies to this topic

#1 scruffbag

Posted 07 August 2007 - 10:30 AM

Hi,

I think I may have all but solved the problem I had, but would be grateful if someone who knows about these things would just cast their eye over the following and say whether I should post a HijackThis log.

Operating system is Windows XP Home Edition.
Norton AntiVirus 2005 installed with auto-updates turned on; a full scan hadn't been done in a while before the problem occurred.
Ad-Aware SE Personal installed but not used for a while.
Spybot Search & Destroy installed but not used for a while.
SpywareBlaster installed but rarely used.

All steps outlined at http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ have been carried out.

The problem began when a flashing icon was noticed in the systray, alternating between a red disc with a white "X" on it and an icon that looked a bit like a Windows Update symbol. Every so often a "balloon" appeared from the flashing icons saying something to the effect of "the machine was infected with a virus and to click here to download the best antimalware software". I'm sure that it was clicked on, but nothing happened.

On running a full Norton scan it picked up a file named xpuudate.exe, which it designated as "Spysheriff" and apparently deleted. The flashing icon didn't go, though! I found a startup entry for xpuudate with the command C:\WINDOWS\system32\xpuupdate.exe and location SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
I disabled it in startup which got rid of the flashing icon. Then did a search for the file and there it was in the system32 folder.

Did another Norton scan, which again detected it and deleted it. This time it had gone from the system32 folder. Mind you, at the same time I was doing Ad-Aware and Spybot scans too, but I don't think they picked anything up.

After this I ran through all of the various anti-virus/malware scanners as detailed in the above-mentioned link; some things were found, particularly by "Bit Defender" from memory, and I believe this identified something called Renos B.

Anyhow, what I'm left with, as far as I can tell, is a disabled startup entry xpuudate as described above and the following entries in the registry when searching for xpuudate:

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603\ab000 REG_SZ xpuudate.exe

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603\ab001 REG_SZ xpuudate.exe.

Not sure what you would prefer me to do now, please advise.
Thanks for your patience

#2 Budapest

Posted 07 August 2007 - 11:15 AM

I would run the fix recommended in this Bleeping Computer removal guide:

How to remove the Spysheriff
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 scruffbag

Posted 07 August 2007 - 02:53 PM

Thanks Budapest, tried using SmitfraudFix as per the instructions. It didn't finish by going to a red screen and counting down to a reboot; Notepad opened with the log while still in Safe Mode.

Nothing's changed, still have the registry entries and the startup entry (which I have disabled) in msconfig. I was wondering if the registry entries are just a result of me searching for the file "xpuudate.exe". But how do I get rid of the startup entry? I know it's not doing anything, but it bugs me that it's there :thumbsup:

#4 oldf@rt

Posted 07 August 2007 - 03:14 PM

Have you run a scan with Spybot in Safe Mode yet? I have seen it get rid of those registry entries before. Make sure that you update completely. Also, if you used msconfig to disable the startup, please reset msconfig back to a normal startup, and remove the startup entry using Spybot's advanced mode (Tools > Startup): select the startup items and click the red X.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#5 scruffbag

Posted 07 August 2007 - 05:12 PM

Thanks oldf@rt, ran spybot search and destroy in safe mode but it did nothing. I did however use it as you said to get rid of the startup entry :thumbsup:

I'm pretty sure that the references to xpuupdate in the registry are to do with me searching for that file. I've just noticed that of the two entries in the registry one is mis-spelled as xpuudate and of the two searches I did (one of which came up negative) on one I had mis-spelled the name of the file in exactly that way, obviously why it couldn't be found :flowers:

Thanks again to you and Budapest for your help, I think we are all done on this one now.

That's my wife's machine sorted out, better start looking at mine now :trumpet:
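The two registry artifacts in this thread are of different kinds: the Run value in post #1 is persistence (and its target file had already been deleted by Norton), while the ACMru values turned out in post #5 to be nothing more than the search terms the user typed into Search Assistant. The following triage script is an added example, not code from this thread; it parses a constructed `reg export` of those two keys (the ccApp entry and the ACMru value names are made up) and separates orphaned startup entries from search history.

```python
import re

# Constructed sample modelled on the thread: a `reg export` of the Run key and of the
# Search Assistant ACMru key (the ccApp entry and the ACMru value names are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xpuudate"="C:\\WINDOWS\\system32\\xpuupdate.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="xpuudate.exe"
"001"="xpuupdate.exe"
'''

# "name"="data" lines; .reg files escape backslash and double quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Return {key path: {value name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys

def executable_path(data):
    """Strip a quoted path's quotes and any trailing arguments from a Run value."""
    return data[1:].split('"', 1)[0] if data.startswith('"') else data.split(' ', 1)[0]

def orphaned_startup_entries(keys, files_on_disk):
    """Names of Run values whose target is missing: a deleted dropper that left its
    autostart behind. A set stands in for the disk here; live, use os.path.exists."""
    present = {p.lower() for p in files_on_disk}
    return [name for key, values in keys.items() if key.lower().endswith('\\run')
            for name, data in values.items()
            if executable_path(data).lower() not in present]

def search_history(keys):
    """Terms typed into Search Assistant (ACMru): user activity, not an infection sign."""
    return [values[n] for key, values in keys.items()
            if '\\search assistant\\acmru\\' in key.lower() for n in sorted(values)]
```

On a live machine the same functions work on the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`, with the simulated set replaced by real file checks.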

#6 oldf@rt

Posted 07 August 2007 - 05:27 PM

Keep following this post, I have a question to ask, about posting a hijack this log, and other things

Edited by oldf@rt, 07 August 2007 - 07:47 PM.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#7 scruffbag

Posted 07 August 2007 - 06:10 PM

OK, thanks. Off to bed now though, just past midnight here in the UK. I'll check it out tomorrow

#8 Papakid

Posted 07 August 2007 - 08:24 PM

Hi scruffbag,

I think a BFU script is a bit of overkill here. Those reg entries are harmless and shouldn't be that hard to remove--but I would be more concerned about what else might have come along with that version of SpySheriff/Smitfraud.

If you don't mind, I would like to take a closer look to see if there is anything stealthed and verify that what you had is gone. If you are cleared, we can deal with the reg entries later. So I would like to see a HijackThis log along with another enumerator with more extensive information.

Please do this in the following way:

1. Open Add or Remove Programs via Control Panel and uninstall HijackThis if present.
2. Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges and it is best to run DSS from your Desktop.
3. Close all applications and windows.
4. Double-click on dss.exe to run it, and OK the disclaimer.
5. When the screen in the image below appears, click Yes and follow the prompts to download the new version of HijackThis. Please tell your firewall to allow this download.

[Image: the DSS prompt offering to download HijackThis]

Note that a shortcut to HijackThis will appear on your desktop and you can run it from there when asked for a follow up log.

6. DSS will now scan your computer. If you get a warning from your anti-virus, please allow it as the scan is not harmful.
7. When complete, two text files will open: main.txt, which will include a HijackThis log (this one will be maximized), and extra.txt (this one will be minimized).
8. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in a new topic in the HijackThis Logs and Analysis forum. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.

Once you get your log posted, please come back here and post a link to the thread and I will take a look.

The thing about people

is they change

when they walk away.--Mipso


#9 scruffbag

Posted 08 August 2007 - 02:19 AM

Hi Papakid,

Have complied with your instructions; all seemed to go well and I have posted the logs in the "HijackThis Logs and Analysis" forum at the following address:

http://www.bleepingcomputer.com/forums/t/103284/possible-infection-with-spysheriff-or-renos-b/

Thanks for your help
