Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spy Sheriff


  • This topic is locked This topic is locked
3 replies to this topic

#1 marklm

marklm

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 29 May 2005 - 07:22 PM

Hi,

Totally stuck and need help! :thumbsup:

This morning suddenly got a warning on the desktop (blue wallpaper with black box and red text in the centre) saying "System Stopped" and warning me I have Malware.

System is still working normally but Spy Sherrif (unregistered) has been loaded and it scans and says I have:

"Win.Desktop.Adware.720"

Tried EVERYTHING I can think of but no good.

Tried uninstalling Spy Sheriff, registry cleaners etc. but it's there again next time I reboot. Also, Windows Security Centre has been disabled, and unable to access Task Manager - says Administrator has disabled it. Have checked trusted zone websites and removed the couple of bad boys that had been put in there (sorry, didn't keep a note)

Panda Scan on-line picked up a couple of bits of adware which I have removed but not solved the problem.

Trend Micro says my system is clean.

Spybot Search and Destroy says the system is clean.

Hijack This Logfile results:

Logfile of HijackThis v1.99.1
Scan saved at 01:12:57, on 30/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Handspring\HOTSYNC.EXE
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14cec4cff66c7d779a20/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117310904878
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC3E8E89-8CA8-4D3F-A90B-B3A37633FFDB}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\System32\ZoneLabs\vsmon.exe

Help!!!

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:58 PM

Posted 30 May 2005 - 07:17 PM

Hello marklm and welcome to the BC forums. After reviewing your log I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can hide malware from us when we are performing a fix, so we would like you to reenable those startup entries by doing the following:

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. It will ask you to reboot so reboot normally.

Now please create a new Hijackthis Log and post it here as a reply. I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 marklm

marklm
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:58 PM

Posted 31 May 2005 - 03:07 PM

:thumbsup:

Sorry - found the problem in the meantime. Had a browse thru other posts and used bits I found here and there to trace the problem.

The nasty had added a file called winstall.exe in the c:/ root directory which was being called during startup in the registry. Had also reduced the IE trusted level security setting to low, and added some junk sites to the trusted list.

Worth noting that this baddy was using a trojanned version of Spy Sheriff to give a false positive hit for a fictitious piece of malware warning of file deletion and the like. Only the fact it was reinstalling itself that made me even think it was non-legit (computer used by all the family and kids have a habit of downloading legit shareware / trials no matter how many times you tell them otherwise!)

I blocked the program at the firewall ran a packet sniffer on the output - clicking on the 'activate now' option led to packets being sent to a xxx.xxx.xxx.xxx website address (NOT www.spysheriff.com!) which I guess would have led to more rubbish being downloaded.

Thanx anyway - interesting way to waste a bank holiday Monday off work!!

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:58 PM

Posted 31 May 2005 - 05:08 PM

Looks like this is resolved so I am closing this topic.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users