Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spysheriff Problems


  • This topic is locked This topic is locked
2 replies to this topic

#1 Baile

Baile

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 17 October 2005 - 08:36 PM

Alright -- well unfortunately last night I got hit with more spyware, after just reformatting my computer! Anyway -- the spyware is called SpySheriff (I believe, as it keeps coming back after I remove it). Also, I have these two red circles that contain white x's within them in system tray that keep flashing notifications every 5 seconds saying "Your computer is infected!".

Last night these messages changed my background to "Your computer is infected!" and then a brief description in a white textbox, and the background color to black. I had to go to my regedit >> current_user >> system >> and so forth to get that removed, and finally did.

I have just gotten HiJackThis! and have created a log. Here is the log. All help is appreciated! Thank you !

Logfile of HijackThis v1.99.1
Scan saved at 9:12:01 PM, on 10/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System\svchost.exe
C:\WINDOWS\System\SMSS.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\winstall.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\split1.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\sysvcs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1126235632\EE\AOLHostManager.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1126235632\EE\AOLServiceHost.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1126235632\EE\AOLServiceHost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\HP Authorized Custom\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {4BAD11A3-05EB-4D77-9DC7-A0C421D6665B} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: C:\WINDOWS\q43422.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q43422.dll
O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - C:\WINDOWS\system32\prflbmsgp32.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [drwebupdate] C:\WINDOWS\System32\drwebupdate.exe
O4 - HKLM\..\Run: [smss] C:\WINDOWS\System\SMSS.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [drwebupdate] C:\WINDOWS\System32\drwebupdate.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [drwebupdate] C:\WINDOWS\System32\drwebupdate.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: Win32 Classes -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0595065-2F60-4B43-8FD1-373CD0F093F9}: NameServer = 85.255.113.125,85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\..\{A0595065-2F60-4B43-8FD1-373CD0F093F9}: NameServer = 85.255.113.125,85.255.112.26
O17 - HKLM\System\CS3\Services\Tcpip\..\{A0595065-2F60-4B43-8FD1-373CD0F093F9}: NameServer = 85.255.113.125,85.255.112.26
O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q43422.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:08 PM

Posted 21 October 2005 - 03:23 PM

Download this program:

submit files packer

Highlight the files listed below in bold and right-click and selecting copy.


C:\WINDOWS\System32\drwebupdate.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:


O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {4BAD11A3-05EB-4D77-9DC7-A0C421D6665B} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: C:\WINDOWS\q43422.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q43422.dll
O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - C:\WINDOWS\system32\prflbmsgp32.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [drwebupdate] C:\WINDOWS\System32\drwebupdate.exe
O4 - HKLM\..\Run: [smss] C:\WINDOWS\System\SMSS.EXE
O4 - HKLM\..\RunServices: [drwebupdate] C:\WINDOWS\System32\drwebupdate.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [drwebupdate] C:\WINDOWS\System32\drwebupdate.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: Win32 Classes -
O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q43422.dll

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\adsldpbc.dll
C:\WINDOWS\q43422.dll
C:\WINDOWS\system32\prflbmsgp32.dll
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System\svchost.exe
C:\WINDOWS\System32\drwebupdate.exe
C:\WINDOWS\System\SMSS.EXE
C:\winstall.exe
C:\WINDOWS\SYSTEM32\mcfG7A.dll
C:\WINDOWS\q43422.dll

Reboot your computer to go back to normal mode.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:08 PM

Posted 14 November 2005 - 10:33 AM

As you have not responded to this topic in some time I have closed this topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users