Malware attack! Spy Sheriff!!!

Akaz1976

Platinum Member
Jun 5, 2000
2,810
0
71
My wifes laptop has gotten attacked by this.

I have not faced this daunting a problem ever before.

Its completely f***** her computer. No wifi net connection. no task manager. Nothing works. And its continuously bombarded with 'spyware warnings' and 'offers to fix' etc.

I tried the solution from follwing
http://tinyurl.com/7ndqu

But didnt complete fix it. It go rid of spy sheriff program but i still am getting tons of warnings and wifi wont connect (its get stuff on acquiring setting state).

Following is the most current hijack this log run in safemode.

Logfile of HijackThis v1.99.1
Scan saved at 8:40:39 PM, on 21/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {3F10A9F2-4E4C-419C-60D2-40469797D9B1} - C:\WINDOWS\system32\pgnzytn.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run=,
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {3F10A9F2-4E4C-419C-60D2-40469797D9B1} - C:\WINDOWS\system32\pgnzytn.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: winapi32.MyBHO - {AF79D4A2-725D-4627-9E34-08C04833D798} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\system32\vxgame6.exe3584.exe"
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\SMBOLS~1\svchost.exe" -vt yazr
O4 - HKCU\..\Run: [Ego] C:\WINDOWS\??crosoft\??rss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v...86/client/wuweb_site.cab?1095902120125
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O20 - Winlogon Notify: prtsks - C:\WINDOWS\SYSTEM32\prtsks.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

Akaz1976

Platinum Member
Jun 5, 2000
2,810
0
71
ugh! that looks ugly. Shoud i just tell hijack to 'fix' all red stuff?

Akaz

PS. thanks for the website. Useful, though all the explainations are in german!
 

thecrecarc

Diamond Member
Aug 17, 2004
3,364
3
0
Originally posted by: Akaz1976
ugh! that looks ugly. Shoud i just tell hijack to 'fix' all red stuff?

Akaz

PS. thanks for the website. Useful, though all the explainations are in german!

ya.. well.. a few of em are in english, tho most are in german

yup, u should fix all the red stuff, but dont delete any vital stuff

 

Akaz1976

Platinum Member
Jun 5, 2000
2,810
0
71
Okay i deleted most of the stuff that was red.

But i cant delete

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

also for some reason in safe mode the task manager keeps showing iexplorer.exe as turning on and off and CPU usage at 100%!

really weird.

Just gonna try and reboot into windows normal.

lets see what happens.

Akaz
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Do this and watch SpySherrif get pwned: http://www.omnicast.net/~tmcfadden/scan.txt

When it's done you're gonna owe me an e-pizza :D Follow the directions precisely, including using Safe Mode With Command Prompt, not normal Windows and not standard Safe Mode either.

Since that stuff don't just fall from the sky, afterwards review your security situation.

The system should have current-generation (not old obsolete-generation) antivirus software that is fully configured to use all options, and getting updates for the virus definitions at least daily. I see you got Norton, and if it's older than 2005 generation you should bail.

It should have firewall protection.

It should have its Automatic Updates feature turned on, and you should fully enable DEP like in this pic.

Also analyze it with the easy-to-use Microsoft Baseline Security Analyzer download here. The older 1.2.1 version can check for missing Office2000 patches, the newer 2.0 version is better at everything else.

If you do have any Office products (Word, Excel, Outlook, whatever) then run it through http://officeupdate.microsoft.com to get them secured.

It would also be good to install Windows Defender download here, which is free and not too aggravating. It provides real-time spyware protection to supplement your antivirus software's capabilities.

Lastly, if you can get your wife to use a Limited account instead of a Computer Administrator account, that's a major help. To try it out, simply create a new user account on the system and leave it as a Computer Administrator account, and now switch her regular account to Limited (in Control Panel > User Accounts). See how it goes.
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Incidentally, your HJT log includes an item that the HJT.de site identifies as a Haxdoor component. Haxdoor is rootkit-enhanced stuff. You might want to PM me the text from the C:\report.html file so I can check it out.
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: John
Mech, the McAfee virus scanner you link to removes Spy Sherriff?
Yeah, and clones of it too (MalwareWipe, etc). At least that's what people are telling me, I haven't gone out of my way to test it firsthand :Q

McAfee seems to be on top of that stuff. We use McAfee at work, so I read every day's DAT report to see what's new, and McAfee will keep on revising their DATs, day after day, to counter the bad guys as they repack their stupid scamware to try to evade signature-based detection.
 

John

Moderator Emeritus<br>Elite Member
Oct 9, 1999
33,944
1
0
Thanks! I'll try it out next time I encounter an infected machine and report back with the results. :)
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: John
Thanks! I'll try it out next time I encounter an infected machine and report back with the results. :)
Cool, I hope it comes in useful :) The scan.bat file never changes, it just calls scan.exe with all the possible option switches so people don't typo something.

 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
I just ran Hijack This and it found nothing wrong with my computer :) (nothing came up red or was serious)
 

Akaz1976

Platinum Member
Jun 5, 2000
2,810
0
71
ugh! thanks guys.

I am really regreting jumping the gun on this one.

I deleted all the keys that were flagging red. and then lost her desktop completely.

Then after a while (and few reboots) most functionality came back except two major issues.

1. Desktop background is stuck on white. Cant change it for some reason.
2. Her wifi net connection wont work. It connects to the router alright be forever is stuck on 'acquiring network address' step.

Any idea how i can fix it?

Akaz

PS. any idea how this gets on PCs? so we can avoid it in the future.
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Akaz1976
ugh! thanks guys.

I am really regreting jumping the gun on this one.

I deleted all the keys that were flagging red. and then lost her desktop completely.

Then after a while (and few reboots) most functionality came back except two major issues.

1. Desktop background is stuck on white. Cant change it for some reason.
2. Her wifi net connection wont work. It connects to the router alright be forever is stuck on 'acquiring network address' step.

Any idea how i can fix it?

Akaz

PS. any idea how this gets on PCs? so we can avoid it in the future.

1) right-click in the desktop space and choose Properties. The usual Display panel appears. Go to the Desktop tab and click the Customize Desktop button. Now another panel appears. Click the Web tab and remove all the things in the white box.

2) Start > Run > cmd to start a command-line box, and then type ipconfig /all and post a screenshot of what the output is, maybe the malware has tampered with the setup.

3) if you go up to my first post in the thread, that pretty much is the answer to how you can avoid it in the future: keep the system patched & protected, and don't use an Administrator-level user account for daily-driver stuff like Web browsing, email, and IM. I guess it goes without saying, don't wantonly install junk off the Internet either (screensavers, smilies, codecs, P2P, etc).
 

Akaz1976

Platinum Member
Jun 5, 2000
2,810
0
71
Ok. I stumped. Some times it works sometime it doesnt.

Would reinstalling windows fix the problem? Is there a particular type of install that would work better than other?

Akaz
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Akaz1976
Ok. I stumped. Some times it works sometime it doesnt.

Would reinstalling windows fix the problem? Is there a particular type of install that would work better than other?

Akaz
If you want to be rid of it, then run DBAN to utterly erase your drive, then reinstall Windows. If your WinXP CD doesn't have SP2 onboard, then keep the computer isolated from any networks and install SP2 offline from a CD or USB drive. full SP2 installation file here

Other than that, keep the system patched, fully arm your Data Execution Prevention like this, patch & update all other software (Adobe, Java, Office, and especially web browsers of any kind and media players of any kind). Use antivirus software and turn on all its options for a change. Install Windows Defender antispyware from Microsoft.com. Don't install stuff that you stumble across on the Internet, don't play with P2P/warez. And do not use an Administrator-level account for daily-driver stuff like Web browsing, IM and email!!! You, her, and any visitors should be using Limited accounts. Bust out the Administrator account when you need to do Admin tasks.

Also (duh) protect the system with software & hardware firewalls. more setup security suggestions Incidentally, get rid of the WebShots habit too.