Spyware I can't remove

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Sorry if this sounds screwy. I've done so much now that I forgotten a lot of the details.

I had something called SpySheriff automatically install through IE.

AdAware (AA) found and removed ~100 things, but said it couldn't remove at least one thing (1, or 4?). I think (?) that same thing it said it was (or could be?) a shell replacement or hijacker (I can't remember what it called it).

I ran Spybot (SB), and it couldn't remove everything either. Though after running AA again, then SB, it removed everything it found. But running AA again, it found 52 more objects.

Also, how do you get SB to show a log of what it found?


One thing AA found was
ClickSpring
C:\windows\System32\m?iexec.exe


One thing SB found was:
Kazaa.Irc.DarkIrc11.LiteStalky
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

(I didn't get this from Kazaa).


So, how do I get rid of SpySheriff?



Also is there no way to select everything at once in AA to be removed?
 

BlueWeasel

Lifer
Jun 2, 2000
15,944
475
126
Have you tried MS Antispyware? I've found several items that it removed with no problems where AA and Spybot couldn't.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Also, what antivirus are you using exactly? By "exactly" I mean brand, version, and how recent the updates are.

Considering the appearance of something apparently relating to IRC, I would be doing some heavy antivirus scanning pronto, and lock down your router on all ports you don't actually need open. Actually, *I* would be nuking that Windows installation completely, but I'm just crazy like that :evil:

router lockdown concept

suggested antivirus software & configuration if you need something good or at least try their web-based scanner overnight

Microsoft Baseline Security Analyzer

Microsoft AntiSpyware Beta

 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Well, things have gotten worse. I can't even access this thread anymore on that machine. When I can get IE to load, it redirects most URLs (even links I click), and often crashes. I had to go over to my parents' Win95 dial-up machine to send this.

It seems like more and more spyware is being downloaded and installed. The modem light is very busy. I unplugged the modem cable after a while, but plug it back in briefly to try to get to this thread. Is someone likely getting my data or what? Who the heck creates and uses all this junk?

Some more apps that have shortcuts on the desktop are Aurora, Kill All Apyware, Pop UP Killer, Virus Hunter Security, and Free Pics icon. And a search box above the tasktray.

One AA entry description was "shell possibly compromised" and another "URL prefix possibly compromised".

The system is very slow. After I boot, I can't do anything for a while.

Ctrl Alt Del is disabled most of the time.

I get a BSOD if I let AA or SB scan long enough. The BSOD says something about a page fault in nonpaged area. If I stop the scan early, I can remove some things, but several things (12 one time) it said it couldn't remove, all items in "c:\windows\isrus\" and "c:\windows\system32", including msdbhk.dll, DrPMon.dll, desktop.exe, m?ixec.exe, mfiltis.dll, and ffisearch.exe.

I also get a BSOD after trying to navigate to a folder in Windows Explorer.

Another problem is this HDD only has like 15MB (yes, MB) left on it after all this crap installed (I didn't have much left to begin with, haven't had time to install a new HDD). I can't get far enough in Windows Explorer to delete anything.

The last run of AA I did found 254+ before a BSOD.

Can I run something from a CD, from DOS? Then reinstall WinXP Pro on top of the old installation?

Will safe mode help? I tried F8 but couldn't get into it.

Is my data corrupt?

I can't reformat this drive since it has all my data on it.
If there is nothing else I can do to save the installation, think I can still copy data off of it to another drive?


As far as your questions, I haven't tried MS Antispyware, and couldn't D/L it now, unless I could D/L and burn it on another machine, and the PC in question will even let me install it.

Antivirus - I'm using NAV 2003, with the newest DEFS.

I dont use a router. Only XP's orig. Firewall.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
NAV2003 doesn't detect adware/spyware threats even with the latest definitions, unlike 2004 and 2005, so that hasn't helped you. What I would do is find a different, healthy WinXP/Win2000 system, put your system's hard drive into it, pull out whatever data/files you want to save, then reformat your system's drive blank, put it back into your system again, and reinstall Windows on it fresh.

Also buy a dasm router :p Here are some pages you might want to look at:

precautions during Windows Setup to avoid immediate worm infection

ongoing security after Setup is done

suggested router and how to lock it down all the way

Kaspersky Antivirus Personal 5 (not Pro) 30-day trialware & configuration

Hope that helps :) The best single defense you could've used in this situation is actually a Limited account and strong passwords on the system's Admin-class accounts, so pay attention to that part when you come to it.

BTW if you do have access to another system that has a burner, then you could take a crack at your badware by following the instructions in this text file, which runs a McAfee emergency scanner that doesn't need any installation per se. Disable System Restore and run that scanner in Safe Mode if you want. It'll take a while, so be sure you have enough snacks :Q
The modem light is very busy.
...because someone is using your machine in their botnet, or hosting a phishing website on it, or running an IRC channel or a server on it, or etc. It's not your computer any more. Get a router and lock it down.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Thanks a lot for the tips.
As far as the McAfee thing, could I not use the /del switch and just delete what I want?


I'll read your website in depth tomorrow, but quickly looking, it shows how to make a SP2 CD. How about just making a slipstream WinXP CD with SP2 already installed?

Do you not recommend wireless routers?
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Slickone
Thanks a lot for the tips.
As far as the McAfee thing, could I not use the /del switch and just delete what I want?
You could use the /clean switch or the /move switch in place of /del, but basically the /del switch is going to go after the Trojans, Downloaders and Backdoors that I'm sure you don't want anyway, and which could not be cleaned because they're inherently evil :evil: I really think you have a lost cause overall and should just Drop The Bomb On It, period. The sooner you start, the sooner you'll be lookin' at your nice fresh malware-free WinXP installation :)

I'll read your website in depth tomorrow, but quickly looking, it shows how to make a SP2 CD. How about just making a slipstream WinXP CD with SP2 already installed?
Actually it doesn't show making a SP2 CD, it shows downloading the whole 220MB+ SP2 installer itself. Or maybe that's what you meant. Slipstreaming SP2 into your WinXP would be great though, go for it :cool: One way or the other, getting SP2 installed before making a connection is a good plan.
Do you not recommend wireless routers?
Wired is the safe bet if you're not up-to-speed on wireless security and aren't sure what to shop for and how to set it up securely. Or you could get a wireless one, and disable the wireless part if you don't need it just yet. WPA encryption is a must, don't settle for WEP.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Yeah, downloading the SP2 patch and copying to a CD is what I meant. So where's a good place to read about creating a slipstream CD? I'm not sure I can get to my info about it on the other PC now.

I could find more use for a wireless router than I could a wired one, other than just for the security. So saying I got up to snuff on the wireless security and locked it down, is it just as good?
Any wireless routers you recommend? Maybe something in Hot Deals? :)
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Slickone
Yeah, downloading the SP2 patch and copying to a CD is what I meant. So where's a good place to read about creating a slipstream CD? I'm not sure I can get to my info about it on the other PC now.

I could find more use for a wireless router than I could a wired one, other than just for the security. So saying I got up to snuff on the wireless security and locked it down, is it just as good?
Any wireless routers you recommend? Maybe something in Hot Deals? :)
I'm not up-to-speed on the wireless-equipped router scene, but you don't want to get stuck with some piece-of-junk Belkin or something, and end up not being able to actually block ports to your tastes :eek: You could hit Newegg and search for models from Netgear, Linksys and D-Link that feature WPA, and see what you think of the prices. Maybe I'm being paranoid about the importance of WPA over WEP, but I'd rather be safe than sorry myself. :confused:

Do a Forum search in Operating Systems for "slipstream sp2" and you should have some good leads :) Or just download the installer, burn it to CD, and patch to SP2 before letting the new installation of Windows get a network connection; it will take less time to install SP2 than to do the slipstream and burn, I think.
 

KeyserSoze

Diamond Member
Oct 11, 2000
6,048
1
81
Originally posted by: Slickone
Yeah, downloading the SP2 patch and copying to a CD is what I meant. So where's a good place to read about creating a slipstream CD? I'm not sure I can get to my info about it on the other PC now.

I could find more use for a wireless router than I could a wired one, other than just for the security. So saying I got up to snuff on the wireless security and locked it down, is it just as good?
Any wireless routers you recommend? Maybe something in Hot Deals? :)


Download AutoStreamer. All you need is your WinXP Disc (Or older versions of Windows as well), and the Service Pack. It'll find your Windows Disc, then you point it to your Service Pack File. It will create an ISO image of Windows with the Service Pack integrated. (Then, just burn with your favorite burning program, remember that you are burning an ISO, or "image", not a data CD.) Really easy to use.

Here is a link:
AutoStreamer
More Info on AutoStreamer

ALSO, get this program:
AutoPatcher

Updated every month, to incorporate new Security Fixes from MS, as well as Add-Ons, and Power Tools. Really easy to use, with a menu to let you pick what options you want on your machine. Nice program! This way, after you install with SP2, you'll be fully patched with security fixes NOT in SP2.

Good Luck!




KS
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Slickone
Yeah, downloading the SP2 patch and copying to a CD is what I meant. So where's a good place to read about creating a slipstream CD? I'm not sure I can get to my info about it on the other PC now.

I could find more use for a wireless router than I could a wired one, other than just for the security. So saying I got up to snuff on the wireless security and locked it down, is it just as good?
Any wireless routers you recommend? Maybe something in Hot Deals? :)
I don't happen to see anything scorching on routers over in the HD forum @ the moment. I'd recommend the WRT54G or WRT54GS. I've owned the WRT54G for quite some time and a D-Link DI-624; either would be fine, but the Linksys has some very nice FW alternatives since Linksys went open source with their code. You can read more about it over in the HD forum Here.

 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Wow that sounds good. Last time I read about slipstreaming (SP1), a couple years ago, you had to figure out which fixes you needed, find/download, and add them in yourself. Thanks.

BTW, I've noticed a few other threads in the past couple days that also mention Aurora, and DrPMon.dll. Several different (conflicting?) suggestions on how to remove it.
And a thread that mentioned a way to run scanners from a CD.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Does anyone know a good place (here?) to post a scan log from hijackthis to know what all should be deleted?
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/advanced_search"); (C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\gayx5x0t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Brian\Application Data\Mozilla\Profiles\default\gayx5x0t.slt\prefs.js)
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - D:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsm6A.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash 2.4.20\SaveFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{95086361-EA83-4642-9B39-5D4012C0C9D8}\SVCHOST.EXE
O4 - HKLM\..\Run: [feoxend] c:\windows\system32\mkfuytb.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [gh4lm4tq] C:\WINDOWS\System32\gh4lm4tq.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{95086361-EA83-4642-9B39-5D4012C0C9D8}\SECURITY.EXE
O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Tese] C:\Documents and Settings\Brian\Application Data\stwt.exe
O4 - HKCU\..\Run: [Ysqxetz] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: c-program files-fastfolder by bb v330-fastfolder.LNK = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSIns....com/vehicles/2005/corolla/ext360.html
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {A09B23FE-2BDE-41BC-A9E6-27355E132C23} - vr_sys.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
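The log above is the kind of thing people post for manual review, and most of the damage is visible in a handful of HijackThis sections: the R0/R1 home and search pages pointing at an IP address and a single odd domain, the O1 hosts-file override, O4 autorun entries that launch "svchost.exe" from the wrong directory or from unusual folders, a long list of O15 Trusted Zone additions, an O18 MIME filter, and O20/O21 DLLs loaded at logon. The following script is an added example for readers of this thread, not code from HijackThis or from anyone in the thread; it applies a small set of defender-side heuristics (all of them assumptions chosen for this example, not HijackThis's own rules) to an excerpt of the log posted above and reports which lines deserve attention and why. The `KNOWN_BARE` allowlist, the `SYSTEM_NAMES` set, and the `STANDARD_DIRS` set are the example's own choices; a real triage would tune them.

```python
"""Triage heuristics for a HijackThis log (added example; not HijackThis's own logic)."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines excerpted verbatim from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: auto.search.msn.com 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Tese] C:\Documents and Settings\Brian\Application Data\stwt.exe
O4 - HKCU\..\Run: [Ysqxetz] C:\WINDOWS\System32\m?iexec.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {A09B23FE-2BDE-41BC-A9E6-27355E132C23} - vr_sys.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

# Assumptions made for this example (not HijackThis rules): names that belong in
# System32, the directories under C:\WINDOWS where autoruns are expected, and
# unqualified file names that are normal in Run keys.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe"}
STANDARD_DIRS = {r"c:\windows\system32", r"c:\windows\system"}
KNOWN_BARE = {"rundll32.exe"}

# Sections whose mere presence is worth a look, with a fixed explanation.
FIXED = {
    "O1": "hosts-file override (hijacks name resolution for that host)",
    "O15": "site or IP added to IE Trusted Zone (weaker security settings apply)",
    "O18": "MIME filter registered (sees every text/html response)",
    "O20": "DLL loaded at logon via Winlogon Notify",
    "O21": "DLL loaded at logon via ShellServiceObjectDelayLoad",
}


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|ocx|scr))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def check_run_entry(body: str):
    """Heuristics for an O4 autorun entry; None means nothing stood out."""
    m = RUN_RE.match(body)
    if not m:
        return None
    exe = executable_of(m.group("cmd"))
    d, f = ntpath.dirname(exe).lower(), ntpath.basename(exe).lower()
    if "?" in f:
        return "non-printable character in file name"
    if not d:
        return None if f in KNOWN_BARE else "unqualified file name (resolved via search path)"
    if f in SYSTEM_NAMES and d != r"c:\windows\system32":
        return f"system binary name outside System32 ({d})"
    if d == r"c:\windows":
        return "executable placed directly in the Windows directory"
    if d.startswith("c:\\windows\\") and d not in STANDARD_DIRS:
        return f"non-standard directory under Windows ({d})"
    if "\\documents and settings\\" in d or re.fullmatch(r"[a-z]:\\", d):
        return "autorun from a user-writable or unusual location"
    return None


def check_ie_url(body: str, expected_hosts=frozenset()):
    """R0/R1: IE start/search pages. Anything not about:* or an expected host is reported."""
    value = body.partition(" = ")[2].strip()
    if not value or value.startswith("about:"):
        return None
    if IP_URL.match(value):
        return "start/search page set to a raw IP address"
    host = urlsplit(value).hostname or value
    return None if host in expected_hosts else f"start/search page points at {host}"


def triage(log_text: str, expected_hosts=frozenset()):
    """Walk the log and collect one Finding per line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            reason = check_ie_url(body, expected_hosts)
        elif sec == "O4":
            reason = check_run_entry(body)
        else:
            reason = FIXED.get(sec)
            if reason and "(file missing)" in body:
                reason += "; file missing (orphaned registration)"
        if reason:
            findings.append(Finding(sec, raw.strip(), reason))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O4': 6, 'O15': 2, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run as-is it prints each flagged line with its reason and a per-section count; the two legitimate O4 entries (the NVIDIA rundll32 line and QuickTime) pass, while the "svchost.exe" in C:\WINDOWS\System, the bare "msxct.exe", the entries under C:\WINDOWS\isrvs, the drive root, and Application Data are all called out. Pass a set of hosts you actually expect as `expected_hosts` to keep your own home page out of the R0/R1 findings. Heuristics like these only point at what to look at; as the thread's advice makes clear, a box with this many hooks is better rebuilt than cleaned line by line.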