Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

STRANGE! Had SpySherriff, now computer won't start


  • Please log in to reply

#1
kstansley

kstansley

    New Member

  • Member
  • Pip
  • 1 posts
I've looked through other SpySherriff posts but haven't seen anything similar, I apoligize if this is a repeat:

My work computer runs on Windows 2000 Professional. Had a major problem with SpySherriff. As I was trying to run SpyBot (before I knew about smitRem) all applications on that computer froze. (Along with the other popups, I kept getting the "refrenced memory at --whatever-- not read" errors. Not sure if that's normal.)

I attempted to restart... the computer will get past the "Windows 2000 Professional" startup screen to the blue screen (where you expect start menu and desktop icons to pop-up) and then there is a click and the whole thing restarts again. This goes on indefinitely.

I started the computer in safe mode but could not log on with my user ID, I could only log on as administrator. I did my best to follow the steps for removing SpySherriff listed on this site.

1. I successfully ran smitRem.exe (downloaded from another computer and transferred via flash drive... I ran this as Administrator because I couldn't log with any other ID)

2. Tried to run a complete scan with the ewido anti-malware program but there was an error halfway through. I did successfully run a "Fast System Scan" and saved this report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:05:39 PM 10/11/2006

+ Scan result:



[144] VM_00B40000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[164] VM_009B0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[276] VM_00840000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\WINNT\loadclean.exe -> Downloader.Delf.aeu : Cleaned with backup (quarantined).
C:\WINNT\system32\icasServ.exe -> Hijacker.Small.fd : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored.
C:\WINNT\system32\adir.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).


::Report end

3. I am unable to run the Panda ActiveScan, as I can only start the computer in Safe Mode.

4. I did run HijackThis and have this logfile:

Logfile of HijackThis v1.99.0
Scan saved at 3:08:27 PM, on 10/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\kstansley.DOMAIN1.000\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://stforum.st.ut...va/cfs40301.cab
O16 - DPF: {01A57E5C-3F7E-4AB1-89CF-6AFD334E2CC4} (Real Time Message Receiver (Customer Server, Apartment) Class) - http://209.137.103.3...b/TmsCommCS.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {D8D562C6-878C-11D2-943F-444553540000} (ctList Control 3.3) - http://209.137.103.3.../cab/ctlist.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FCACC1F7-19F3-4A85-92BE-1D024739E7B0} (ThinMap Control) - http://209.137.103.3...b/MapApplet.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1934078D-5FF6-43DE-A307-0C4597465ED5}: NameServer = 85.255.114.99,85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\..\{778C51D6-AF07-46B1-A6F8-9A9BC0803E1D}: NameServer = 85.255.114.99,85.255.112.229
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = domain1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.99 85.255.112.229
O17 - HKLM\System\CS1\Services\Tcpip\..\{1934078D-5FF6-43DE-A307-0C4597465ED5}: NameServer = 85.255.114.99,85.255.112.229
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = domain1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.99 85.255.112.229
O17 - HKLM\System\CS2\Services\Tcpip\..\{1934078D-5FF6-43DE-A307-0C4597465ED5}: NameServer = 85.255.114.99,85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = domain1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.99 85.255.112.229
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

5. I also tried to run AdAware SE which was already installed on the computer to no avail. It pretty much froze up at some point with no progress for an hour. In my experience this isn't normal for AdAware.

At this point just getting the computer to restart normally would be a great help so that I can continue trying to clean up this mess. I appreciate any help or advice. If anyone needs any other information, please let me know... Thank you!

~k
  • 0

Advertisements


#2
Guest_rushin1nd_*

Guest_rushin1nd_*
  • Guest
can rename hijack

rename it JHK.EXE then post in malware forum

can you start in safemode with networking

you are infected with vundo and hes not alone

there are some vundofixes out there

but your best bet is to get to the MALWARE FORUM
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP