SpySherriff



#1
paxtonsmith

paxtonsmith

    New Member

  • Member
  • Pip
  • 6 posts
Hi,

My system is infected with SpySherriff. This is what I have done so far:

1. Cleanup
2. Can't install/run Ad-aware SE:
- Error: After the "Checking for previously installed components" message,
the installer dies.
3. Can't install/run CWShredder:
- Error: "A required .DLL, OLEACC.DLL, was not found"
4. Installed SpyBot, but when I run it I get this:
- Error: "A device attached to the system is not functioning", then
- Error: "SpybotSD.exe is linked to missing export
USER32.DLL:EndMenu."
- Note: Windows startup: "TeaTimer.exe is linked to missing export
USER32.DLL:EndMenu".
5. Ran Trend housecall
6. Installed and ran AVG (currently running)
7. Installed and ran TrojanHunter (currently running)
8. I downloaded the W95 updates and installed them, but when I re-ran
Trend Housecall it said I was still missing all of the updates! Maybe I'll
repeat this once the SpySherriff is off.
9. Installed and ran XoftSpy
- I manually removed all of the trojans, malware, hijackers etc. it found
using the instructions posted on the Symantec website.
10. Re-ran cleanup
11. Rebooted
12. Posted this.

Can you please help me out? I don't know how to get rid of SpySherriff!

Thanks!

Paxton

(HijackThis log to follow)
  • 0



#2
paxtonsmith

paxtonsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:33:27 PM, on 8/18/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WNETFIN\NETFBASE.EXE
C:\PROGRAM FILES\TIVOLI\LCF\BIN\WIN95\MRT\LCFD.EXE
C:\WINDOWS\MWW32\MANAGER\MWSSW32.EXE
C:\SDWORK\ISSIMSVC.EXE
C:\PROGRAM FILES\C4EBREG\ISAMSMT.EXE
C:\WNETFIN\PFAB.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WNETFIN\ALERTMGR.EXE
C:\WNETFIN\MONBASE.EXE
C:\WINDOWS\SYSTEM\DMCONFIG.EXE
C:\WNETFIN\CMBASE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
C:\THINKPAD\TP98.EXE
C:\PROGRAM FILES\C4EBREG\C4EBREG.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\HPRTRY07.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usefulware.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.can.ibm.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINDOWS\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [C4EBReg] "C:\PROGRAM FILES\C4EBREG\C4EBREG.EXE" /q
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\PROGRAM FILES\C4EBREG\isamsmt.exe"
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [NetFinity] C:\WNETFIN\netfbase.exe
O4 - HKLM\..\RunServices: [lcfd1] "C:\Program Files\Tivoli\lcf\bin\win95\mrt\LCFD.EXE" -C "C:\Program Files\Tivoli\lcf\dat\1"
O4 - HKLM\..\RunServices: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\RunServices: [ISAM SMT Service] "C:\PROGRAM FILES\C4EBREG\isamsmt.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP 2000C Taskbar Icon.lnk = C:\WINDOWS\SYSTEM\HPRTRY07.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system\nwws2slp.dll' missing
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.usefulware.com/
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://vxiframe.biz/...chm::/win32.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = ibm.com,ibm.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 158.98.208.3,158.98.208.4
O21 - SSODL: System - {17D71D60-0AD0-11DA-8B0A-000629355A3B} - vr_sys.dll (file missing)
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Download: DelDomains.inf
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items, then click FIX CHECKED:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usefulware.com/

O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.usefulware.com/

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://vxiframe.biz/...chm::/win32.exe

O21 - SSODL: System - {17D71D60-0AD0-11DA-8B0A-000629355A3B} - vr_sys.dll (file missing)

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Regards,
  • 0
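The reply above picks out a handful of HijackThis entry classes to fix: a hijacked R1 default page, the O13 prefix and O14 IERESET.INF overrides, every O15 Trusted Zone / trusted IP range addition (all of which DelDomains.inf wipes), an O16 Downloaded Program File fetched through a non-http scheme, and an O21 SSODL entry whose DLL is missing. The script below is an added example, not part of this thread or of HijackThis itself: it encodes those same triage rules and runs them over a few lines copied from the log posted in this thread. The rule set and the `KNOWN_GOOD_HOSTS` allowlist are assumptions of this example; the rest of the log's lines (O4 Run keys, the HouseCall O16 controls) are left alone to show that the rules do not simply flag everything.

```python
"""Triage a HijackThis-style log with the entry classes singled out in the thread.

Added example (not from the thread or from HijackThis). Rules are an assumption
of this example; they mirror the items the helper told the poster to fix.
"""
from urllib.parse import urlsplit

# Assumption: hosts the machine's owner recognises as legitimate start pages.
KNOWN_GOOD_HOSTS = {"www.google.ca"}

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usefulware.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.usefulware.com/
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://vxiframe.biz/...chm::/win32.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O21 - SSODL: System - {17D71D60-0AD0-11DA-8B0A-000629355A3B} - vr_sys.dll (file missing)
"""


def _split_url(url):
    """Return (scheme, hostname) in lower case; empty strings if unparseable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "", ""
    return parts.scheme.lower(), (parts.hostname or "").lower()


def triage(log_text):
    """Return [(section, line, reason)] for every line the rules flag, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        reason = None

        if section in ("R0", "R1") and " = " in line:
            # Start/default page: only flag when it points somewhere unrecognised.
            url = line.split(" = ", 1)[1]
            if url.strip() and _split_url(url)[1] not in KNOWN_GOOD_HOSTS:
                reason = "IE start/default page points at an unrecognised host"
        elif section == "O13":
            # A WWW. prefix override reroutes bare hostnames typed into IE.
            reason = "IE URL prefix override (prefix hijack)"
        elif section == "O14":
            # IERESET.INF decides what 'reset web settings' restores to.
            url = line.split("START_PAGE_URL=", 1)[-1]
            if _split_url(url)[1] not in KNOWN_GOOD_HOSTS:
                reason = "IERESET.INF reset target points at an unrecognised host"
        elif section == "O15":
            # Trusted Zone/IP range entries drop IE's security checks for that site.
            reason = "Trusted Zone / trusted IP range entry added"
        elif section == "O16":
            # Downloaded Program Files should come from plain http(s) URLs.
            parts = line.split(" - ", 2)
            scheme = _split_url(parts[2])[0] if len(parts) == 3 else ""
            if scheme not in ("http", "https"):
                reason = f"Downloaded Program File fetched via '{scheme or 'unknown'}' scheme, not http(s)"
        elif section == "O21":
            # ShellServiceObjectDelayLoad: loaded by Explorer at logon; rarely legitimate.
            reason = "ShellServiceObjectDelayLoad entry"
            if "(file missing)" in line:
                reason += " whose DLL is missing on disk"

        if reason:
            findings.append((section, line, reason))
    return findings


def fix_list(log_text):
    """Just the lines to tick in HijackThis before 'Fix checked'."""
    return [line for _, line, _ in triage(log_text)]


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run as-is it prints eight flagged lines; the R0 Google start page, the O4 Run entry and the two HouseCall controls pass. The allowlist is the one judgement call the script cannot make for you: a corporate build may legitimately set a non-Google default page, so compare R0/R1/O14 hits against what the machine is supposed to use before fixing them.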

#4
paxtonsmith

paxtonsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Incident Status Location
Adware:adware/adsmart No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\win32.exe
Adware:adware/spysheriff No disinfected Windows Registry
Dialer:Dialer.CBZ No disinfected C:\WINDOWS\SYSTEM\maxd1.exe.tcf
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\SYSTEM\ztoolb008.dll.tcf
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\SYSTEM\50277376.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\DESKTOP\AntiVirus\ps_uninstaller.exe
Virus:Trj/Downloader.EBM Disinfected C:\WINDOWS\Downloaded Program Files\win32.exe
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Virus:Trj/Downloader.EBM Disinfected C:\lo733411634.exe

Logfile of HijackThis v1.99.1
Scan saved at 5:25:26 PM, on 8/24/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WNETFIN\NETFBASE.EXE
C:\WINDOWS\MWW32\MANAGER\MWSSW32.EXE
C:\PROGRAM FILES\TIVOLI\LCF\BIN\WIN95\MRT\LCFD.EXE
C:\SDWORK\ISSIMSVC.EXE
C:\PROGRAM FILES\C4EBREG\ISAMSMT.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WNETFIN\PFAB.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WNETFIN\ALERTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WNETFIN\MONBASE.EXE
C:\WINDOWS\SYSTEM\DMCONFIG.EXE
C:\WNETFIN\CMBASE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
C:\THINKPAD\TP98.EXE
C:\PROGRAM FILES\C4EBREG\C4EBREG.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\HPRTRY07.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://w3.can.ibm.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [IBMUltraBayHotSwapSound] C:\WINDOWS\SYSTEM\IBMBAYSN.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINDOWS\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [C4EBReg] "C:\PROGRAM FILES\C4EBREG\C4EBREG.EXE" /q
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\PROGRAM FILES\C4EBREG\isamsmt.exe"
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [NetFinity] C:\WNETFIN\netfbase.exe
O4 - HKLM\..\RunServices: [lcfd1] "C:\Program Files\Tivoli\lcf\bin\win95\mrt\LCFD.EXE" -C "C:\Program Files\Tivoli\lcf\dat\1"
O4 - HKLM\..\RunServices: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\RunServices: [ISAM SMT Service] "C:\PROGRAM FILES\C4EBREG\isamsmt.exe"
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP 2000C Taskbar Icon.lnk = C:\WINDOWS\SYSTEM\HPRTRY07.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system\nwws2slp.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = ibm.com,ibm.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 158.98.208.3,158.98.208.4




smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Clean!! :)
  • 0

#5
paxtonsmith

paxtonsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
The only problems that I'm having now are the following messages,
which seemed to appear when my system first got infected, but I'm
not sure. Do you know what causes these?

1. When I try to run CWShredder.exe, I get:
"A required .DLL file, OLEACC.DLL, was not found"

2. When I try to run SpyBot Search and Destroy, I get:
"A device attached to the system is not functioning" and
"The SPYBOTSD.EXE file is linked to missing export USER32.DLL:EndMenu"

3. On startup, I get:
"A device attached to the system is not functioning" and
"The TEATIMER.EXE file is linked to missing export
USER32.DLL:MsgWaitForMultipleObjectsEx"
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Those errors are due to the fact that the software is not suitable for running on Windows 95

For CWShredder, you can try to install Microsoft Active Accessibility 2.0
as described here: http://support.micro...KB;en-us;810684
But I am not sure if it will work.

Version 1.3 of Spybot S&D should work for Windows 95
Or, at least it should not give you that error.
That version is available at these mirrors: http://www.filemirro...exe&action=Find

Regards,
  • 0

#7
paxtonsmith

paxtonsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks! That version of SpyBot works, and after I installed the MS Active Accessibility 1.3 (not 2.0) for Win95, I was able to install CWShredder:

http://www.microsoft...&displaylang=en


That takes care of everything - thanks for your help!
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts

Thanks! That version of SpyBot works, and after I installed the MS Active Accessibility 1.3 (not 2.0) for Win95, I was able to install CWShredder:



Oh cool. :tazz:

Thanks for letting me know. That might come in handy. :)

Glad we could help.

Regards,
  • 0
