Spy Sheriff Virus [CLOSED]

This topic is locked

#1 JenniferElyssa (New Member, 2 posts)
Hi, so I am visiting my parents trying to fix their computer, which has been infected with spyware (Spy Sheriff). I therefore downloaded HijackThis and was impatient and therefore deleted a lot of the stuff I saw. I think I probably deleted too much, but I do have backups... But some things that looked familiar I kept. The problems seem to be less, though the computer's display still says the computer is infected, etc. and I can't get rid of that as the display.

What can I do to fully fix the problem? Also how can I prevent something like this from happening again? Please describe in simple terms -- I am very unfamiliar with such virus problems.
Thanks.

Right now the log that I have is the following:
Logfile of HijackThis v1.99.1
Scan saved at 8:30:27 PM, on 8/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\txtknr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis-1.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\ldpsd11n.dll
O21 - SSODL: AOL Spyware Protection - {769CDB4C-A3BA-680F-D7DE-235C5EA474FB} - (no file)
O21 - SSODL: HP Photo Printing Software - {6A6FBFCA-1991-F476-0179-6629152C0120} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


#2 LostAccount (Visiting Staff, 80 posts)
Sorry we didn't get to your log earlier, but as you can see, the helpers here are really busy. If you still require help, please post a new HJT log.

#3 JenniferElyssa (Topic Starter, New Member, 2 posts)
Hi, so I am visiting my parents trying to fix their computer, which has been infected with spyware (Spy Sheriff). I therefore downloaded HijackThis and was impatient and therefore deleted a lot of the stuff I saw. I think I probably deleted too much, but I do have backups.... But some things that looked familiar I kept. The problems seem to be less, though the computer's display still says the computer is infected, etc. and I can't get rid of that as the display.

What can I do to fully fix the problem? Also how can I prevent something like this from happening again? Please describe in simple terms -- I am very unfamiliar with such virus problems.
Thanks.

Right now the log that I have is the following:
Logfile of HijackThis v1.99.1
Scan saved at 8:30:27 PM, on 8/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\txtknr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis-1.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\ldpsd11n.dll
O21 - SSODL: AOL Spyware Protection - {769CDB4C-A3BA-680F-D7DE-235C5EA474FB} - (no file)
O21 - SSODL: HP Photo Printing Software - {6A6FBFCA-1991-F476-0179-6629152C0120} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

#4 LostAccount (Visiting Staff, 80 posts)
Run HJT, go to Config, open the Backups Section and restore everything that you had deleted. I am asking you to do this mainly because of these two reasons:
  • I need to see everything so that I may diagnose the infections your PC has.
  • You might have fixed something important.
Go to Start>Control Panel>Add/Remove Programs and uninstall this program if present:

WinTools

You may want to print or save these instructions locally before starting.

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.

Please download the Nailfix utility.
DO NOT run it yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
  • Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
  • Select an option when the Windows Advanced Options menu appears, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O20 - AppInit_DLLs: repairs.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


Close all open windows except for HijackThis and click Fix Checked.

Now, run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode.

Delete this file:

C:\WINDOWS\system32\repairs.dll

Delete this folder:

C:\Program Files\Common Files\WinTools

Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type WinToolsSvc and press OK. OK any prompts, close HijackThis, and restart your computer.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread. Please post a new HijackThis log, as well as the log from the Ewido scan.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Edited by LostAccount, 23 August 2005 - 08:40 AM.

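The reasoning the helper applies to the log above (a Shell= value with an extra program chained on, IP ranges pushed into the Trusted sites zone, an AppInit_DLLs entry, a Winlogon Notify DLL with an unfamiliar name, and a service whose binary is gone) can be written down as a small triage script. This is an added example, not code from the thread or from HijackThis itself: the rule set is an assumed heuristic, and the sample lines are a subset copied from the posted log.

```python
import re

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O15 - Trusted IP range: 67.19.178.84
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\\WINDOWS\\system32\\ldpsd11n.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\\Program Files\\Common Files\\WinTools\\WToolsS.exe (file missing)
"""
# A HijackThis section line looks like "O23 - Service: ..." or "F2 - REG:...".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

def parse_log(text):
    """Return (section, body) pairs for every section line in the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def triage(text):
    """Return (section, body, reason) for entries the heuristic rules flag."""
    findings = []
    for sec, body in parse_log(text):
        reason = None
        if sec == "F2" and "Shell=" in body:
            # Only "Explorer.exe" is expected; anything appended runs at every logon.
            if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                reason = "extra program chained onto the Shell= value"
        elif sec == "O15":
            reason = "IP range added to the IE Trusted sites zone (weakened browser security)"
        elif sec == "O20" and body.startswith("AppInit_DLLs"):
            reason = "AppInit_DLLs loads this DLL into every user-mode process"
        elif sec == "O20" and body.startswith("Winlogon Notify"):
            reason = "Winlogon Notify DLL runs at logon; verify the file is a known one"
        elif sec == "O23" and "(file missing)" in body:
            reason = "service registration whose binary is gone (leftover to delete)"
        if reason:
            findings.append((sec, body, reason))
    return findings

if __name__ == "__main__":
    for sec, body, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {body}")
```

Entries the rules do not flag (the O4 ctfmon.exe line, the O10 LSP line, the AOL service) still come back from parse_log, so a reviewer can read them alongside the flagged ones rather than trusting the heuristic alone.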

#5 LostAccount (Visiting Staff, 80 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
