
Thread: SpySheriff

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    228

    SpySheriff

    My irritating MySpace junkie of a sister has been using one of my computers for the last month and ended up installing Kazaa. Well, she also picked up SpySheriff and now I'm having trouble removing this thing. So far I went into safe mode and ran Ad-Aware, SBS&D and AVG. Didn't kill it. Do people on this site help out with malware? If I download HijackThis or some other program like it, will someone help me get rid of this thing? So far, I got rid of the background and all that stuff, but the SpySheriff is still there.

  2. #2
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    http://www.spywareinfo.com/~merijn/downloads.html

    http://labs.paretologic.com/spyware....ove=SpySheriff

    The first link is for HijackThis, the second is how to remove SpySheriff.... took me about 10 seconds to find on Google. If you have any more problems, let me know.
    Git R Dun - Ty
    A tribe is wanted

  3. #3
    Senior Member
    Join Date
    Jan 2004
    Posts
    228
    Thanks, I googled it too and found HijackThis. In fact, I already had it. There were some other sites that people post their logs on and people help them find the exploits. I just figured that people do that here too.

  4. #4
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    http://www.delphifaq.com/faq/windows_user/f850.shtml - try this link to remove SpySheriff if the link I gave you doesn't work. If you post your HijackThis log I will take a look at it for you.
    Git R Dun - Ty
    A tribe is wanted

  5. #5
    Senior Member
    Join Date
    Jan 2004
    Posts
    228
    Thanks. I ran it and got rid of the exploits that I was told were bad. Still there though. Man, it's one in the morning here. I'll give that link a crack and see if I can get this thing out before I sleep. Thanks for the help.

  6. #6
    Senior Member
    Join Date
    Jan 2004
    Posts
    228
    Got it. Thanks, the link worked. Also, went to this Coyote site that went over all the fields for HijackThis for me.

    Here is a copy of what I have now:

    Anything else you think I should kill?

    Logfile of HijackThis v1.99.1
    Scan saved at 12:53:55 AM, on 12/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\Program Files\RMClient\PMClient.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\Program Files\Avant Browser\avant.exe
    D:\Documents and Settings\liz\My Documents\HiJackThis\hijackthis\HijackThis.exe
    D:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: SmartNetMonitor for Client.lnk = D:\Program Files\RMClient\PMClient.exe
    O8 - Extra context menu item: Add to AD Black List - D:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - D:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Highlight - D:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - D:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Open In New Avant Browser - D:\Program Files\Avant Browser\OpenInNewBrowser.htm
    O8 - Extra context menu item: Search - D:\Program Files\Avant Browser\Search.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A84AD514-EC6A-414A-911F-5C4F7AD6229E}: NameServer = 192.168.1.1
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

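    Reading a log like the one above by hand is what the rest of the thread does. As an added example (my own code, not HijackThis and not anything posted in this thread), here is a small Python parser for the HijackThis v1.99 log format that pulls out the running processes and the R/F/N/O entries with their CLSIDs and file paths, then applies a few triage heuristics a reviewer applies mentally: registrations marked "(file missing)", O2/O3 objects that Internet Explorer loads at every start, O17 name servers outside private address ranges, and processes running out of a user profile. The sample input is a subset of lines copied from the log above; the section codes are HijackThis's real ones, while the function names and the heuristics are mine.

```python
"""Parse a HijackThis v1.99 log and flag entries that deserve a second look.

Added example for this thread; it is not HijackThis code and not a tool from
the original post. Section codes (R1, O2, O3, O4, O17, O18, O23 ...) are the
real HijackThis ones; the review heuristics below are my own.
"""
import ipaddress
import re

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:53:55 AM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Avant Browser\avant.exe
D:\Documents and Settings\liz\My Documents\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A84AD514-EC6A-414A-911F-5C4F7AD6229E}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Sections whose last " - " separated field is the file HijackThis resolved.
PATH_LAST_FIELD = {"O2", "O3", "O9", "O18", "O20", "O21", "O22", "O23"}


def _clean_path(raw):
    return raw.replace("(file missing)", "").strip().strip('"')


def parse_hjt(text):
    """Return {'processes': [...], 'entries': [{'section','raw','clsid','path','file_missing'}]}."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:  # the process list runs until the first blank line
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        path = None
        if section in PATH_LAST_FIELD:
            path = _clean_path(body.rsplit(" - ", 1)[-1])
        elif section == "O4" and "]" in body:  # O4 - HKLM\..\Run: [name] path
            path = _clean_path(body.split("]", 1)[1])
        entries.append({
            "section": section,
            "raw": line,
            "clsid": clsid.group(0) if clsid else None,
            "path": path,
            "file_missing": "(file missing)" in body,
        })
    return {"processes": processes, "entries": entries}


def review(parsed):
    """Heuristic triage; each finding is {'section','path','reason'}."""
    findings = []
    for e in parsed["entries"]:
        sec = e["section"]
        if e["file_missing"]:
            findings.append({"section": sec, "path": e["path"],
                             "reason": "dangling registration: registered DLL no longer exists"})
        if sec in ("O2", "O3"):
            findings.append({"section": sec, "path": e["path"],
                             "reason": "code loaded into Internet Explorer at every start; confirm the publisher of this file"})
        if sec == "O17":
            for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", e["raw"].split("NameServer =")[-1]):
                if not ipaddress.ip_address(ip).is_private:
                    findings.append({"section": sec, "path": ip,
                                     "reason": "DNS server is not on a private network; check for DNS hijacking"})
    for proc in parsed["processes"]:
        # Executables running out of a user profile are worth a look; note that
        # HijackThis itself, launched from My Documents, trips this check too.
        if "\\documents and settings\\" in proc.lower():
            findings.append({"section": "process", "path": proc,
                             "reason": "running from a user profile directory"})
    return findings


if __name__ == "__main__":
    for f in review(parse_hjt(SAMPLE_LOG)):
        print(f"[{f['section']}] {f['reason']}\n    {f['path']}")
```

    On the sample above the O2/O3 lines are reported as "confirm the publisher" items rather than as bad, the O18 msnim handler is the one dangling registration, the 192.168.1.1 name server is private and therefore silent, and the only process finding is HijackThis itself, which is the usual false positive of that heuristic.
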
  7. #7
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    Hmm, well, I checked Sophos for SpySheriff and it seems it has different variants,
    but Sophos gives you a good analysis of the rogue, like which keys it inserted, files, and behaviour of the malware.

    http://www.sophos.com/search/search-...rch=spysheriff

    Check that link out.

  8. #8
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    IMO, I would kill:
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    because those are BHOs (browser hijack objects) and those aren't good..... The only toolbar I have is the Google Toolbar, so if I were you I would uninstall the MSN and Yahoo toolbars. The Google Toolbar is a BHO also, but to my knowledge it doesn't do any harm to your system. And you also don't need the Adobe BHO because really, how often do you use Adobe? You don't need it to run on your system all the time; just open Adobe when you need it and close it when you're done. When you get into HijackThis just put a checkmark next to the things I listed, then click "Fix this", but, just in case, make sure to make a System Restore Point before you do anything. Good luck.
    Git R Dun - Ty
    A tribe is wanted

  9. #9
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    Hmm, no offense, but I'd like to correct a minor misconception here..

    BHO stands for Browser Helper Object...

    It's just an add-on installed by programs to let you access their features easily via the browser.. i.e. with Yahoo, you can check your mail with a click of a button..

    But The Texan is correct: if you don't really NEED them, then don't keep them, because one of them might be exploitable. As far as I remember, there WAS an exploit that used Google Toolbar.

  10. #10
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    OK, my bad, thanks for the corrections, Sonic.... To err is human.
    Git R Dun - Ty
    A tribe is wanted
