-
December 14th, 2005, 11:39 AM
#1
SpySheriff
My irritating MySpace junkie of a sister has been using one of my computers for the last month and ended up installing Kazaa. Well, she also picked up SpySheriff and now I'm having trouble removing this thing. So far I went into safe mode and ran Ad-Aware, SBS&D and AVG. Didn't kill it. Do people on this site help out with malware? If I download HijackThis or some other program like it, will someone help me get rid of this thing? So far, I got rid of the background and all that stuff, but SpySheriff is still there.
-
December 14th, 2005, 11:45 AM
#2
http://www.spywareinfo.com/~merijn/downloads.html
http://labs.paretologic.com/spyware....ove=SpySheriff
The first link is for HijackThis, the second is how to remove SpySheriff. It took me about 10 seconds to find on Google. If you have any more problems, let me know.
-
December 14th, 2005, 11:48 AM
#3
Thanks, I Googled it too and found HijackThis. In fact, I already had it. There were some other sites where people post their logs and people help them find the exploits. I just figured that people do that here too.
-
December 14th, 2005, 11:51 AM
#4
http://www.delphifaq.com/faq/windows_user/f850.shtml - try this link to remove SpySheriff if the link I gave you doesn't work. If you post your HijackThis log I will take a look at it for you.
-
December 14th, 2005, 11:59 AM
#5
Thanks. I ran it and got rid of the exploits that I was told were bad. Still there though. Man, it's one in the morning here. I'll give that link a crack and see if I can get this thing out before I sleep. Thanks for the help.
-
December 14th, 2005, 12:12 PM
#6
Got it. Thanks, the link worked. Also, I went to this Coyote site that went over all the fields for HijackThis for me.
Here is a copy of what I have now:
Anything else you think I should kill?
Logfile of HijackThis v1.99.1
Scan saved at 12:53:55 AM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\RMClient\PMClient.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Avant Browser\avant.exe
D:\Documents and Settings\liz\My Documents\HiJackThis\hijackthis\HijackThis.exe
D:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartNetMonitor for Client.lnk = D:\Program Files\RMClient\PMClient.exe
O8 - Extra context menu item: Add to AD Black List - D:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - D:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - D:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - D:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - D:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - D:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A84AD514-EC6A-414A-911F-5C4F7AD6229E}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
-
December 14th, 2005, 12:45 PM
#7
Hmm, well, I checked Sophos for SpySheriff and it seems it has different variants,
but Sophos gives you a good analysis of the rogue, like which keys it inserted, files, and the behaviour of the malware.
http://www.sophos.com/search/search-...rch=spysheriff
Check that link out.
-
December 14th, 2005, 12:48 PM
#8
IMO, I would kill: O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
because those are BHOs (browser hijack objects) and those aren't good. The only toolbar I have is the Google Toolbar, so if I were you I would uninstall the MSN and Yahoo toolbars. The Google Toolbar is a BHO also, but to my knowledge it doesn't do any harm to your system. And you also don't need the Adobe BHO, because really, how often do you use Adobe? You don't need it running on your system all the time; just open Adobe when you need it and close it when you're done. When you get into HijackThis, just put a checkmark next to the things I listed, then click "Fix this". But, just in case, make sure to make a System Restore Point before you do anything. Good luck.
-
December 14th, 2005, 12:57 PM
#9
Hmm, no offense, but I'd like to correct a minor misconception here.
BHO stands for Browser Helper Object.
It's just an add-on installed by programs to let you access their features easily via the browser, i.e. with Yahoo, you can check your mail with a click of a button.
But The Texan is correct: if you don't really NEED them, then don't keep them, because one of them might be exploitable. As far as I remember, there WAS an exploit that used the Google Toolbar.
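As an added example (not posted by anyone in this thread), here is a small Python script that parses the HijackThis 1.99 log format shown in post #6 and pulls out the entry classes that posts #8 and #9 argue about: O2 BHOs and O3 toolbars (things loaded into Internet Explorer), O4 autostarts, entries HijackThis tagged "(file missing)", and O17 DNS servers that are not on the LAN or loopback. The sample log inside it is constructed from a few lines modelled on the posted log; the second O17 line, with a placeholder adapter GUID and the documentation-range address 203.0.113.53, is invented to show what a DNS server you did not configure looks like in the output. Nothing the script flags is proof of malware; it only narrows what a reviewer should look at, which is the same judgement call the thread is making by hand.

```python
"""Parse a HijackThis 1.99-style log and triage the entry classes discussed in
this thread.  Added example; the sample log below is constructed and is not
the full log from the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in HijackThis 1.99.1 format.  The second O17 line
# (placeholder adapter GUID, documentation address 203.0.113.53) is invented.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A84AD514-EC6A-414A-911F-5C4F7AD6229E}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.53
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")          # "O2 - BHO: ..."
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|scr)\b", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")

# RFC 1918 plus loopback.  ipaddress.is_private() is deliberately not used:
# it also treats reserved blocks such as 203.0.113.0/24 as "private".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. "O2"
    body: str             # text after "O2 - "
    guid: Optional[str]   # CLSID / adapter GUID on the line, if any
    path: Optional[str]   # first module path on the line, if any
    file_missing: bool    # HijackThis appended "(file missing)"


@dataclass
class Report:
    processes: List[str]
    entries: List[Entry]


def parse_log(text: str) -> Report:
    """Split a log into the running-process list and the R/F/O entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            section, body = m.group(1), m.group(2)
            g = GUID_RE.search(body)
            p = PATH_RE.search(body)
            entries.append(Entry(section, body, g.group(0) if g else None,
                                 p.group(0) if p else None,
                                 "(file missing)" in body))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
    return Report(processes, entries)


def is_lan_or_loopback(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)


def triage(report: Report) -> Dict[str, List[str]]:
    """Group entries the way a log reviewer would: things loaded into IE,
    things that start automatically, orphaned registrations, and DNS servers
    outside the LAN.  Nothing here proves malice; it narrows what to inspect."""
    findings: Dict[str, List[str]] = {
        "browser_addons": [], "autostarts": [], "orphaned": [], "dns_external": []}
    for e in report.entries:
        if e.file_missing:
            findings["orphaned"].append(e.body)
        if e.section in ("O2", "O3"):
            findings["browser_addons"].append(f"{e.section} {e.guid} -> {e.path}")
        elif e.section == "O4":
            findings["autostarts"].append(e.path or e.body)
        elif e.section == "O17":
            m = NAMESERVER_RE.search(e.body)
            if m:
                for addr in re.split(r"[,\s]+", m.group(1).strip()):
                    if addr and not is_lan_or_loopback(addr):
                        findings["dns_external"].append(addr)
    return findings


if __name__ == "__main__":
    for kind, items in triage(parse_log(SAMPLE_LOG)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

To use it on a real log, read the file and pass its contents to parse_log; HijackThis 1.99 writes plain ASCII, so no decoding surprises. The O17 check is the one that catches something a human skimming the log tends to miss: a DNS server address that is neither the router nor loopback means name resolution for every program on the box is going somewhere you did not choose.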
-
December 14th, 2005, 01:06 PM
#10
OK, my bad, thanks for the corrections Sonic. To err is human.