Spyware Sheriff Blues

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

wee-us

Thread Starter
Joined
Jul 11, 2006
Messages
12
Hello,

I had some problems with Spyware Quake a couple of days ago, and I thought that I got it cleared up, but I was obviously fooling myself. Now it is back as "Spyware Sheriff" - pardner (well, at least I can still laugh about it). I have read some of the threads and did a HijackThis scan, which I will send with this. Any help is greatly appreciated.

Wee-us
 

Attachments

Joined
Jul 8, 2002
Messages
14,681
Please save or print these instructions before beginning

Extract SmitfraudFix to your Desktop

Start your computer in Safe Mode

From the SmitfraudFix folder on your Desktop, run smitfraudfix.cmd
Select Option #2 - Clean by typing the number 2 then pressing Enter
Type Y and press Enter when asked if you would like to clean the registry
Type Y and press Enter if you are asked if you would like to replace wininet.dll

Restart your computer and post the contents of the SmitfraudFix log that pops up
If the log does not appear, you can find it at C:\rapport.txt

Run HijackThis and click Do a system scan and save a log file
Your HijackThis log will open in Notepad. Post the contents of the log here
 

wee-us

Thread Starter
Joined
Jul 11, 2006
Messages
12
I ran SmitfraudFix, but it didn't ask about the registry or replacing wininet.dll. I don't think that I mentioned in the first post (and I don't know if it matters), but I am doing everything from Safe Mode. I can hardly do anything in Windows. So, here are the SmitfraudFix and the HijackThis logs. Once again, I appreciate all your help!

Wee-us
 

Attachments

Joined
Jul 8, 2002
Messages
14,681
Save KillBox to your Desktop

Download and run VundoFix: http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt

Run HijackThis and click Do a system scan only
Put a checkmark next to each of the following entries that appear:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byxxwur.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrde_5.exe
O4 - HKLM\..\Run: [newname] C:\\nwnme_5.exe
O4 - HKLM\..\Run: [MODE MEDIA HIDE ONCE] C:\Documents and Settings\All Users\Application Data\CREATIVEIDLEMODEMEDIA\Hope Build.exe
O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKCU\..\Run: [Option gram] C:\DOCUME~1\JIM&BE~1\APPLIC~1\BIASTH~1\DvdTime.exe
O4 - HKCU\..\Run: [Ubua] "C:\WINDOWS\ICROSO~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O20 - Winlogon Notify: byxxwur - C:\WINDOWS\SYSTEM32\byxxwur.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - (no file)

Click Fix Checked and exit HijackThis


Run KillBox and select Delete on Reboot
Copy this list of file locations to your clipboard:

C:\WINDOWS\system32\byxxwur.dll
C:\Program Files\ToolBar888\MyToolBar.dll
C:\Program Files\ToolBar888\
C:\Program Files\Security Toolbar\
C:\dfndre_5.exe
C:\kybrde_5.exe
C:\nwnme_5.exe
C:\Documents and Settings\All Users\Application Data\CREATIVEIDLEMODEMEDIA\Hope Build.exe
C:\Documents and Settings\All Users\Application Data\CREATIVEIDLEMODEMEDIA\
c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
C:\DOCUME~1\JIM&BE~1\APPLIC~1\BIASTH~1\DvdTime.exe
C:\DOCUME~1\JIM&BE~1\APPLIC~1\BIASTH~1\
C:\WINDOWS\ICROSO~1\wuauclt.exe
C:\WINDOWS\ICROSO~1\
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\winstall.exe
C:\WINDOWS\SYSTEM32\senssrv.dll
C:\WINDOWS\SYSTEM32\winrvc32.dll
Go to File>>Paste from clipboard. Click All Files
Press the button with a red circle with an X in it, then Yes when prompted to restart your computer
WARNING: Your computer will be restarted. Any unsaved work in open applications will be lost.
Run HijackThis and click Do a system scan and save a log file
Your HijackThis log will open in Notepad. Post the contents of the log here
 

wee-us

Thread Starter
Joined
Jul 11, 2006
Messages
12
I ran VundoFix and HijackThis, and here are the logs. When I went to do a "system scan only" in HijackThis I could not find this string "O20 - Winlogon Notify: byxxwur - C:\WINDOWS\SYSTEM32\byxxwur.dll", but I was able to run a fix on the others. Then I did KillBox and another HijackThis scan. The computer is at least starting up easier.

Wee-us
 

Attachments

Joined
Jul 8, 2002
Messages
14,681
Save The Avenger to your Desktop

Copy the contents of the following box to your clipboard:
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winrvc32

Files to delete:
c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
C:\WINDOWS\SYSTEM32\winrvc32.dll
Run The Avenger and click OK
Select Input script manually and click the magnifying glass icon
In the View/edit script box, right-click and choose Paste
Click Done. Press the button with a picture of a green light
Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
Post the contents of the file C:\Avenger.txt

Run HijackThis and click Do a system scan only
Put a checkmark next to each of the following entries that appear:

O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKCU\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll

Click Fix Checked and exit HijackThis

Post a new HijackThis log and we'll see if they're gone
 

wee-us

Thread Starter
Joined
Jul 11, 2006
Messages
12
I got Avenger and HijackThis done, and here are the logs. Once again, one of the scripts for the HijackThis fix was not in there: "O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll". I don't know how I could get through this without your help!
 

Attachments

Joined
Jul 8, 2002
Messages
14,681
One of the files still isn't going away; let's try this.


  • Download WinPFind
  • Right-click the Zip Folder and select "Extract All"
  • Extract it somewhere you will remember, like the Desktop
  • Double-click WinPFind.exe
  • Click "Configure Scan Options"
  • Select "Run Add ONs" and then select ALL the options in the box below it, then press Apply
  • Now click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete:
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post! It will be too big to post, so you will need to attach it to your reply

Go to here and download 'Startup list V2'.

Save it to the desktop or another suitable place.

Double-click it to start it and, when it has finished scanning, press File/Save As and save its report.

Post that report back here for us to analyse.

You will need to attach the file, as it contains too much to post in the thread.
 
Joined
Jul 8, 2002
Messages
14,681
Save these instructions before beginning then boot into Safe Mode

Copy the contents of this box to your clipboard:
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v ÿ_zskgcmlkaxyazgnoje]niwmdksz_
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /f /v ÿ_zskgcmlkaxyazgnoje]niwmdksz_
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v ÿ_zskgcmlkaxyazgnoje]niwmdksz_
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run /f /v kernel32.dll
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run /f /v ishost.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run /f /v {F4393819-0BC6-1033-1101-040503140001}
Go to Start>>Run>>Notepad and click Edit>>Paste
Save the file to your Desktop as "fix.bat" including the "quotes".
Find fix.bat on your Desktop and double-click it

Copy the contents of the following box to your clipboard:
Files to delete:
C:\Windows\system32\ishost.exe
C:\WINDOWS\system32\atmclk.exe
c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
C:\WINDOWS\SYSTEM32\_zskdmwin]EJONGZAYXAKLMCG.dll
C:\Program Files\Common Files\{F4393819-0BC6-1033-1101-040503140001}\Update.exe
Run The Avenger and click OK
Select Input script manually and click the magnifying glass icon
In the View/edit script box, right-click and choose Paste
Click Done. Press the button with a picture of a green light
Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
Post the contents of the file C:\Avenger.txt

Run HijackThis and click Do a system scan only
Put a checkmark next to each of the following entries that appear:

O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKCU\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe

Click Fix Checked and exit HijackThis

Post a new HijackThis log and we'll see if they're gone
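Added example, not code from this thread or from HijackThis, KillBox or The Avenger: a small Python parser for the HijackThis line formats quoted in the KillBox post above and in this one (R0/R1, O2, O4, O20). It does by machine what the helper did by hand: pulls the file paths out into a "Files to delete:" list, expands the abbreviated HKLM\..\Run keys into the full paths that `reg delete` needs (the expansions match the commands posted above), and flags start-page entries that point at a local file such as c:\secure32.html instead of a URL. The sample log is constructed from entries quoted in the thread, the function names are mine, and the Browser Helper Objects key is the standard registration location rather than something quoted here.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines in HijackThis log format copied from the entries quoted
# in this thread. It is not the poster's attached log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byxxwur.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
O4 - HKLM\..\Run: [MODE MEDIA HIDE ONCE] C:\Documents and Settings\All Users\Application Data\CREATIVEIDLEMODEMEDIA\Hope Build.exe
O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKCU\..\Run: [Ubua] "C:\WINDOWS\ICROSO~1\wuauclt.exe" -vt yazb
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
"""

# HijackThis abbreviates autorun keys as HKLM\..\Run; expand them to the full paths reg.exe
# needs. These expansions match the reg delete commands and Avenger script in this thread.
RUN_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion",
}
WINLOGON_NOTIFY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"  # standard BHO location (assumption, not from the thread)

@dataclass
class Entry:
    kind: str           # HijackThis section: R0, R1, O2, O4, O20
    name: str           # value name, BHO name or Winlogon Notify subkey
    path: str           # file path or URL the entry points at
    reg_key: str        # full registry key behind the entry
    file_missing: bool  # HijackThis reported the target as "(file missing)"

# The value name in O4 lines may itself contain "]" (see the ÿ_zsk... entry above), so the
# name group is greedy and the closing bracket is the LAST "] " on the line.
_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*)\] (.*)$")
_O2 = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
_R = re.compile(r"^(R[01]) - (HK\w+)\\(.*),([^=]+) = (.*)$")
_EXT = r"\.(?:exe|dll|com|scr|bat|cmd)"

def command_path(command: str) -> str:
    """Pull the executable path out of an O4 command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        # Unquoted paths may contain spaces, so stop at the first known extension that is
        # followed by whitespace or end of line, not at the first space.
        m = re.match(r"(.*?" + _EXT + r")(?:\s|$)", command, re.IGNORECASE)
        path = m.group(1) if m else command.split(" ", 1)[0]
    # HijackThis prints root-level files as C:\\name.exe; collapse the doubled backslash.
    return re.sub(r"\\{2,}", r"\\", path)

def _split_missing(path: str) -> tuple[str, bool]:
    missing = path.endswith("(file missing)")
    return path.replace("(file missing)", "").strip(), missing

def parse_hjt(text: str) -> list[Entry]:
    """Parse the R0/R1, O2, O4 and O20 lines of a HijackThis log; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O4.match(line):
            hive, key, name, command = m.groups()
            entries.append(Entry("O4", name, command_path(command), f"{RUN_KEYS[hive]}\\{key}", False))
        elif m := _O2.match(line):
            name, clsid, path = m.groups()
            path, missing = _split_missing(path)
            entries.append(Entry("O2", name, path, f"{BHO_KEY}\\{clsid}", missing))
        elif m := _O20.match(line):
            name, path = m.groups()
            path, missing = _split_missing(path)
            entries.append(Entry("O20", name, path, f"{WINLOGON_NOTIFY}\\{name}", missing))
        elif m := _R.match(line):
            kind, hive, key, value, data = m.groups()
            entries.append(Entry(kind, value.strip(), data.strip(), f"{hive}\\{key}", False))
    return entries

def hijacked_local_pages(entries: list[Entry]) -> list[Entry]:
    """R0/R1 entries whose 'URL' is really a local file, like the c:\\secure32.html start page here."""
    return [e for e in entries if e.kind in ("R0", "R1") and re.match(r"^[a-z]:\\", e.path, re.I)]

def files_to_delete(entries: list[Entry]) -> list[str]:
    """Unique file paths behind O2/O4/O20 entries, in log order: the shape of a KillBox or
    Avenger 'Files to delete:' list. (file missing) entries are kept, as the helper did."""
    seen, out = set(), []
    for e in entries:
        if e.kind in ("O2", "O4", "O20") and e.path.lower() not in seen:
            seen.add(e.path.lower())
            out.append(e.path)
    return out

def reg_delete_commands(entries: list[Entry]) -> list[str]:
    """reg.exe commands for the registry side: an O4 entry is a value under a Run key, an
    O20 entry is a whole Notify subkey. Names are quoted because some contain spaces."""
    cmds = []
    for e in entries:
        if e.kind == "O4":
            cmds.append(f'reg delete {e.reg_key} /f /v "{e.name}"')
        elif e.kind == "O20":
            cmds.append(f'reg delete "{e.reg_key}" /f')
    return cmds
```

Run it with `parse_hjt(SAMPLE_LOG)` and then `files_to_delete(...)` and `reg_delete_commands(...)` on the result. Two details worth noticing: the O4 value name `ÿ_zskgcmlkaxyazgnoje]niwmdksz_` contains a `]`, so a parser that stops at the first closing bracket gets the wrong name and the wrong `reg delete /v` argument; and value names such as "MODE MEDIA HIDE ONCE" contain spaces, so the generated commands quote the name, which the commands posted above could omit because the names they target have none.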
 
Joined
Jul 8, 2002
Messages
14,681
Avenger says the file is gone so try fixing these in HijackThis again:

O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKCU\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe

If they still come back after that, go to C:\Windows\system32 and see if there is a file called c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
 

wee-us

Thread Starter
Joined
Jul 11, 2006
Messages
12
Here is the HijackThis log, but the files are still there. I went to C:\Windows\system32 and there was no file by that name. I noticed that HijackThis gave the option of adding files to an "ignore list". I didn't know if that was an option.
 

Attachments

Joined
Jul 8, 2002
Messages
14,681
You could add them to the ignore list to hide the entries, I'm still looking into a way to remove them permanently.

Are you having any other problems with your computer?
 