
Spyware Sheriff Blues

Discussion in 'Virus & Other Malware Removal' started by wee-us, Jul 11, 2006.

Thread Status:
Not open for further replies.
  1. wee-us

    wee-us Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    12
    Hello,

    I had some problems with Spyware Quake a couple of days ago, and I thought that I got it cleared up, but I was obviously fooling myself. Now it is back as "Spyware Sheriff" - pardner (well at least I still can laugh about it). I have read some of the threads and did a hijack which I will send with this. Any help is greatly appreciated.

    Wee-us
     

    Attached Files:

  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Please save or print these instructions before beginning

    Extract SmitfraudFix to your Desktop

    Start your computer in Safe Mode

    From the SmitfraudFix folder on your Desktop, run smitfraudfix.cmd
    Select Option #2 - Clean by typing the number 2 then pressing Enter
    Type Y and press Enter when asked if you would like to clean the registry
    Type Y and press Enter if you are asked if you would like to replace wininet.dll

    Restart your computer and post the contents of the SmitfraudFix log that pops up
    If the log does not appear, you can find it at C:\rapport.txt

    Run HijackThis and click Do a system scan and save a log file
    Your HijackThis log will open in Notepad. Post the contents of the log here
     
  3. wee-us

    wee-us Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    12
    I ran SmitfraudFix, but it didn't ask about the registry or replacing wininet.dll. I don't think that I mentioned in the first post (and I don't know if it matters), but I am doing everything from safe mode. I can hardly do anything in Windows. So, here are the SmitfraudFix and the HijackThis logs. Once again, I appreciate all your help!

    Wee-us
     

    Attached Files:

  4. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Save KillBox to your Desktop

    Download and run VundoFix: http://www.atribune.org/ccount/click.php?id=4
    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt

    Run HijackThis and click Do a system scan only
    Put a checkmark next to each of the following entries that appear:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byxxwur.dll
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrde_5.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnme_5.exe
    O4 - HKLM\..\Run: [MODE MEDIA HIDE ONCE] C:\Documents and Settings\All Users\Application Data\CREATIVEIDLEMODEMEDIA\Hope Build.exe
    O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O4 - HKCU\..\Run: [Option gram] C:\DOCUME~1\JIM&BE~1\APPLIC~1\BIASTH~1\DvdTime.exe
    O4 - HKCU\..\Run: [Ubua] "C:\WINDOWS\ICROSO~1\wuauclt.exe" -vt yazb
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O20 - Winlogon Notify: byxxwur - C:\WINDOWS\SYSTEM32\byxxwur.dll
    O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
    O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - (no file)

    Click Fix Checked and exit HijackThis


    Run KillBox and select Delete on Reboot
    Copy this list of file locations to your clipboard:

    C:\WINDOWS\system32\byxxwur.dll
    C:\Program Files\ToolBar888\MyToolBar.dll
    C:\Program Files\ToolBar888\
    C:\Program Files\Security Toolbar\
    C:\dfndre_5.exe
    C:\kybrde_5.exe
    C:\nwnme_5.exe
    C:\Documents and Settings\All Users\Application Data\CREATIVEIDLEMODEMEDIA\Hope Build.exe
    C:\Documents and Settings\All Users\Application Data\CREATIVEIDLEMODEMEDIA\
    c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    C:\DOCUME~1\JIM&BE~1\APPLIC~1\BIASTH~1\DvdTime.exe
    C:\DOCUME~1\JIM&BE~1\APPLIC~1\BIASTH~1\
    C:\WINDOWS\ICROSO~1\wuauclt.exe
    C:\WINDOWS\ICROSO~1\
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\winstall.exe
    C:\WINDOWS\SYSTEM32\senssrv.dll
    C:\WINDOWS\SYSTEM32\winrvc32.dll
    Go to File>>Paste from clipboard. Click All Files
    Press the button with a red circle with an X in it, then Yes when prompted to restart your computer
    WARNING: Your computer will be restarted. Any unsaved work in open applications will be lost.
    Run HijackThis and click Do a system scan and save a log file
    Your HijackThis log will open in Notepad. Post the contents of the log here
     
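The HijackThis entries quoted in this post follow a handful of fixed line shapes: R0/R1 lines are "key,value = setting", O4 lines are "hive\..\Run: [value name] command line", and O2/O3/O20/O21 lines are "kind: name - {clsid} - path" with an optional "(file missing)" or "(no file)" tail. The following Python script is an added example, not code from the thread, from HijackThis or from any of the tools named here. It parses those shapes and flags the patterns this thread turns on: entries whose file is already gone, a browser start or search page redirected to a local file, an autorun executable dropped in the root of C:\, a system binary name such as wuauclt.exe launched from a directory other than system32, and a Run value whose name contains non-ASCII or bracket characters. The sample log, the SYSTEM_BINARIES and SYSTEM_DIRS tables and the flag wording are my own constructions; the sample lines themselves are copies of the entries quoted in this post plus one benign ctfmon line and one ordinary start page.

```python
import ntpath
import re

# Constructed sample in HijackThis log format. All hostile entries are copied
# from the ones quoted in this thread; the example.com start page and the
# ctfmon line are benign controls so the triage has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndre_5.exe
O4 - HKCU\..\Run: [Ubua] "C:\WINDOWS\ICROSO~1\wuauclt.exe" -vt yazb
O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: byxxwur - C:\WINDOWS\SYSTEM32\byxxwur.dll
O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - (no file)
"""

# Assumed tables (my own, not from the page): binaries that only belong in the
# Windows system directory, and where that directory lives on XP-era installs.
SYSTEM_BINARIES = {"wuauclt.exe", "ctfmon.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")

# First executable-looking path at the start of an O4 command line, quoted or not.
EXT_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|cmd|bat|scr|com|pif))"?', re.IGNORECASE)


def parse_entry(line):
    """Split one HijackThis line into code, value name, target path and a 'missing' flag."""
    line = line.strip()
    m = re.match(r"^(?P<code>[RO]\d+) - (?P<body>.+)$", line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    missing = "(file missing)" in body or "(no file)" in body
    name = target = None
    if code in ("R0", "R1"):
        name, _, target = body.partition(" = ")
        target = target.strip()
    elif code == "O4":
        # Greedy name match so a ']' inside the value name (as in the thread's
        # entry) does not cut the name short; the command follows the last "] ".
        m4 = re.match(r"^(?P<key>.+?): \[(?P<name>.*)\] (?P<cmd>.+)$", body)
        if m4:
            name = m4.group("name")
            m5 = EXT_RE.match(m4.group("cmd"))
            # HijackThis prints a doubled backslash for files in the drive root.
            target = m5.group("path").replace("\\\\", "\\") if m5 else m4.group("cmd")
    else:  # O2/O3/O20/O21: "<kind>: <name> - [<clsid> -] <path> [(file missing)]"
        parts = body.split(" - ")
        name = parts[0].split(": ", 1)[-1]
        target = parts[-1].replace(" (file missing)", "").strip()
        if target == "(no file)":
            target = None
    return {"code": code, "name": name, "target": target, "missing": missing, "raw": line}


def triage_entry(e):
    """Return the list of heuristic flags an entry earns (empty list = nothing notable)."""
    flags = []
    t = (e["target"] or "").lower()
    if e["missing"]:
        flags.append("orphaned: entry points at a file that no longer exists")
    if e["code"] in ("R0", "R1") and re.match(r"^[a-z]:\\", t):
        flags.append("browser start/search page redirected to a local file")
    if e["code"] == "O4" and t:
        if re.match(r"^[a-z]:\\[^\\]+$", t):
            flags.append("autorun executable sitting in the drive root")
        base = ntpath.basename(t)
        if base in SYSTEM_BINARIES and ntpath.dirname(t) not in SYSTEM_DIRS:
            flags.append(f"system binary name {base} launched from a non-system directory")
        if e["name"] and (any(ord(c) > 126 for c in e["name"]) or "]" in e["name"]):
            flags.append("value name contains non-ASCII or bracket characters (removal tools may not match it)")
    return flags


def triage(log_text):
    """Map each flagged log line to its flags; unflagged lines are dropped."""
    out = {}
    for line in log_text.strip().splitlines():
        e = parse_entry(line)
        if e:
            flags = triage_entry(e)
            if flags:
                out[e["raw"]] = flags
    return out


if __name__ == "__main__":
    for raw, flags in triage(SAMPLE_LOG).items():
        print(raw)
        for f in flags:
            print("   ->", f)
```

The heuristics are deliberately narrow: they only mark the shapes this thread actually shows, so a clean Run entry such as ctfmon.exe in system32 comes back with no flags. Note that the O20 Winlogon Notify line is parsed but not flagged, because nothing about its shape alone distinguishes it from a legitimate notify package; that entry is one an analyst still has to judge by the DLL name and location.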
  5. wee-us

    wee-us Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    12
    I ran the VundoFix & Hijack This, and here are the logs. When I went to do a "system scan only" in Hijack I could not find this string "O20 - Winlogon Notify: byxxwur - C:\WINDOWS\SYSTEM32\byxxwur.dll", but I was able to run a fix on the others. Then I did Killbox and another Hijack. The computer is at least starting up easier.

    Wee-us
     

    Attached Files:

  6. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Save The Avenger to your Desktop

    Copy the contents of the following box to your clipboard:
    Run The Avenger and click OK
    Select Input script manually and click the magnifying glass icon
    In the View/edit script box, right-click and choose Paste
    Click Done. Press the button with a picture of a green light
    Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
    Post the contents of the file C:\Avenger.txt

    Run HijackThis and click Do a system scan only
    Put a checkmark next to each of the following entries that appear:

    O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O4 - HKCU\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll

    Click Fix Checked and exit HijackThis

    Post a new HijackThis log and we'll see if they're gone
     
  7. wee-us

    wee-us Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    12
    I got Avenger and Hijack done, and here are the logs. Once again, one of the scripts for the hijack fix was not in there: "O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll". I don't know how I could get through this without your help!
     

    Attached Files:

  8. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    One of the files still isn't going away, let's try this


    • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Double-click WinPFind.exe
    • Click " Configure Scan Options"
    • Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
    • Now Click "Start Scan"
    • It will scan the entire System, so please be patient!
    • Once the Scan is Complete
      • Go to the WinPFind folder
      • Locate WinPFind.txt
      • Place those results in the next post. It will be too big to post, so you will need to attach it to your reply

    Go here and download 'Startup List V2'.

    Save it to the desktop or other suitable place.

    Double-click it to start it and when it has finished scanning press File/Save As and save its report

    Post that report back here for us to analyse

    You will need to attach the file as it contains too much to post in the thread
     
  9. wee-us

    wee-us Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    12
    Here is the WinPFind, and I will send the Startup List next. Thanks!
     

    Attached Files:

  10. wee-us

    wee-us Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    12
    Here is the Startup List.
     

    Attached Files:

  11. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Save these instructions before beginning then boot into Safe Mode

    Copy the contents of this box to your clipboard:
    Go to Start>>Run>>Notepad and click Edit>>Paste
    Save the file to your Desktop as "fix.bat" including the "quotes".
    Find fix.bat on your Desktop and double-click it

    Copy the contents of the following box to your clipboard:
    Run The Avenger and click OK
    Select Input script manually and click the magnifying glass icon
    In the View/edit script box, right-click and choose Paste
    Click Done. Press the button with a picture of a green light
    Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
    Post the contents of the file C:\Avenger.txt

    Run HijackThis and click Do a system scan only
    Put a checkmark next to each of the following entries that appear:

    O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O4 - HKCU\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe

    Click Fix Checked and exit HijackThis

    Post a new HijackThis log and we'll see if they're gone
     
  12. wee-us

    wee-us Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    12
    Here are the logs, but I checked and the files were still there in Hijack. Got any more tricks up your sleeve?

    Wee-us
     

    Attached Files:

  13. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Avenger says the file is gone so try fixing these in HijackThis again:

    O4 - HKLM\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O4 - HKLM\..\RunServices: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
    O4 - HKCU\..\Run: [ÿ_zskgcmlkaxyazgnoje]niwmdksz_] c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe

    If they still come back after that, go to C:\Windows\system32 and see if there is a file called c:\windows\system32\_zskdmwin]ejongzayxaklmcg.exe
     
  14. wee-us

    wee-us Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    12
    Here is the Hijack log, but the files are still there. I went to C:\Windows\system32 and there was no file by that name. I noticed that Hijack gave the option of adding files to an "ignore list". I didn't know if that was an option.
     

    Attached Files:

  15. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    You could add them to the ignore list to hide the entries, I'm still looking into a way to remove them permanently.

    Are you having any other problems with your computer?
     
Short URL to this thread: https://techguy.org/482386
