bad side-effects after SpySheriff attack--ex. random shutting down

Discussion in 'Malware Help (A Specialist Will Reply)' started by Yakub, Aug 14, 2006.

  1. Yakub

    Yakub Private E-2

    My computer was recently the target of the SpySheriff fake spyware removal virus. While SpySheriff seems to be gone, some bad side-effects aren't. I've gone through everything in the "Read & Run me First..." and the SpySheriff removal threads. The bad side-effects include: Norton Antivirus starts out with auto-protect disabled; the computer turns off at random (and it's doing it more and more often); the internet at one time was not working, though now it is fine (I believe that this had something to do with the message I would get when restarting--End Program--XPCom: Event Receiver This Program is not responding. This error message no longer occurs, and the internet works, so it is possible this side-effect is fixed.)

    I have attached the Activescan.txt, bdscan, and Hijackthislog.txt.

    My computer is a Windows XP Home edition Service Pack 2. Pentium 4HT 2.6 MHz. 512 Mb RAM. 74 Gb of Harddrive. I have At&t High Speed DSL, a gateway with a firewall. I also got the Outpost Firewall after the SpySheriff. I have Norton Antivirus 2004, but am thinking of scrapping it for the AVG (that might solve one of those bad side-effects).
     

    Attached Files:

  2. Yakub

    Yakub Private E-2

    This is Yakub again. I was adding more info when the comp shut down again. So the Norton Antivirus found a few viruses back when this all started. It was the Backdoor.Tofger Virus--a Win32.Trojan. This was found in C:\pdhmuss.exe and C:\qhfdbobb.exe. Also the HijackThis found the O4-HKCU\Run:[SpySheriff] C:\Program Files\SpySheriff\Spysheriff.exe. I fixed it.

    Some more info on the side-effects. The computer shuts down even if the browser is not open. I use Mozilla Firefox too.

    Thanks for the help

    Yakub
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post the logs from GetRunKey and ShowNew.
     
  4. Yakub

    Yakub Private E-2

    I need help with the XPHomeFix; it didn't run, so I couldn't get the runkeys.txt file to be anything but blank. The newfiles.bat file ran fine.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please re-download ShowNew.zip. It was just updated to give us some additional info. Try running it again. It will still probably be mostly empty but it may give us a hint as to why.

    Using ShowNew
     
  6. Yakub

    Yakub Private E-2

    Here is the new newfiles.txt. I have also done a little experimenting with the problem. When the Outpost Firewall is set to stop all mode, the random shutting down has not happened. I'm not sure if this is a coincidence, but for now I think it's safe to assume that the internet has something to do with the random shutting down problem. Might it be possible that someone is shutting down my computer through the internet?

    Thanks,

    Yakub
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post the log from GetRunKey. Newfiles is still empty for the most part. Your HijackThis log shows you still have SpySheriff.

    Follow the directions for Running Spy Sweeper and Smitfraud, SpySheriff, SpyAxe & PSGuard Removal.

    In addition to your GetRunKey log post the session log from Spy Sweeper, smitfiles.txt and a fresh HijackThis log.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not being run properly. Notice the install folder for ShowNew is empty! Looks to me like the files are not being extracted from the ZIP file. That would mean directions are not being followed.
     
  9. Yakub

    Yakub Private E-2

    Sorry about the not following directions--just going too fast, not being too careful (unless when I'm in the System32 folder :) )

    So I redid the newfiles, and the getrunkey. The XPproFix worked this time. Before it wasn't unzipping to the correct folder.

    I couldn't download Spy Sweeper. The link doesn't bring me to the download page. You may need to go without a Spy Sweeper log

    I did the SmitFraud, Spy Sheriff, Spy Axe & PSGuard Removal.

    Interestingly, I got a message asking if I wanted to allow someone to see if I'm on the internet through Windows Messenger. I've never used Windows Messenger, though it does connect at startup (maybe I should just turn it off). And I've never gotten a message like this before. I'm just wondering if this has something to do with the person? turning off my computer.

    That should be it, Thanks
     

    Attached Files:

  10. Yakub

    Yakub Private E-2

    And here is the smitfiles.txt.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are strongly advised to do the following immediately:

    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
    Using Add or Remove Programs in the Control Panel, uninstall the following:
    You are using MsConfig to prevent several items from loading at Windows start. MsConfig is a diagnostic tool, and not intended to be used in the manner you are using it. Enable everything you used MsConfig to disable. If you are receiving error messages related to these items at system start, we can fix this without using MsConfig.

    Download
    - Pocket Killbox
    - ExplorerXP

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Using Search in the Start Menu search for ibm000?.*. Delete every file found.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  12. Yakub

    Yakub Private E-2

    Alright, I went through the steps you outlined. Here is a new HijackThisLog.

    Also, I did not get the PendingFileRenameOperations prompt, so that is good.
    If you have a little extra time I'd like to know a bit about how you figured there was a Key Logger, and how you figured out which files were bad in the HijackThisLog. I did read the HijackThis tutorial, so I was spending some extra time just looking. I didn't know the updwebmin was bad, but I thought the BHO no name no file was suspicious. I would like to get to know some more about my PC, maybe you can just start me off.

    Thanks,

    Yakub
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Task Manager Message Service or TSKMS (Whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Task Manager Message Service or TSKMS (Whichever you found above)

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
    This is the keylogger, ibm00001.exe; we see this particular logger quite often. Knowing which files are bad comes from experience. We look for files with seemingly random file names, files with names that are misspellings of legit MS files, or files spelled correctly but with a different file extension than that of the legit MS file, and files that are correct in all aspects but are in a different folder than where the legit file resides.
     
  14. Yakub

    Yakub Private E-2

    I finished the steps; here's how it went:

    • This went fine, it was called Task Manager Message Service.
    • Deleting the NT Service went well. It did actually delete it.
    • I couldn't find this line, so maybe the step above handled it.
    • The Pocket Killbox did not find C:\WINNT\taskms.exe
    • ExplorerXP could not find C:\WINNT\taskms.exe either. Maybe HijackThis or services.msc deleted it.
    • Once during this process the computer shut down again. I think it was towards the beginning. Is there a way to configure the firewall to stop this? I know that when Outpost Firewall is on Stop All Mode the computer does not shut off. Also, normally it shuts off when the browser - Mozilla Firefox - is up. It may have shut down when it's not been up, I can't be sure.

    I would like to know how to correctly stop programs from starting up. I'm not getting Errors, it just takes longer. For one program I was able to change the setting so that it doesn't startup, but not for another.
     

    Attached Files:

    Last edited: Aug 18, 2006
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There is a bit of redundancy built into the instructions. That's just to make sure that what we want to eliminate gets eliminated. Whenever an entry shows file missing, that isn't necessarily true, especially with the O23 entries. Hence the manual file deletion in the instructions. In your case it actually wasn't present.

    Startup programs can be controlled through the options menu item of the program, or by adding/deleting shortcuts in the Startup folder, under the "All Users" profile and the current user profile. Many programs have registry entries that cause them to load at Windows start. These would be shown in the Run Keys, the O4 lines in your HijackThis log.

    In the case of registry entries, we simply delete the registry entry responsible for loading the program when Windows starts.
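    The triage rules Shadow_Puter_Dude describes in posts 13 and 15 (random-looking names, misspellings of legit MS files, a legit name with the wrong extension or in the wrong folder, and O23 entries whose "file missing" must be checked on disk rather than trusted) can be turned into a first-pass filter over the O4 and O23 lines of a HijackThis log. The script below is an added example, not code from this thread or from MajorGeeks: the log lines are constructed in the same format as the entries discussed (they are not the attachments), the table of legitimate Microsoft files and their folders is a small assumed baseline, and the random-name rule (four or more digits, or four consonants in a row) is an assumed heuristic for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed HijackThis-style lines (not the thread's attachments).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svch0st.exe
O4 - HKCU\..\Run: [ibm] C:\WINDOWS\system32\ibm00001.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
O4 - HKLM\..\Run: [pdh] C:\pdhmuss.exe
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINNT\taskms.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
"""

# Assumed baseline: legitimate Microsoft file names and the folder each
# normally lives in on Windows XP. Extend it from a known-clean machine.
KNOWN_MS_FILES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: .+? \(\w+\) - .+? - (.+)$")
# First drive-letter path ending in an executable extension; stops before any arguments.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|com|scr|bat|pif)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character misspellings of legit names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Assumed heuristic: a long digit run (ibm00001) or four consonants in a row."""
    stem = stem.lower()
    if re.search(r"\d{4,}", stem):
        return True
    return re.search(r"[^aeiouy0-9]{4,}", stem) is not None


def check_path(path: str) -> List[str]:
    """Apply the name/extension/folder rules to one file path; return the reasons it stands out."""
    reasons: List[str] = []
    folder, _, name = path.lower().rpartition("\\")
    stem, _, _ext = name.rpartition(".")
    if name in KNOWN_MS_FILES:
        # Correct name, but is it in the folder where the legit file resides?
        if folder != KNOWN_MS_FILES[name]:
            reasons.append(f"{name} is a legit name but lives in {folder}, not {KNOWN_MS_FILES[name]}")
        return reasons
    for legit in KNOWN_MS_FILES:
        legit_stem = legit.rsplit(".", 1)[0]
        if stem == legit_stem:
            reasons.append(f"{name} uses the name of {legit} with a different extension")
            return reasons
        if edit_distance(stem, legit_stem) == 1:
            reasons.append(f"{name} looks like a misspelling of {legit}")
            return reasons
    if looks_random(stem):
        reasons.append(f"{name} has a random-looking file name")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O23 entries worth researching, each with the rule(s) that fired."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(m.group(1))
        if not pm:
            continue
        reasons = check_path(pm.group(0))
        if "(file missing)" in line:
            # Post 15: "file missing" is not necessarily true, especially for O23; verify on disk.
            reasons.append("reported as file missing; confirm on disk before trusting that")
        if reasons:
            findings.append(Finding(line, pm.group(0), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

    The output is a list for a human to research, as post 17 describes, not a verdict: SpySheriff's own O4 entry is not flagged because its file name is an ordinary word, so the filter narrows the log but never replaces reading it.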
     
  16. Yakub

    Yakub Private E-2

    Thank you very much for the help. I hope that this keylogger and anything else is gone.

    Unfortunately, the computer continues to shut down when Outpost firewall is not on stop all mode. Oh, and it did shut down when the browser was not up. Maybe this lingering problem could be fixed by configuring the firewall. Should I start a new thread?

    Some short questions I have are--how did you see what programs I had installed on my computer?
    Also, if you have the time, I would very much appreciate if you would do a quick check for bad stuff on my other computer. It is a Windows 98 first edition. 64mb Ram. Intel Celeron 333 mHz processor. I did what I could with the "Read & Run Before Asking..." Not everything could be done--Windows Defender. Also, the Bitdefender did not find anything, so I accidentally closed the window before saving the log. I hope that doesn't mean I have to go through the 3 and a half hour scan again, but if it does I will. It would be really helpful if you can show me how you figure out if there is anything bad on the comp. Could you run through the steps on how you look at the logs and find the malware? Thank you for your help. I really appreciate you doing this for me.

    Yakub
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are welcome.
    Yes, this type of question is better off in the Software Forum.
    From the GetRunKeys log. When you ran the batch file it dumped the contents of the Uninstall Registry Key.
    Boot to Safe Mode and delete these two files, then empty the Recycle Bin.
    There are several forms of malware that have well documented signatures, and are easily spotted by the experienced eye. Then there are the unclassified threats; these take time to research. I look for files that seem out of place and files that I don't recognize. Once I have pin-pointed those I do a simple Internet search on the file; if information exists on the file I read what is said and make a determination as to the threat. There are very few sites I trust when it comes to information.
     
  18. Yakub

    Yakub Private E-2

    Here is the HijackThislog.txt from my old computer; should I be saving it as .log or .txt?
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In Safe Mode delete the following files:
    C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
    C:\WINDOWS\temp\a5ba8cf.mst

    Empty the Recycle Bin

    Reboot.

    Everything else looks good.
     
    Last edited: Aug 19, 2006
