Connection trashed by malware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by JackobRamsey, Jan 28, 2006.

  1. JackobRamsey

    JackobRamsey Private E-2

    Hi all

    My little brother got the Spyware Sheriff infection on one of our PCs. My brother in law ran HijackThis and deleted what he thought were the faulty files. The SS infection seems to be gone, but when we opened the browser we got a message that said the URL cannot be reached. It was some page found in system32. He deleted what he thought was responsible but now we are just getting a "Page cannot be displayed". The LAN connection says it's working, and the repair operation completes right. Maybe it got busted by HijackThis? Help would be great.

    Thanks in advance
     
  2. JackobRamsey

    JackobRamsey Private E-2

    One more thing I have found. My IP address for this machine was originally set to Auto assign. It was 192.168.2.108, and the gateway was 192.168.2.1. Now it's changed to 169.254.171.58, and it hasn't worked since. I don't like the looks of that so I am cutting the connection till one of you fills me in.

    Just thought that might be of importance.
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com, please follow the steps below:

    - Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
  4. JackobRamsey

    JackobRamsey Private E-2

    Alright, that's all done. Still can't get to the internet, but the blue screen saying "PC is infected" that came up instead of IE is gone. Now it's just the page cannot be displayed message. The Spyware Sheriff seems to be gone, or at least crippled. Hopefully this won't come back with a restart. I will wait on you guys. Here is the HJT log file

    Two problems. I can't get to the internet, so I can't run Panda on that machine. Also, what type of file did you want from smite? I need to know where to get that txt file. Ty

    Let me know.
     

    Attached Files:

    • HJT.log (6.6 KB)
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are strongly advised to do the following immediately:

    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    You have HijackThis installed incorrectly. Download and run this script to move HijackThis to the proper folder. Move_HijackThis

    Your version of Windows is out of date. You should update the OS to SP2 and run Windows Update once the system is verified to be clean.

    I need the Smitfiles.txt from when you ran SmitRem.

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the newdotnet6_38.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move newdotnet6_38.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    (Note: If the file newdotnet6_38.dll is already in the remove section, then just click FINISH.)

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to cmdService ... right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HijackThis, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    cmdService

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Using the Search Function in the Start Menu, search for the following and delete every instance of the file:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now let's reset your web settings: How to Reset Web Settings

    REBOOT
    to Normal Mode.

    Follow the directions for Running WinPfind by OldTimer. Post the WinPfind.txt file.

    Post the Smitfiles.txt from when you ran SmitRem.

    Post a fresh HijackThis log.

    Can the computer connect to the Internet now?
     
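The two symptoms this thread turns on are a Windows adapter falling back to an APIPA address (169.254.x.x) because DHCP never completed, and a third-party Winsock Layered Service Provider (the newdotnet6_38.dll entry that LSP-Fix is asked to remove) sitting in the Winsock catalog. The PowerShell below is an added example written for this page, not a tool from the thread or from MajorGeeks: it parses the text output of `netsh winsock show catalog` into objects, flags provider DLLs that do not live under the Windows system directory, reports adapters that have an APIPA address, and shows the state of a named service such as cmdService. All function names, the folder in the sample entry and the all-zero provider GUID are constructed for illustration; the sample catalog text is embedded so the parser can be exercised without touching a live machine.

```powershell
# Added example (not from the thread): audit Winsock LSP entries, APIPA fallback
# and a named service. Function names and the sample text are constructed.

# Constructed sample in the format printed by 'netsh winsock show catalog'.
# The folder and the all-zero Provider ID of the second entry are placeholders.
$SampleCatalog = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        NewDotNet LSP (constructed sample entry)
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\ExampleVendorFolder\newdotnet6_38.dll
Catalog Entry ID:                   1015
Version:                            2
Protocol Chain Length:              2
'@

function ConvertFrom-WinsockCatalog {
    # Turn the 'Key:   value' blocks of netsh output into one object per provider.
    param([string[]]$Lines = @())
    $entries = @(); $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($cur) { $entries += [pscustomobject]$cur }
            $cur = @{}
        } elseif ($cur -and $line -match '^\s*([^:]+):\s+(.*)$') {
            $cur[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($cur) { $entries += [pscustomobject]$cur }
    return $entries
}

function Find-SuspiciousLsp {
    # Heuristic: a provider DLL outside %SystemRoot%\system32 deserves a look.
    # Legitimate Windows providers live there; a vendor folder is the pattern
    # LSP-Fix is used to clean up. This is a triage list, not a verdict.
    param([object[]]$Entries = @())
    $root = if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\WINDOWS' }  # default when parsing offline
    $Entries | Where-Object {
        $path = $_.'Provider Path' -ireplace '%SystemRoot%', $root
        $path -and ($path -notlike "$root\system32\*")
    } | Select-Object 'Entry Type', 'Description', 'Provider Path', 'Catalog Entry ID'
}

function Get-ApipaAdapters {
    # Adapters that have fallen back to Automatic Private IP Addressing:
    # DHCP enabled but no lease obtained, the symptom reported in post 2.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.IPAddress -match '^169\.254\.' } |
        Select-Object Description, DHCPEnabled, @{n='IPAddress'; e={ $_.IPAddress -join ',' }}
}

function Get-ServiceDetail {
    # State, start mode and binary path of a named service (e.g. cmdService).
    param([Parameter(Mandatory)][string]$Name)
    Get-WmiObject Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, State, StartMode, PathName
}

function Invoke-WinsockAudit {
    # -Live queries this machine; without it only the embedded sample is parsed.
    param([switch]$Live, [string]$ServiceName = 'cmdService')
    $text = if ($Live) { netsh winsock show catalog } else { $SampleCatalog -split "`r?`n" }
    $entries = ConvertFrom-WinsockCatalog -Lines $text
    [pscustomobject]@{
        ProviderCount  = $entries.Count
        SuspiciousLsps = @(Find-SuspiciousLsp -Entries $entries)
        ApipaAdapters  = if ($Live) { @(Get-ApipaAdapters) } else { @() }
        Service        = if ($Live) { Get-ServiceDetail -Name $ServiceName } else { $null }
    }
}

# Offline run against the sample: flags the newdotnet6_38.dll entry only.
Invoke-WinsockAudit | Format-List
```

Run `Invoke-WinsockAudit -Live` on the affected machine to inspect the real catalog, adapters and service. On Windows XP SP2 and later, `netsh winsock reset` rebuilds the catalog from scratch, which is the built-in equivalent of what LSP-Fix does for a broken chain; either way, re-check for an APIPA address afterwards, since a damaged Winsock chain is one reason a DHCP client never completes its lease.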
