entrails of spysheriff still squirming

i was infected by spysheriff yesterday, had no clue what it was, actually thought it was a good thing until i started getting suspicious. followed the instructions on this website, thank god for you guys, and got rid of it...i thought. but today i'm randomly getting popups that look like spysheriff, saying i'm infected and whatnot, and my symantic anti-virus has popped up 3 or 4 times warning me of trojans, which is usually never happened before. i think it actualy tried to install itself back, but i brought up the system processes, found a couple processes that i'd never seen before called like aa2 and aa3 etc, i ended those and the popup went away. i snooped around for a bit, found that winstall.exe was still in my c: drive, i deleted it right away. i'm a little paranoid now, could you guys check my hijack log for me, make sure i'm clean? thanks!

• Edit by bjgarrick: Unrequested, Inline HJT log removed!

 

Welcome to MajorGeeks.com!

Please follow forum guidelines and perform cleaning steps in the sticky thread before posting HijackThis logs.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

http://www.majorgeeks.com/images/grenade.gif Run ALL the steps in this Sticky thread SpySheriff (aka SpywareNo) Removal

• Make sure you check version numbers and get all updates.

http://www.majorgeeks.com/images/grenade.gif Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

http://www.majorgeeks.com/images/grenade.gifAfter doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

 

sorry about that.

not sure how to save as .log, hijack automatically saves it as .txt for me.

 

Click Start > Run > type services.msc and Click OK

Locate Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply

Download Pocket KillBox
(Don't run it yet)

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exfhp.dll/sp.html#10001%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\exfhp.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\exfhp.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exfhp.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\exfhp.dll/sp.html#10001%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exfhp.dll/sp.html#10001%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exfhp.dll/sp.html#10001%
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =


R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [crlj.exe] C:\WINDOWS\system32\crlj.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Run CCleaner to clean up cookies and temp files.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\crns.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\exfhp.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINDOWS\system32\crlj.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you computer has rebooted and windows has loaded procede with the below...

Now we need to Reset Web Settings & Default Security Settings:


To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

After you complete the above, reboot once more and attach a fresh HJT log.

 

thanks for the quick replies.

all is done. except the last parts, i dont use IE i use firefox, but i did the equivilent with firefox, is that ok?

here is the new log file

 

No, you need to do this for IE! Go back and do that for IE.

After you complete the above, please see the below thread on how to install and run Spy Sweeper.

Running Spy Sweeper...

 

done. spysweeper did catch a bunch of htings. hopefully thats the end of it?

 

Please see the below thread on how to install and run Ewido Security Suite.

Running Ewido Security Suite ...

 

hello again!
ran the ewido, i had to cut it short the first time because of time, ran it again later in full. unfortunately, stupid me, i was stupid and overwrote the first log with teh second log. the attached is the log for the second, full scan. as for the first, i remember it found 52 threats, most of which were cookies, 6-7 of them were actual spywares.

whats next?

 

Now please attach a fresh HJT log.

 

here it is

 

Scan with HijackThis and Check the Boxes for the following:

O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)

O11 - Options group: [JAVA_IBM] Java (IBM)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crns.exe (file missing)

Make sure All Browser Windows are Closed when you Click FIX.

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

After you complete the above, reboot and let me know how things are running.

 

after rebooting back to normal mode, a popup warning me that my firewall was turned off came up from windows security center, its never happened before.

but here's my hijacklog

 

Go into Control Panel and open up the Security Center and enable it and it should go away.

Your HJT log is clean, are you having any further problems?

 

so far my computer's performance has been excellent, thank you so much bjgarrick! you really saved me a lot of hassle. keep up the wonderful work!

 

Your Welcome!

You should see this article on How to Protect yourself from malware!

Surf Safely!