Spy Sheriff and Others?

Discussion in 'Malware Help (A Specialist Will Reply)' started by kip1981, Aug 9, 2005.

  1. kip1981

    kip1981 Private E-2

    Hello, last Spy Sheriff suddenly arrived on my laptop and made my day!

    Also: I cannot download (the download dialogue box just disappears), so I have not downloaded Hijack This. I have had a friend send me CleanUp and Ewido over AIM. I could potentially have someone send me Hijack This too. I have used the most up to date version of SpyBot, which no longer finds any Spy Sheriff. Internet Explorer still starts at "about:blank", however. And I am not sure that Spy Sheriff is completely removed, or that its content is completely removed, even though it's been disabled.

    I am going to boot again in safe mode and run some online scans so I can post.

    Any help is very appreciated.
     
  2. kip1981

    kip1981 Private E-2

    Quick update: I disabled System Restore, and now in Safe Mode it is letting me download. There is no sign of Spy Sheriff. I have downloaded all of the tools you recommend here:

    http://forums.majorgeeks.com/showthread.php?t=35407

    And I am now running the online scans. After that I will close all programs and browsers and run the other scans. Thanks again.
     
  3. kip1981

    kip1981 Private E-2

    Here is the BitDefender report:

    BitDefender Online Scanner
    Scan report generated at: Tue, Aug 09, 2005 - 12:59:09

    Scan path: C:\;D:\;

    Statistics:

    Time 00:55:14
    Files 249019
    Folders 3159
    Boot Sectors 2
    Archives 1214
    Packed Files 20409


    Results:

    Identified Viruses 9
    Infected Files 12
    Suspect Files 0
    Warnings 0
    Disinfected 0
    Deleted Files 11


    Engines Info:

    Virus Definitions 199025
    Engine build AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins 13
    Archive plugins 39
    Unpack plugins 4
    E-mail plugins 6
    System plugins 1


    Scan Settings:

    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions:
    exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;
    wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;
    lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

    Exclude Extensions

    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes


    Scanned File Status:

    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 Detected with: Adware.Wheaterbug.A

    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 Disinfection failed

    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 Deleted

    C:\Program Files\AIM\Sysfiles\WxBug.EXE Update failed

    C:\WINDOWS\system32\cz.dll Infected with: Backdoor.Haxdoor.CN

    C:\WINDOWS\system32\cz.dll Disinfection failed

    C:\WINDOWS\system32\cz.dll Deleted

    C:\WINDOWS\system32\gbajlfbf.exe Infected with: BehavesLike:Win32.SiteHijack

    C:\WINDOWS\system32\gbajlfbf.exe Disinfection failed

    C:\WINDOWS\system32\gbajlfbf.exe Deleted

    C:\WINDOWS\system32\hz.sys Infected with: Backdoor.Haxdoor.AF

    C:\WINDOWS\system32\hz.sys Deleted

    C:\WINDOWS\system32\msnethlp32.dll Infected with: Trojan.Proxy.Mitglieder.DQ

    C:\WINDOWS\system32\msnethlp32.dll Disinfection failed

    C:\WINDOWS\system32\msnethlp32.dll Delete failed

    C:\WINDOWS\system32\msnethlp32.exe Infected with: Dropped:Trojan.Proxy.Mitglieder.DQ

    C:\WINDOWS\system32\msnethlp32.exe Disinfection failed

    C:\WINDOWS\system32\msnethlp32.exe Deleted

    C:\WINDOWS\system32\vdmt16.sys Infected with: Backdoor.Haxdoor.AF

    C:\WINDOWS\system32\vdmt16.sys Deleted

    C:\WINDOWS\system32\winlow.sys Infected with: Backdoor.Haxdoor.CG

    C:\WINDOWS\system32\winlow.sys Disinfection failed

    C:\WINDOWS\system32\winlow.sys Deleted

    C:\WINDOWS\system32\wz.sys Infected with: Backdoor.Haxdoor.CG

    C:\WINDOWS\system32\wz.sys Disinfection failed

    C:\WINDOWS\system32\wz.sys Deleted

    C:\WINDOWS\tool3.exe Infected with: Dropped:Trojan.Proxy.Mitglieder.DQ

    C:\WINDOWS\tool3.exe Disinfection failed

    C:\WINDOWS\tool3.exe Deleted

    C:\WINDOWS\wmplayer1.exe Infected with: BehavesLike:Win32.ExplorerHijack

    C:\WINDOWS\wmplayer1.exe Disinfection failed

    C:\WINDOWS\wmplayer1.exe Deleted

    C:\winld32.dll Infected with: Trojan.Downloader.Small.ANU

    C:\winld32.dll Disinfection failed

    C:\winld32.dll Deleted
     
    Last edited by a moderator: Aug 9, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post any logs inline.

    Have you seen the steps in the sticky thread for SpySheriff: SpySheriff (aka SpywareNo) Removal

    Have you finished running all of the READ ME FIRST sticky?
     
  5. kip1981

    kip1981 Private E-2

    I have not tried the steps in the Spy Sheriff guide yet (they look pretty complicated), I'm trying the steps in the Basic Guide first. Sorry, I won't post any more logs. If you or anyone needs to see them, just let me know.

    On the Basic Guide, I have:

    1. Turned off System Restore (this let me download again in Safe mode)
    2. Run the rad and bitdefender scans (I have the logs).
    3. The rad and bitdefenders scans (or something else, while they were scanning) did something so that now my computer will not run .exe's directly. Nor will it let me right click and use "open" or "run" for the .exe's. The only way I am able to post this is to open an .htm file in IE, and then use IE normally.
    4. Because of the above problem, I cannot run the McAfee install.

    At this point I don't know what to do. I am seriously considering buying some memory, backing up my files, and reformatting. I am also considering taking the computer to a shop, where professionals might be able to fix it.

    Any advice is very appreciated, especially how do I get XP to run .exe's again (this wasn't a problem after the spyware, just after the online scans.)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto the following site: http://www.dougknox.com/xp/file_assoc.htm

    And see the line that reads:

    EXE File Association Fix (Restore default association for EXE files)

    You probably need to install this registry patch.

    What OS are you running? You may need to get to a command prompt window to merge the above patch into your registry. We will see! Can you get Windows Explorer to run by right clicking Start and select Explore?

    Do you have HijackThis on this PC and can you get it to run?
     
  7. kip1981

    kip1981 Private E-2

    The .exe fix worked just fine (should I just assume that everything is ok with that now? or is there some more testing I should do?).

    Now that the .exe was fixed, I ran McAfee, SpyBot, Ad-aware (plus the plug-in), and also the about:buster, cwshredder, hsremove, and kill2me. The latter few may not have been necessary b/c I haven't heard anything about HS or kill2me. My browser does originally point to about:buster but...

    SpyBot found SpySheriff again, so it had not completely wiped it (the fact that it had removed the further, and last listed, SpySheriff parts after a reboot suggested that it had wiped out SpySheriff, but I was too optimistic). It also continues to find three other things, I am guessing that SpySheriff (or whatever causes it) keeps reinstalling them.

    When I try to fix SpySheriff in SpyBot, I get the following error:

    "The Application or DLL C:\WINDOWS\system32\klogini.dll is not a valid Windows image. Please check this against your installation diskette."

    After this error, the fixing continues, and finally SpyBot tells me I have only fixed some of the SpySheriff stuff. The following are fixed:

    Settings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16

    Data
    C:\WINDOWS\system32\p2.ini

    and (after listing non-fixed things)

    Settings
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\drct16

    The following could not be fixed however:

    Executable:
    C:\WINDOWS\system32\mszx23.exe

    Library
    C:\WINDOWS\system32\drct16.dll

    Settings
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16

    ALSO, I got this error report during HSRemove (the program had gotten to the last step, and stopped after this error):

    I/O error 33

    FINALLY, I get this random error popping up, every 15 minutes or so.

    16 bit MS-DOS Subsystem
    ______________________
    C:\Documents and Settings\Kip\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    The NTVDM has encountered an illegal instruction.
    CS:0dbc IP:01d1 OP:63 68 65 2f 31 Choose 'Close' to terminate the application
    [Close] [Ignore]

    I am going to try the SpySheriff removal suggestions now, and hopefully they can eliminate all of these problems. Any advice is, again, very much appreciated.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of the problems you are mentioning are not SpySheriff. They are Haxdoor or Horse Server problems.

    Please download: HSFix.zip

    Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like C:\HSFix).

    Now please boot to Safe Mode and DoubleClick hsfix.bat to run the tool.

    Allow it as long as it takes to run, then Reboot to Normal Windows and look for a log at C:\hslog.txt . Please attach that log when you come back.



    Also, if you have completed all the steps of the READ ME FIRST, follow the steps below exactly:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your HJT log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).



     
  9. kip1981

    kip1981 Private E-2

    OK I ran both in safe mode (I'm using XP btw) and I'm attaching the logs. XP seems to bluescreen/shutdown every 15 minutes or so.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you get a HijackThis log from normal boot mode?
     
  11. kip1981

    kip1981 Private E-2

    Here you go.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\windows\system32\mdms.exe
    C:\WINDOWS\tool2.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
    O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/131befd877e9c33bfd01/netzip/RdxIE601.cab
    O20 - Winlogon Notify: NTvsx - NTvsx.dll (file missing)
    O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
    O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\hlmadcmk.dll (file missing)
    O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Gqaogjaf.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\appwiz.dll
    C:\WINDOWS\SYSTEM32\tcpG4T.dll
    C:\WINDOWS\System32\hlmadcmk.dll
    C:\WINDOWS\System32\Gqaogjaf.dll
    C:\windows\system32\mdms.exe
    C:\WINDOWS\tool2.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.


    Run the HSFix program again now and post the log later.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log and the HSfix log. And tell us how things are working.
     
  13. kip1981

    kip1981 Private E-2

    I could not find C:\windows\system32\mdms.exe on the list.

    Here is the list of processes running in normal mode (I'm back in safe mode now):

    Process list saved on 6:39:15 PM, on 8/9/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)

    [pid] [full path to filename] [file version] [company name]
    1116 C:\WINDOWS\System32\smss.exe 5.1.2600.1106 Microsoft Corporation
    1288 C:\WINDOWS\system32\winlogon.exe 5.1.2600.1557 Microsoft Corporation
    1344 C:\WINDOWS\system32\services.exe 5.1.2600.0 Microsoft Corporation
    1356 C:\WINDOWS\system32\lsass.exe 5.1.2600.1106 Microsoft Corporation
    1544 C:\WINDOWS\System32\ibmpmsvc.exe
    1612 C:\WINDOWS\System32\Ati2evxx.exe 6.14.10.4083
    1648 C:\WINDOWS\system32\svchost.exe 5.1.2600.0 Microsoft Corporation
    1984 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
    888 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.0 Microsoft Corporation
    1496 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4083
    1720 C:\WINDOWS\Explorer.EXE 6.0.2800.1106 Microsoft Corporation
    1820 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe 7.5.17.6 Synaptics, Inc.
    1828 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 7.5.17.6 Synaptics, Inc.
    1840 C:\WINDOWS\System32\rundll32.exe 5.1.2600.0 Microsoft Corporation
    1872 C:\WINDOWS\System32\TpShocks.exe 1.0.0.1 IBM Corp.
    1892 C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    144 C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe 1.0.0.0 IBM Corp.
    228 C:\WINDOWS\AGRSMMSG.exe 2.1.31.0 Agere Systems
    292 C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE 6.14.10.5043 ATI Technologies, Inc.
    304 C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    312 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe 1.0.0.1 IBM Corporation
    376 C:\Program Files\IBM\Messages By IBM\ibmmessages.exe 1.1.0.3 IBM
    408 C:\WINDOWS\system32\dla\tfswctrl.exe 1.4.7.0 Sonic Solutions
    436 C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE 2.7.2.0 IBM Corp.
    456 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe 2.0.0.42 Viewpoint Corporation
    464 C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe 1.0.25.0 Google Inc.
    496 C:\Program Files\ewido\security suite\ewidoctrl.exe 3.0.0.1 ewido networks
    504 C:\WINDOWS\tool2.exe
    540 C:\Program Files\iPodder\iPodder.exe 1.0.0.0
    1176 C:\WINDOWS\System32\QCONSVC.EXE 2.7.2.0 IBM Corp.
    1168 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
    1812 C:\WINDOWS\system32\TpKmpSVC.exe
    3364 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 11.0.5604.0 Microsoft Corporation
    1072 C:\WINDOWS\System32\wuauclt.exe 5.4.3790.2182 Microsoft Corporation
    1160 C:\Program Files\HJT\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may only find it on the process list in normal boot mode which is what the HijackThis log I had you post was from. Just complete all the steps.
     
  15. kip1981

    kip1981 Private E-2

    Just to be clear: the list I posted was from normal mode. So, would you like me to skip that step and complete the others? Or would you like me to do something else? Again, your help is greatly appreciated.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do not see mdms.exe in the process list just ignore that item and continue with all other steps. I assume the O4 line is still in the HJT log (if not ignore that too and continue).
     
  17. kip1981

    kip1981 Private E-2

    OK I followed all of those steps.

    mdms.exe *was* there after I rebooted in normal mode again, so I killed it. I think tool2.exe was there too, so I killed it.

    I used HJT to fix all of the elements/processes you listed.

    I could not delete all of these files:
    C:\WINDOWS\system32\appwiz.dll CPL
    C:\WINDOWS\SYSTEM32\tcpG4T.dll NO
    C:\WINDOWS\System32\hlmadcmk.dll NONE
    C:\WINDOWS\System32\Gqaogjaf.dll YES
    C:\windows\system32\mdms.exe YES
    C:\WINDOWS\tool2.exe YES

    I could not find the .dll of appwiz. There was a .cpl (or something similar) which I did delete. TcpG4T would not let me delete. It was not read only. I did not know which, if any, process to kill so I could delete it. Mdms would not let me delete it at first, but I killed it in HJT. Whenever I killed it, it would always seem to come back. But by killing it and then deleting it soon afterwards, I got it to delete. I also deleted Tool2.exe.

    hsfix seemed to work, and my browser was not pointed to blank when I got back to safe mode. I did a HJT log in normal. Both logs are attached.

    Spy Sheriff and allergies/flu on the same day. :(
     

  18. kip1981

    kip1981 Private E-2

    Also, it would help me if I could know about how long I should wait before expecting a reply, and what time tonight you guys stop replying, and what time you start (if any). This would just help me avoid checking every five minutes or so.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never know! We are here when we can be here. We do this for free in our spare time. So that's when we are here.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Never delete anything but what we ask you to delete. Always ask first if you see something that is suspect. appwiz.cpl is needed. It is part of your OS for Control Panel. You are going to need to get this back into the folder from either your XP CD or from an i386 folder that may exist on your PC.

    Do you see the below files:
    C:\WINDOWS\system32\drct16.dll
    C:\WINDOWS\system32\mszx23.exe

    The C:\WINDOWS\SYSTEM32\tcpG4T.dll file is part of the Haxdoor Trojan, so some files are still on your PC and are loaded and keep this from being deleted. Try running HSfix again in safe mode and then immediately afterwards try deleting C:\WINDOWS\SYSTEM32\tcpG4T.dll

    If you cannot delete the file try renaming it to tcpG4T.ddd

    Then reboot and post a new log. You have other SpySheriff files that are starting to show now (c:\winstall.exe). You need to run the SpySheriff sticky I gave you in message number 4. You can start the procedure at step number 4.

    Also note that the below is back so you did not get it:
    C:\windows\system32\mdms.exe
    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe

    Take a look for the below files too and let me know if you find them.
    C:\windows\system32\mcsmss.exe
    C:\windows\system32\winacpi.dll
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should also run this registry patch.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixtroj.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixtroj.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
     
  22. kip1981

    kip1981 Private E-2

    Sorry, I won't delete anything anymore unless it's exactly what you say. I don't have an XP disc lying around, is there anywhere I could download appwiz.cpl?

    I've already done all of the steps for removing Spy Sheriff, as you mentioned in post 4.

    I cannot delete the tcp file. I tried hsfix, but hsfix closes all open windows, so that after it runs, I have to find the tcp file again. Changing the file extension doesn't let me delete it.

    I can't believe it, but I actually have a horrible sinus infection the same day this happened. It all seems like too much. If I take this to a shop, like CompUSA, can they help me out? What are my other options?

     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said, look for an i386 folder on your hard disk (like c:\i386 or c:\windows\i386. It could be someplace else under c:\windows)

    Unless you did them just now, you need to do them again.

    I did not say to delete it. I said rename it if the original DLL filename could not be deleted.

    Just follow directions exactly and you will not need to go to CompUSA (which in most cases cannot properly fix many problems like this and they will charge $100 or more).

    Did you look for the other files I asked about? Did you add the patch to the registry?
     
  24. kip1981

    kip1981 Private E-2

    Sorry, I could not find either of those files (in safe mode).

    I'll follow the Spy Sheriff steps again.

    Again, I have a sinus infection, my left eye won't stop crying, and my head feels like it's in a vise, so I may be a little out of it/slow, but I'm trying as best I can. Also, I don't mind dropping 100$ to get my computer fixed once every four years or so. I'm certainly going to download Windows Updates and switch to Firefox from now on.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Work at whatever pace you can work at but avoid unnecessary reboots. Is it still necessary for you to be working in safe mode? I would prefer that you only do exactly what I request and nothing else.

    Did you complete the steps in message # 21?
     
  26. kip1981

    kip1981 Private E-2

    I did the post 21 steps (reg patch).

    I am going to go back to normal mode now, since you seem to prefer that (I thought working in safe mode might prevent/resist re-infection). I haven't redone the Spy Sheriff steps yet. I can't tell you how much I hate that malware.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! After doing the SpySheriff sticky in normal boot mode (except where indicated otherwise) post the HijackThis log as requested in step 9 (from normal boot mode and stay in normal boot mode).
     
  28. kip1981

    kip1981 Private E-2

    Here is the HJT log.

    There seems to be progress, I don't see the sights/sounds of Spy Sheriff anymore. But the address bar is still annoyingly shortened/different. And the most drastic thing I can notice is that the bookmarks have disappeared (I can see them in safe mode).

    UPDATE: I can't get into the select-file dialogue box to attach the HJT log. I press the attach button, but nothing happens. So I am pasting (I guess this is the lesser evil between this and rebooting in safe mode).

    Inline log attached!
     

    Last edited by a moderator: Aug 10, 2005
  29. kip1981

    kip1981 Private E-2

    I'm going to watch Heathers and go to sleep.

    I'll be back tomorrow. Thx for all of the help and patience.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the SpySheriff file seems to be gone but you still have problems (one came back).

    Please download Pocket KillBox and extract it to its own folder somewhere.
    Do not run it yet, we will use it later.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\windows\system32\mdms.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
    O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll

    After clicking Fix, exit HJT.

    Please run Pocket Killbox. Select the option to Replace on Reboot.
    Now, Copy and Paste C:\WINDOWS\system32\appwiz.dll into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO!

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\tcpG4T.dll into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO!

    Now, Copy and Paste c:\windows\system32\mdms.exe into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes!
    Okay so now your PC should reboot. If you get an error message about Pending Operations, just reboot your PC yourself.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
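The HijackThis review steps in posts 12 and 30 (kill the listed processes, then fix the R0/R1 about:blank entries, the nameless BHO, the O4 Run items sitting directly in the Windows directory, and the O20 Winlogon Notify / O21 SSODL entries) follow a pattern a defender can script. Below is an added example, not code from the thread, from HijackThis or from MajorGeeks: a small Python triage helper that reads HijackThis-style log lines and flags those same categories, so the suspicious lines can be pulled out of a long log before a human decides what to do with them. The sample lines are the ones chaslang listed above plus two constructed benign entries; the clean-baseline DLL and autorun sets are assumptions for illustration, not an authoritative list.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: the lines chaslang told kip1981 to fix, plus two constructed
# benign entries (Synaptics touchpad autorun, crypt32 Winlogon Notify) so the
# rules have something they should NOT flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O20 - Winlogon Notify: NTvsx - NTvsx.dll (file missing)
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\hlmadcmk.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Gqaogjaf.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumed clean baseline (illustrative only): Winlogon Notify / SSODL DLLs and
# Windows-directory autoruns that a clean XP install is expected to carry.
# Real triage compares against a known-clean image of the same build.
BASELINE_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll", "sclgntfy.dll",
    "senslogn.dll", "termsrv.dll", "wlnotify.dll", "stobject.dll", "webcheck.dll",
}
BASELINE_WINDIR_AUTORUNS = {"ctfmon.exe"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys)\b", re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (.+?)(?: \(file missing\))?$")
O21_RE = re.compile(r"^O21 - SSODL: .+? - \{[^}]+\} - (.+?)(?: \(file missing\))?$")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single HJT line deserves a look."""
    reasons: List[str] = []
    if line.startswith(("R0", "R1")) and line.rstrip().endswith("= about:blank"):
        reasons.append("IE start/default page hijacked to about:blank")
    if "(file missing)" in line:
        reasons.append("entry points at a file that no longer exists (orphaned or half-removed component)")
    if line.startswith("O2") and "(no name)" in line:
        reasons.append("Browser Helper Object with no name")
    if line.startswith("O4"):
        m = PATH_RE.search(line)
        if m and _dirname(m.group()) in WINDOWS_DIRS \
                and _basename(m.group()) not in BASELINE_WINDIR_AUTORUNS:
            reasons.append("autorun launches an executable dropped directly into the Windows directory")
    for rx, label in ((O20_RE, "Winlogon Notify"), (O21_RE, "ShellServiceObjectDelayLoad")):
        m = rx.match(line)
        if m and _basename(m.group(1)) not in BASELINE_NOTIFY_DLLS:
            reasons.append(f"{label} DLL not in the assumed clean baseline "
                           "(loads at logon; a common backdoor/rootkit hook)")
    return reasons


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line and keep the ones with findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample above the helper flags the nine lines chaslang listed and leaves the two benign entries alone. It only narrows the list; as chaslang's "never delete anything but what we ask you to delete" makes clear, every flagged line still needs a human decision, and a baseline built from a known-clean image of the same Windows build is what turns the assumed sets here into something trustworthy.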
  31. kip1981

    kip1981 Private E-2

    OK, sorry for not replying. My ISP cut my service because they noticed virus activity.

    While it was down: I bought a 120$ external hard drive and copied my essential files. It turns out that my IBM ThinkPad has a neat auto-reformat feature (the factory software is kept on a partition of the hard drive), so that I can reformat my hard drive and reload all of the original software just by running the IBM software before Windows loads and clicking my mouse. So I saved my old files, reformatted, and now Spy Sheriff is gone. Everything seems to be working ok so far. I'm having my dad priority mail me Microsoft Office.

    I also turned on auto-update for Microsoft Updates, downloaded 30+ security related updates, and switched browsers to Firefox.

    I am curious, though: How does one get Spy Sheriff? The ISP thought it was email. But I did not open any suspicious advertisements. I had thought that Spy Sheriff, like so much else, exploited IE vulnerabilities. Am I wrong? Perhaps it exploited a vulnerability in AIM (which I always use?). I would like to know. Anyway, thx for the help.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have no idea where everyone is getting SpySheriff problems from but normally it seems to come with other baggage. Which comes first is the question.

    Since you formatted, you should check out the below:

    How to Protect yourself from malware!
     
