SpySheriff cleaned but problems remain

Discussion in 'Malware Help (A Specialist Will Reply)' started by rjtraveler, Dec 30, 2005.

  1. rjtraveler

    rjtraveler Private E-2

    I sent this information as an email to Jim@majorgeeks.com before I received access to the thread posting, so Jim, please disregard.

    My system was infected by SpySheriff and I experienced the desktop and browser hijacking and popups that I have seen described on related posts. I followed the READ & RUN ME FIRST steps. SpySheriff appears to be gone (Thank You). The various scans also cleaned the likes of ibm00001.exe and Kill2me. Popups and browser windows, while much less frequent, continue. Since running BitDefender, I have gotten several Symantec Realtime Protection Scan notices. I am including samples of the popups and browser hijacks as well as the Symantec notifications below. I am also including the BitDefender log, Panda log and HJT log.

    My system is a Gateway P4 200GHz 256 MB Ram. Operating system is XP Home Edition version 2002 Service Pack 2.

    Thank you in advance for any additional help you can provide.

    Regards, Ron
     


    Last edited by a moderator: Dec 30, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download L2MeFix Tool and save it where you will be able to find it.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log. Save this log. You will need to post this log back here later when you come back.
    Next DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.

    Now open your browser and come back here and post the above two logs as attachments to your message. Also indicate your current status.


    NOTE: Please do not run any other options or files in the l2mfix Folder!
     
  3. rjtraveler

    rjtraveler Private E-2

    Downloaded and ran the L2MeFix Tool. Attached are the resulting log files.

    Thanks
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. rjtraveler

    rjtraveler Private E-2

    Downloaded and ran Ewido as instructed. I have attached the resulting scan as well as an updated HJT scan.

    Also, I have been scanning some of the related posts on the site and recognize that I share some common symptoms/problems that I didn't specifically mention before, such as oinadserver and Qoologic. (Just in case you are not seeing these in the scan results)

    One additional note, when I rebooted in normal mode I got the Rundll error message:

    Error loading OwsoOxOs.dll
    The specified module could not be found

    Thanks for your help and Happy New Year!!!

    Ron
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we start the fix, please download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  7. rjtraveler

    rjtraveler Private E-2

    Here are the WinPfind results....

    Thanks again, Ron
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Viewpoint

    sder

    Ewido

    Microsoft AntiSpyware


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

    R3 - URLSearchHook: (no name) - {AE68FDFC-6A4E-13CB-3AC0-63F3CA4F36C6} - C:\WINNT\system32\laahgzs.dll

    F3 - REG:win.ini: load=

    O4 - HKLM\..\Run: [0wso0x0s.dll] RUNDLL32.EXE 0wso0x0s.dll,b 318631890
    O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
    O4 - HKCU\..\Run: [Ltho] "C:\Program Files\sder\dees.exe" -vt yazr
    O4 - HKCU\..\Run: [Onhfq] C:\WINNT\system32\r?gedit.exe

    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

    O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\mbjdbc10.dll (file missing)
    O20 - Winlogon Notify: Run - C:\WINNT\system32\gp26l3fs1.dll (file missing)
    O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\Yahoo!\YPSR\Quarantine ←–– Delete everything in this folder!

    C:\Program Files\sder ←–– Delete this whole folder if it exists!

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\WINNT\system32\r?gedit.exe ←–– With the viewing of hidden files and folders enabled, manually locate this file. It will be different because of the "?" which represents an unprintable character. Once you have located this file delete it!


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, please follow the below steps...

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Next, I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore
    • First, turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    I know this is a lot. After you complete this entire fix, reboot about 3 times, then attach a fresh HJT log with a fresh WinPFind log.

    Good Luck! :)
     
  9. rjtraveler

    rjtraveler Private E-2

    Thanks, it looks like I might need the luck :eek:

    Started your recommendations and just want to be sure I am doing the right thing with the instruction...

    C:\WINNT\system32\r?gedit.exe ←–– With the viewing of hidden files and folders enabled, manually locate this file. It will be different because of the "?" which represents an unprintable character. Once you have located this file delete it!

    The only file in the folder that I could find that is close to "C:\WINNT\system32\r?gedit.exe" is "C:\WINNT\system32\regedt32". Is this the file that needs to be deleted?

    Thanks, Ron
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, the file you are looking for will most likely be at the bottom of the list. It will not look like the others due to the unprintable character. Be sure you have the viewing of hidden files and folders enabled and the viewing of system files unchecked.
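As an added defensive example, not code from this thread or from the HijackThis project: a small Python triage script that applies the checks bjgarrick is doing by eye in posts 8 and 10 to HijackThis-style log lines: a non-printable character hidden in a path (the r?gedit.exe lookalike), a file name one character off from a real system binary, rundll32 loading a DLL by bare name, an autorun executable sitting in the drive root, and a Winlogon Notify DLL that is missing on disk. The sample lines are constructed after the ones quoted above, and SYSTEM_BINARIES is an assumed baseline.

```python
import re

# Constructed sample modelled on the HijackThis lines quoted in this thread, not the
# poster's real log. "\x01" stands in for the unprintable character that HijackThis
# printed as "?" in r?gedit.exe; the SoundMan and crypt32chain lines are benign controls.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [0wso0x0s.dll] RUNDLL32.EXE 0wso0x0s.dll,b 318631890",
    r"O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe",
    "O4 - HKCU\\..\\Run: [Onhfq] C:\\WINNT\\system32\\r\x01gedit.exe",
    r"O4 - HKLM\..\Run: [SoundMan] C:\WINNT\SOUNDMAN.EXE",
    r"O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",
]
# Assumed baseline of names that lookalike files imitate; extend it from a clean image.
SYSTEM_BINARIES = {"regedit.exe", "svchost.exe", "explorer.exe", "lsass.exe"}

O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (.+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+([^\\\s]+\.dll)", re.IGNORECASE)
ROOT_EXE_RE = re.compile(r"^[a-z]:\\+[^\\]+\.exe$", re.IGNORECASE)

def _basename(cmd):
    """Lower-cased file name of the first path token of a command line (quoted or not)."""
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return re.split(r"[\\/]", path)[-1].lower()

def _one_substitution_from(name, known):
    """True when name equals a known binary name except for exactly one character."""
    return len(name) == len(known) and sum(a != b for a, b in zip(name, known)) == 1

def triage(line):
    """Return the reasons (possibly none) why a HijackThis line deserves a closer look."""
    reasons = []
    if any(not c.isprintable() or ord(c) > 0x7E for c in line):
        reasons.append("non-printable or non-ASCII character in entry")
    if m := O4_RE.match(line):
        cmd = m.group(1)
        if RUNDLL_RE.match(cmd):
            reasons.append("rundll32 loads a DLL by bare name (resolved via search path)")
        if ROOT_EXE_RE.match(cmd):
            reasons.append("autorun executable sits in the drive root")
        name = _basename(cmd)
        for known in SYSTEM_BINARIES:
            if _one_substitution_from(name, known):
                reasons.append(f"file name is one character off from {known}")
    elif m := O20_RE.match(line):
        if m.group(1).endswith("(file missing)"):
            reasons.append("Winlogon Notify DLL referenced but missing on disk")
    return reasons
```

Run `triage()` over each line of a saved HJT log and review only the lines that come back with reasons; the two control lines return an empty list.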
     
  11. rjtraveler

    rjtraveler Private E-2

    Whew that sure was something:p Well I made it through all the instructions!!! The only thing unexpected to report was when I ran Spybot it could not fix two found items...

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Other than that I have attached the updated HJT and WinPFind logs.

    Thanks so much...your instructions were very clear and easy to follow!!!!
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Click Start > Run > type services.msc and Click OK

    Locate cmdService and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply


    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    cmdService

    You may be told to reboot at this point. Reboot and let me know how things are running.
     
  13. rjtraveler

    rjtraveler Private E-2

    I could not find cmdService in the Service Properties Window. I exported the list of services and attached for your review. I tried running the HJT instructions anyway but got the message...

    The service 'cmdService' is enabled and/or running. Disable it first, using HijackThis itself...

    I stopped there to await your further instructions!!!

    Thanks again, Ron
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Manually navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Right click on cmdService and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "cmdService" and delete it. If you get any errors let me know!

    Now do the same for the key below:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Right click on cmdService and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "cmdService" and delete it.

    After you complete this, reboot and see if Spybot still detects these entries.
     
  15. rjtraveler

    rjtraveler Private E-2

    Looks like we got it licked!!!:D The Spybot scan was clean and I ran Adaware for good measure and it ran clean also!!!:) You're good man, scary good!!! Thank you sooo much for all your help. I have read your "How to Protect yourself from malware!" post and will follow any recommendations I hadn't been doing. (Just have to get the rest of the family in line too!!!). So I hope to not have to bother you again...no promises though;) .

    Thanks Again, Ron
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    Surf Safely!:)
     
