SpySheriff Removal help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by erykh, Nov 8, 2005.

  1. erykh

    erykh Private E-2

    Hello guys,

    I unfortunately got the Spy Sheriff virus in my computer, or so I think as I found a file called winstall.exe on my c:/ drive. Also my desktop displayed a virus alert along with a constant message on the bottom right part of my monitor warning me that my computer is infected and inviting me to click on it so windows can get rid of it. I haven´t done so cause I distrust of those messages. Also, my explorer always opens on c://secure.32.html as default.

    I have followed all the steps in the SpySheriff Removal sticky and so far, only the desktop image disapeared. The winstall file keeps reapearing along with another file called log.txt which I´m unable to delete.

    Hope you guys can help me get rid of this annoying spyware!!!
     

    Attached Files:

    erykh, Nov 8, 2005
    #1
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Shadow_Puter_Dude, Nov 8, 2005
    #2
  3. erykh

    erykh Private E-2

    Hello Shadow_Puter_Dude,

    I have already followed all the steps indicated in SpySheriff (aka SpywareNo) Removal and so far I have only got rid of the desktop image. I keep getting messages that my system is infected. I´m unable to delete a file C:log.txt and c:winstall.exe keeps reapearing after erasing it. During the process with the different removal tools at least 8 malign files were found and deleted. I´ve done the steps once again and this time no files were detected though the winstall file is still there and so as the message. Here is my hijackthislog:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\Archivos de programa\Alias\Maya6.0\docs\Wrapper.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    c:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\DRIVERS\WtSrv.exe
    C:\Archivos de programa\Alias\Maya6.0\docs\jre\bin\java.exe
    C:\windows\system\hpsysdrv.exe
    C:\Archivos de programa\USB Storage RW\shwicon.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Archivos de programa\VERITAS Software\Update Manager\sgtray.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\paytime.exe
    C:\WINDOWS\System32\WService.EXE
    C:\windows\system32\mdms.exe
    C:\WINDOWS\tool2.exe
    C:\WINDOWS\System32\rtf32.exe
    C:\WINDOWS\System32\paytime.exe
    C:\winstall.exe
    C:\WINDOWS\tool2.exe
    c:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Archivos de programa\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Archivos de programa\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Archivos de programa\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Archivos de programa\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "c:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [WService] WService.EXE
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
    O4 - HKLM\..\Run: [rtf32.exe] rtf32.exe
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - G:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~4\Office10\EXCEL.EXE/3000
    O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} (HLiveRobotWeb Control) - https://update3.globalhauri.com/Custom/LiveSuite/BANAMEX/web/HLiveRobotWeb.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Archivos de programa\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Archivos de programa\Alias\Maya6.0\docs/Wrapper.conf (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - c:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
    O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

    Thanks in advance
     
    erykh, Nov 9, 2005
    #3
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You did not do the READ ME FIRST.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    Follow the instructions in teh below thread in addition to the above:
    Running Ewido Security Suite

    After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
    Shadow_Puter_Dude, Nov 9, 2005
    #4

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds