Hijacked


Ken

Hi, new to this forum but desperately looking for help. I have an XP
Professional laptop that has been hijacked in a number of ways. The
desktop shows the 'Your System is Infected' message and looks to be
connected to 'Spy Sheriff', supposed antispyware but probably isn't. The
browser is hijacked to 'about:blank' and, worse still, the Add/Remove
Programs box in the control panel is showing up about 5 programs when
there's tons more there really.

Things I have tried:
Adware Away
Spybot
McAfee VirusScan 7.1 with Antispyware module (updated also)
CW Shredder
Editing registry - Run keys...

Nothing is working and I'm trying so hard not to have to wipe this and
rebuild as it's a Director's laptop.
Please help!

Ken

Frank Saunders, MS-MVP OE

Ken said:
Hi, new to this forum but desperately looking for help. I have an XP
Professional laptop that has been hijacked in a number of ways. The
desktop shows the 'Your System is Infected' message and looks to be
connected to 'Spy Sheriff', supposed antispyware but probably isn't.
The browser is hijacked to 'about:blank' and, worse still, the
Add/Remove Programs box in the control panel is showing up about 5
programs when there's tons more there really.

Things I have tried:
Adware Away
Spybot
McAfee VirusScan 7.1 with Antispyware module (updated also)
CW Shredder
Editing registry - Run keys...

Nothing is working and I'm trying so hard not to have to wipe this and
rebuild as it's a Director's laptop.
Please help!

Ken

What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx

CAUTION!!!!! Removing some spyware can damage the Winsock stack. Before
you try to remove spyware using any of these programs, download a copy of
LSP-Fix, a free program to repair damaged Winsock 2 stacks (all Windows
versions), so that the program will be available after removing the spyware.
http://www.cexx.org/lspfix.htm
Winsockfix for W95, W98, ME, NT, 2000, XP
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257
WinXP:
Get WinSockxpFix
http://www.spychecker.com/program/winsockxpfix.html
How to Reset Internet Protocol (TCP/IP) in Windows XP
http://support.microsoft.com/kb/299357
In WinXP SP2: You can fix Winsock by going to Start | Run and typing
CMD
In the command window type
netsh winsock reset

See
Dealing with Unwanted Malware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Note that AdAware and SpyBot S & D will each catch some things the other
won't. Also, each needs to be updated with the program's update function
before every use, even when just downloaded. There's also a lot more to do
than just those two programs. CWShredder is also available here:
http://www.intermute.com/products/cwshredder
**Post your HijackThis log to
http://forums.spywareinfo.com/
http://forums.tomcoyote.org/
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/ or the Spyware forum at
http://aumha.net/viewforum.php?f=30 for expert analysis, not here.**
Alternative download pages for Ad-Aware, Spybot, HijackThis and CWShredder
may be found on this page:
http://aumha.org/a/parasite.htm.

See this link for information about malware:
http://arstechnica.com/articles/paedia/malware.ars

If nothing there helps, please post back to this thread.

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/

AnonPoster

Ken said:
Hi, new to this forum but desperately looking for help. I have an XP
Professional laptop that has been hijacked in a number of ways. The
desktop shows the 'Your System is Infected' message and looks to be
connected to 'Spy Sheriff', supposed antispyware but probably isn't. The
browser is hijacked to 'about:blank' and, worse still, the Add/Remove
Programs box in the control panel is showing up about 5 programs when
there's tons more there really.

Things I have tried:
Adware Away
Spybot
McAfee VirusScan 7.1 with Antispyware module (updated also)
CW Shredder
Editing registry - Run keys...

Nothing is working and I'm trying so hard not to have to wipe this and
rebuild as it's a Director's laptop.
Please help!

Ken
Turn off system restore to delete restore points.
Don't forget to turn it back on when you're done.
Delete temporary internet files and internet history.

Re-run the anti-malware you've already run. Then . . .

Try Adaware SE:
http://www.lavasoftusa.com/software/adaware/

Try a-squared free:
http://www.emsisoft.com/en/software/download/?


Go here and download Hijack This:
http://www.majorgeeks.com/download3155.html

Go here to read and to post your log and get help:
http://forums.majorgeeks.com/showthread.php?t=38752

Good luck!

David H. Lipman

From: "Ken" <[email protected]>

| Hi, new to this forum but desperately looking for help. I have an XP
| Professional laptop that has been hijacked in a number of ways. The
| desktop shows the 'Your System is Infected' message and looks to be
| connected to 'Spy Sheriff', supposed antispyware but probably isn't. The
| browser is hijacked to 'about:blank' and, worse still, the Add/Remove
| Programs box in the control panel is showing up about 5 programs when
| there's tons more there really.
|
| Things I have tried:
| Adware Away
| Spybot
| McAfee VirusScan 7.1 with Antispyware module (updated also)
| CW Shredder
| Editing registry - Run keys...
|
| Nothing is working and I'm trying so hard not to have to wipe this and
| rebuild as it's a Director's laptop.
| Please help!
|
| Ken

The *best* place for a post like this is alt.privacy.spyware.

To start with, SpySheriff is a rogue anti-spyware application and is listed on Spyware
Warrior:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

The following are the suggested software to use...

I think this may be a Browser Helper Object (BHO).
I suggest downloading, installing and updating BHODemon.

BHODemon
http://www.definitivesolutions.com/bhodemon.htm

You mentioned you have "Spybot". Make sure it is the following version.
If it isn't, remove the old version and install the new version.


Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

Malke

Ken said:
Hi, new to this forum but desperately looking for help. I have an XP
Professional laptop that has been hijacked in a number of ways. The
desktop shows the 'Your System is Infected' message and looks to be
connected to 'Spy Sheriff', supposed antispyware but probably isn't.
The browser is hijacked to 'about:blank' and, worse still, the
Add/Remove Programs box in the control panel is showing up about 5
programs when there's tons more there really.

Things I have tried:
Adware Away
Spybot
McAfee VirusScan 7.1 with Antispyware module (updated also)
CW Shredder
Editing registry - Run keys...

Nothing is working and I'm trying so hard not to have to wipe this and
rebuild as it's a Director's laptop.
Please help!

Run HijackThis and post your log to one of the following forums:
http://www.aumha.org/free.htm - to get HijackThis

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Make sure you read the posting FAQ on whatever forum you choose.

Malke

spywareking

You may want to print out or make a copy of these instructions before
starting, because you will not be able to connect to the internet during
most of this fix.

Please download smithrem.zip and save it to your desktop
http://www.pcbutts1.com/downloads/smithrem.zip
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security
Suite:
When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu"
http://www.pcbutts1.com/downloads/ewidosetup.exe .

From the main Ewido screen, click on update in the left menu, then click the
Start update button.
After the update finishes, the status bar at the bottom will display "Update
successful"
Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, download
http://www.pcbutts1.com/downloads/aawsepersonal.exe
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows
icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Now scan with HJT http://www.pcbutts1.com/downloads/HijackThis1.zip and
place a checkmark next to each of the following items if available:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http:://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http:://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page
=http:://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http:://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http:://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http:://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} -
C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security
iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper -
{D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper -
{D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)


Delete any other malware files not associated with the smitfraud variants
and SpySheriff.


Open the smithrem folder, then double click the RunThis.bat file to start
the tool. Follow the prompts on screen. Your desktop and icons will
disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a
while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite
Click on Scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one. If
ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
When the scan is finished, click the Save report button at the bottom of the
screen.
Save the report to your desktop
Close Ewido

Next go to Start -> Control Panel, click Display -> Desktop -> Customize
Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run Panda's online virus scan and perform a full system scan
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm .
Make sure the Autoclean box is checked!

Finally, restart your computer once more, and please post a new HijackThis
log as well as the log from the Ewido scan and the log from the smitRem
tool, which will be located at C:\smitfiles.txt.
Let me know if any problems persist.
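As an added example (not something any poster in this thread wrote), here is a read-only PowerShell audit of the same registry locations the R0/R1 and O4 lines in the log above point at: it flags Internet Explorer search/start-page values that do not resolve to an expected host, and Run-key autostarts shaped like the ones in the log. The trusted-host list and the autostart heuristics are this example's own assumptions, and PowerShell is assumed to be installed (it is not on XP by default).

```powershell
# Added example: audit the IE values (R0/R1 lines) and Run keys (O4 lines) the
# HijackThis log lists. Read-only: it reports, it changes nothing.
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieSearch = 'HKCU:\Software\Microsoft\Internet Explorer\Search'
$checks = @(
    @{ Path = $ieMain;   Name = 'Start Page' },
    @{ Path = $ieMain;   Name = 'Default_Page_URL' },
    @{ Path = $ieMain;   Name = 'Default_Search_URL' },
    @{ Path = $ieMain;   Name = 'Search Bar' },
    @{ Path = $ieMain;   Name = 'Search Page' },
    @{ Path = $ieMain;   Name = 'Local Page' },
    @{ Path = $ieSearch; Name = 'SearchAssistant' },
    @{ Path = $ieSearch; Name = 'CustomizeSearch' }
)
# Hosts the stock IE values may legitimately point at (assumed list, extend as needed).
$trustedHosts = @('microsoft.com', 'msn.com', 'live.com', 'bing.com')

foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if (-not $v) { continue }
    $ok = $false
    if ($v -match '^https?://([^/]+)') {
        $h  = $Matches[1]
        $ok = [bool]($trustedHosts | Where-Object { $h -eq $_ -or $h.EndsWith(".$_") })
    } elseif ($v -like 'about:*' -or $v -like '%*') {
        $ok = $true      # about:blank, or a local file such as %SystemRoot%\system32\blank.htm
    }
    if (-not $ok) { "SUSPECT IE value: $($c.Path)\$($c.Name) = $v" }
}

# O4 lines: the log shows loaders in the drive root (c:\wp.exe) and a .tmp in System32,
# so flag those shapes plus binaries without a valid Authenticode signature (heuristics).
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # provider metadata, not a Run entry
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # executable path: the quoted part, or the first token if unquoted
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $why = @()
        if ($exe -match '^[A-Za-z]:\\[^\\]+$') { $why += 'runs from the drive root' }
        if ($exe -match '\.tmp$')              { $why += '.tmp extension' }
        if ((Test-Path -LiteralPath $exe) -and (Get-AuthenticodeSignature $exe).Status -ne 'Valid') { $why += 'not validly signed' }
        if ($why.Count) { "SUSPECT autostart: $k\$($p.Name) = $cmd  [$($why -join '; ')]" }
    }
}
```

Running it before and after a clean-up gives a quick check that the hijacked values listed in the log are actually gone, independent of what any one removal tool reports.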

Guest

Best bet is to back up the data, wipe the drive and start over. My experience
with these sorts of issues over the past several years is that attempting to
run various utilities or removers is a crap shoot at best. In every instance
where I fixed something instead of doing a rebuild, I ended up being married
to the machine. Not saying that these "fixes" don't work. But I am saying
that you are never really certain you eliminated the problems if you opt to
fix vice rebuild. And I certainly don't advocate just rebuilding to cure
something. But I think that's your bottom line here.

Leythos

You may want to print out or make a copy of these instructions before
starting, because you will not be able to connect to the internet during
most of this fix.

Only download software you can validate as uncompromised - in the case
of non-vendor sites you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendor's site with a
direct download should not be trusted; the vendors' sites are the safest
place to download their application.

Always remember - only download files from Trusted Sites.

After you install any of these applications and update them, run them in
SAFE MODE to allow them to properly clean your system.

These sites are for downloading Anti-Spyware tools, in the order that I
would use them myself:

AdAwareSE can be found here:
http://www.lavasoft.de/support/download/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HijackThis can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendor's site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendor's site here:
http://www.stevengould.org/software/cleanup/download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software, in the order that I would
use them:

You can also download Symantec Trial version of their Antivirus software
from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors' sites, not some unknown or authorized no-
name site. They also don't artificially increase the hits for sites that
get paid for the amount of traffic they can generate, like one poster has
admitted to in this group.
According to PCBUTTS1:
The authors of the above programs, with the exception of Microsoft, have given
the owner of pcbutts1.com express written permission to redistribute their
software FROM HIS WEBSITE DIRECTLY.

Except he can't prove it and none of them validate his statement.
 