Spy Sheriff got me! Please help
   
Gromu
New Member


Date Joined Dec 2005
Total Posts : 2
 
Posted 12-16-2005 9:32 (GMT +1)
Hi, please help. I followed the following instructions, and now I'm posting my logs from HijackThis and Ewido. Please tell me what I need to do now to get control of my background again. The HijackThis log was created after the Ewido log.
 
Please download free Ewido.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
From the main Ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes, the status bar at the bottom will display "Update successful"
Exit Ewido. DO NOT run a scan yet.
 
Download Free Trial of Spysweeper
Install it, update definitions.
  
Download, install and run Cleanup
Check 'options' to customize your settings, and then make sure only the following are checked:
Cleanup all user profiles
Delete prefetch files
Empty the recycle bins.
Push CleanUp button
When Cleanup! is finished, it will ask you if want to log off and reboot. Answer NO.
 
Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
If you begin tapping the F8 key too soon, some computers display a "keyboard error" message.
To resolve this, restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
 
Run the mwav scanner:
Put a checkmark in:

Memory, Startup folders, drive, Registry, System folders and Services.
And:
All local drives and Scan all files
Push:  Scan  Button
This scan can take quite a while to run with many applications installed.
 
Run Spysweeper:
Click on "Options > Sweep Options" and check "Sweep all Folders on Selected drives". Check "Local Disc C".
Under "What to Sweep", check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click "Remove". Click "Select All" and then "Next".
 
Run full scan with Ewido
Click on scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.
  
Then reboot normally. Run this scanner: X-Clean
 
______________________________________________________________________________________________________________ 
 
 ewido security suite - Scan report
---------------------------------------------------------
 + Created on:   2:26:23 PM, 12/16/2005
 + Report-Checksum:  61F22A7
 + Scan result:
 C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
 C:\Documents and Settings\TEST\Cookies\test@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP2\A0000637.DLL -> Adware.Softomate : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP9\A0003377.dll -> Not-A-Virus.Downloader.Win32.Spax.a : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP12\A0005019.exe -> Downloader.Delf.og : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP12\A0005020.exe -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP12\A0005022.dll -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP12\A0005023.dll -> Spyware.SpywareNo : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP12\A0005025.dll -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP12\A0005030.exe.mwt -> Hijacker.Spywad.l : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP12\A0005033.exe.mwt -> Hijacker.Spywad.l : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP13\A0005071.exe -> Downloader.Delf.og : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP13\A0005072.exe -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP13\A0005074.dll -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP13\A0005075.dll -> Spyware.SpywareNo : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP13\A0005077.dll -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP13\A0005082.exe.mwt -> Hijacker.Spywad.l : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP13\A0005085.exe.mwt -> Hijacker.Spywad.l : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP14\A0005366.exe -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP14\A0005368.dll -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP14\A0005369.dll -> Spyware.SpywareNo : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP14\A0005371.dll -> Adware.SpySheriff : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP14\A0005451.exe.mwt -> Hijacker.Spywad.l : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP14\A0005452.exe.mwt -> Hijacker.Spywad.l : Cleaned with backup
 C:\System Volume Information\_restore{00BD212A-7894-460F-9357-1386ADD948C2}\RP14\A0005523.exe -> Downloader.Delf.og : Cleaned with backup
 C:\boot.inx -> Downloader.Delf.og : Cleaned with backup

::Report End
 
Logfile of HijackThis v1.99.1
Scan saved at 3:11:49 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\TEST\LOCALS~1\Temp\Rar$EX01.609\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120787723046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
 
 

babygr710
New Member


Date Joined Dec 2005
Total Posts : 5
 
Posted 12-17-2005 5:03 (GMT +1)
OK, first of all don't panic. All you've got to do is:
1. Download Xoftspy from www.download.com and scan your computer. It will need a serial if you want the stuff to be removed, so go to www.serials.ws and look for xoftspy (all versions).
2. The next thing you do is download tuneup utilities 2006 from www.download.com and scan your computer with tuneup registry cleaner and then tuneup registrydefrag (this one doesn't need a serial or anything, you have a 30 day trial).
I had the same problem and that's how I got rid of it!!!
smile 
 

Gromu
New Member


Date Joined Dec 2005
Total Posts : 2
 
Posted 12-17-2005 8:58 (GMT +1)
I would like to thank you very much for your help. IT WORKED! I now have total control of my background again. Have a Happy Holidays
 

wonger47
New Member


Date Joined Dec 2005
Total Posts : 1
 
Posted 12-29-2005 8:10 (GMT +1)
I have uninstalled this program and have gained control of my desktop...but I can not control my !!!! internet home page...it always goes to "C:\secure32.html" and then it's a blue screen advertising for spysheriff....plz help...thanks
 

gheck911
New Member


Date Joined Dec 2005
Total Posts : 1
 
Posted 12-30-2005 5:22 (GMT +1)
I had this chain of events happen to me a few days ago.  To regain control over your internet:
 
1.  Delete the file "C:\secure32.html"
2.  Go into your options and reset your home page as it will be set for the above file.
3.  Search your computer for all instances of "C:\secure32.html" and remove them.  I've also seen this happen but with the filename "C:\default32.html"
 
 
gheck911
The Annihilation Principle
Thursdays 8 - 10 PM EST FUD
 

Dinochick
New Member


Date Joined Jan 2006
Total Posts : 1
 
Posted 1-2-2006 6:17 (GMT +1)
I am having the same problem, but it does not want to let me download anything or have access to the net. Advice. Please help!!
 

jjsmdg
New Member


Date Joined Jan 2006
Total Posts : 1
 
Posted 1-11-2006 9:13 (GMT +1)
babygr710, I too have gotten gunned by the Spy Sheriff. Do I have to do everything that Gromu did or can I just go your way with Xoftspy?
 

guangong
New Member


Date Joined Dec 2006
Total Posts : 1
 
Posted 12-29-2006 4:46 (GMT +1)
I downloaded a keygen from www.seriall.com. After I tried to open the program, nothing happened and the file which I downloaded just disappeared. Later, when I tried using the internet (Internet Explorer 7), I was given an error message: "Cannot find file:///c:/secure32.html, make sure path or internet address is correct." When I tried using Mozilla Firefox, I couldn't access the internet either. I keep getting disconnected when using the internet (mine is broadband). I tried changing the homepage to other websites, but after I changed it, I still got the same error message. I went to Internet Options and checked; the homepage was set back to file://c:/secure32.html. My antivirus program (Norton AntiVirus 2007 trialware) detected adware.spysheriff and Backdoor.Rustock.B and adware.zangosearch. I tried following the steps shown in this forum to resolve the issue, but I can't find the files in my Windows registry at all. Can somebody help me?
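
The home-page hijack reported in the replies above (Internet Explorer's start page reset to C:\secure32.html or C:\default32.html) shows up in the R0/R1 lines of a HijackThis log. The following is an added example, not part of any post in this thread: a Python check that flags R-lines whose page setting points at a local file. The sample log is constructed (its first two lines follow the format of the log posted above), and the function names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# HijackThis "R" lines: "<code> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),(.+?) = (.*)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")
# File names users in this thread reported as the hijacked home page.
REPORTED_NAMES = {"secure32.html", "default32.html"}

# Constructed sample log: two clean lines, two hijacked lines, one unrelated O4 line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\default32.html
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

def parse_r_entries(log_text):
    """Return every R0-R3 line as a dict of code, key, value name and data."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, key, name, value = m.groups()
            entries.append({"code": code, "key": key,
                            "name": name, "value": value.strip()})
    return entries

def local_file_target(value):
    """Return the Windows path a page setting points at, or None for web URLs."""
    v = value.strip().strip('"')
    if v.lower().startswith("file:"):
        # file://c:/x and file:///c:/x both reduce to c:/x
        v = v[5:].lstrip("/\\")
    return PureWindowsPath(v) if DRIVE_PATH.match(v) else None

def find_hijacked_pages(log_text):
    """List (key, value name, path, reason) for page settings aimed at local files."""
    findings = []
    for e in parse_r_entries(log_text):
        path = local_file_target(e["value"])
        if path is None:
            continue
        if path.name.lower() in REPORTED_NAMES:
            reason = "file name reported in thread"
        else:
            reason = "page setting points at a local file"
        findings.append((e["key"], e["name"], str(path), reason))
    return findings

if __name__ == "__main__":
    for key, name, path, reason in find_hijacked_pages(SAMPLE_LOG):
        print(f"{key},{name} -> {path} ({reason})")
```

Run against the HijackThis log posted at the top of the thread, the check reports nothing, since both R-lines there point at web URLs.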