Spysheriff Turned Into...

[GrayeDog]

Hi everyone, my name is Adam, its my first post here...

Yesterday or the day before, I got Spy Sheriff. Nasty little thing. I searched around everywhere and found some fixes, ran RunThis.bat from smitRem (not sure it did anything, opened a prompt and closed immediately) and then ewido all in safe mode, and restarted and it was gone. That's the good news. Since then I've been working on getting rid of various bad things I have, most recently removing New.net. However, I'm still having some issues.

First, I'm having IE trouble -- normally I use Firefox so I don't know when this started, but usually when I open IE it works (I set home page to about:blank) but when I hit a new website, it crashes. I just restarted, however, and made it to google without a problem. Not sure what causes it to come up like that. Similarly, I'm having the "This window is busy. Closing it may cause problems. Would you like to close it anyway? [Y] / [N]" error, but only occasionally...with no rhyme or reason to it -- I used to get it when closing IE when it redirected me to c:\system32.html but I fixed that with HJT among others.

Next, I've got a few .exe's open that I've read are not good, so I'd like to get rid of them but I don't know how: namely, smss.exe (there's 2 copies of it open, and I know one is necessary for the system but I don't believe the other is), mxPMSPv.exe, and services.exe. All of these are trojans as far as I know, so, I don't like them.

Furthermore, and I don't know if anyone has ANY clue why, but I discovered there were more problems than I thought because a little app I use called iTunesLibraryUpdater just won't open, and for the life of me I can't figure out why. So that tipped me off -- if anyone knows anything about that, that'd be great.

Last, whenever I open My Documents\My Videos, (if the folder is in thumbnail mode), Windows Explorer crashes. if I don't close the crash window I can still surf in the folder, but it's very odd -- I've been looking at things with codecs and such (to no avail) to try and fix that.

NOTE: just now, checking to see if that error still ocurrued, it crashed, and now System Idle Process keeps spawning itself over and over again in my Task Manager!

I've run a HJT log to be posted below (before the Idle Processes started filling up -- ther'e's about 40 running right now).

Any help would be greatly appreciated as to why any of these things are happening.

Thanks!

Adam

Logfile of HijackThis v1.99.1

Scan saved at 5:24:18 AM, on 1/14/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\csrss.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe

C:\WINDOWS\CDProxyServ.exe

C:\windows\system32\cisvc.exe

C:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

c:\matlab6p5\bin\win32\matlab.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Network Monitor\netmon.exe

C:\windows\System32\nvsvc32.exe

C:\windows\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\windows\system32\CTHELPER.EXE

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\windows\smss.exe

C:\Program Files\AIM\aim.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\windows\System32\svchost.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\windows\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\windows\system32\cidaemon.exe

C:\windows\system32\cidaemon.exe

C:\Documents and Settings\Adam\My Documents\download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib6.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\windows\winlogon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O20 - Winlogon Notify: avpe32 - C:\windows\SYSTEM32\avpe32.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

[Dragon]

well you certainly have a mess there, lets get you cleaned up shall we.

Next, I've got a few .exe's open that I've read are not good, so I'd like to get rid of them but I don't know how: namely, smss.exe (there's 2 copies of it open, and I know one is necessary for the system but I don't believe the other is), mxPMSPv.exe, and services.exe. All of these are trojans as far as I know, so, I don't like them.

I believe you did a typo as you dont' have mxPMSPv.exe in your log, the file you might have meant to check out is a legit that would be MSPMSPv.exe

You may want to print these out for reference as you are doing the steps since you will lose interenet connectivity during the cleaning stages.

First I noticed you were running two (2) anti-virus programs, McAfee and Network Associates, please choose the one you would prefer to stay with and delete the other one. Having more then One Anti-Virus program can, and often will, lead to non-functioning Anti-virus protection. Most Anti-virus programs don't work well together. They will read each other files and try to quarantine them or delete them.

I noticed you have the DRM program from Sony, with this being the case you very well may have the DRM rootkit that was installed with the software.

please follow the directions on How To Remove The Sony DRM Rootkit

next you still have some remenants of the sherrif on your system, along with other nasties.

Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. Check the radio button next to Delete on Reboot. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking the button that has the red circle with a white X in it, after each one, don't reboot until you have finished putting them in:

C:\windows\smss.exe

C:\windows\system32\services.exe

C:\windows\winlogon.exe

C:\windows\SYSTEM32\avpe32.dll

Click 'Exit' when done.

Note: If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacoolsoftware.net/downloads/...ngfilesetup.exe. Then try TheKillbox again.

Reboot

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\windows\winlogon.exe

O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

O20 - Winlogon Notify: avpe32 - C:\windows\SYSTEM32\avpe32.dll

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\Program Files\EQTraffi

c:\program files\partypoker

Last but not least, please run a free online virus scan here (tick the "Auto Clean" checkbox):

http://housecall.antivirus.com/

And a free trojan scan here:

http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

[GrayeDog]

Dragon...not good...I think I accidentally killed instead of Delete after Reboot some of those files...after deleting smss.exe I realized the problem and now my computer won't load windows. I tried burning the c:\windows\smss.exe onto a CD from this computer (another in the house) so I could copy it in, but it won't even let me reload in safe mode (with or without command prompt). I do get options on restart to restart with last known configuration...so I imagine that's the only thing I can do, which is fine, I haven't done anything of consequence in the last few days, I've just been trying to fix this problem.

Is this what I should do? I'm losing my mind here.

Also, of less importance, I couldn't delete the DRM kit, it couldn't locate sc to run it and I tried downloading swsc.exe to run it and it failed.

I'm gonna give this about 10 minutes before I restart in last known good config even if I'm back at square-one virus-wise.

Thanks for your help though

[GrayeDog]

I'd also like to mention, just for my own sake, that I'm leaving without this computer for a few weeks and then leaving the country a few days later for 5 months, so I almost NEED to get this taken care off tonight, if it is possible.

Argh. Sorry. Thank you!

[Besttechie]

Being helped in chat....

B

[Matt]

Inactive topic...

If you still need help on this problem, contact me or one of the Moderators to re-open this up.

Topic closed.