Author Topic: Browser jacked...spysheriff won't stop  (Read 5018 times)

Vic

  • Guest
Browser jacked...spysheriff won't stop
« on: June 17, 2005, 09:59:14 AM »
Spysheriff's on my comp and can't get it off.  Ran spybot and adaware (updated both before running) and I still have clicksearch on my browser plus spysheriff.  Here's my logfile, I appreciate any help I can get!!

Logfile of HijackThis v1.99.1
Scan saved at 9:54:23 AM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\System32\Services\{2DA7A9ED-6806-46F2-B60E-00BD34B4E38F}\SVCHOST.EXE
C:\WINDOWS\System32\win32.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\devldr32.exe
C:\sys.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolk.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P32 "EPSON Stylus C42 Series (Copy 1)" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{58E1A6E3-7447-4C06-B2C6-BF61B1F27EAF}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{3BB40ACB-5209-4ED7-8F84-799E55BF954F}\SECURITY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://195.225.177.33//vx//targ.chm::/win32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/027360aaea8a53...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115078061453
O16 - DPF: {6D63C97A-4C9D-4B6E-AF86-E11E631AD4AA} (xLoan2List Control) - https://www.sharperlending.com/xLoan2ListProj.cab
O16 - DPF: {7EA90EB3-366D-4270-AB3B-05C4EE9CD966} (xLoan2 Control) - https://www.sharperlending.com/xLoan2Proj.cab
O21 - SSODL: System - {CC4BB2E7-BA35-4BFA-9D1D-6D7CC2C7D272} - vr_sys.dll (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
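A defender triaging a log like the one above usually looks for a few structural tells before touching anything: a binary sitting directly in the drive root, a GUID-named folder under System32\Services, a Browser Helper Object with no name, a DLL loaded by bare name through Rundll32, a DPF entry that pulls from an ms-its/.chm chain or a raw IP, and an SSODL entry whose file is already gone. As an added example (not part of the thread, of HijackThis, or of any tool the helper lists), the Python script below runs that kind of check over a subset of the posted log lines. The heuristics, the reason strings and the assumed list of default start-page domains are this example's own assumptions, not HijackThis rules.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Sample input: a subset of the HijackThis v1.99.1 log posted at the top of this
# thread, copied as it appears there (including the garbled "C: oo.mht" fragment).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\Services\{2DA7A9ED-6806-46F2-B60E-00BD34B4E38F}\SVCHOST.EXE
C:\WINDOWS\System32\win32.exe
C:\sys.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolk.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{58E1A6E3-7447-4C06-B2C6-BF61B1F27EAF}\SVCHOST.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://195.225.177.33//vx//targ.chm::/win32.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115078061453
O21 - SSODL: System - {CC4BB2E7-BA35-4BFA-9D1D-6D7CC2C7D272} - vr_sys.dll (file missing)
"""

# Triage heuristics. These are assumptions of this example, not rules from
# HijackThis or from the helper in the thread; each encodes a pattern that a
# reviewer would want a second look at.
ROOT_EXE = re.compile(r"(?<![\w:/])[A-Z]:\\[^\\\s]+\.(?:exe|dll)\b", re.I)  # file directly in a drive root
GUID_DIR = re.compile(r"\\System32\\Services\\\{[0-9A-F-]{36}\}\\", re.I)    # GUID-named folder under System32\Services
BARE_DLL_RUNDLL = re.compile(r"Rundll32\.exe\s+[^\\\s]+\.dll", re.I)        # DLL named without a path (search-path resolution)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")                  # download source is a bare IP address
CHM_CHAIN = re.compile(r"ms-its:|\.chm::", re.I)                              # ms-its / .chm protocol chain in a DPF entry
DEFAULT_START_PAGE_DOMAINS = ("microsoft.com", "msn.com")  # assumed IE defaults for an unmanaged home PC


def _is_default_start_page(url: str) -> bool:
    """True when the start page host is (a subdomain of) an assumed vendor default."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in DEFAULT_START_PAGE_DOMAINS)


def reasons_for(line: str) -> List[str]:
    """Return the reasons a single log line deserves review (empty list if none)."""
    reasons: List[str] = []
    if ROOT_EXE.search(line):
        reasons.append("executable or DLL stored directly in a drive root")
    if GUID_DIR.search(line):
        reasons.append("binary in a GUID-named folder under System32\\Services")
    if line.startswith("R0") and "Start Page" in line:
        url = line.split("=", 1)[1].strip()
        if not _is_default_start_page(url):
            reasons.append("IE start page points at a third-party site")
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("Browser Helper Object registered without a name")
    if line.startswith("O4") and BARE_DLL_RUNDLL.search(line):
        reasons.append("Run entry loads a DLL by bare name through Rundll32")
    if line.startswith("O16"):
        if CHM_CHAIN.search(line):
            reasons.append("DPF entry uses an ms-its/.chm protocol chain")
        if RAW_IP_URL.search(line):
            reasons.append("DPF entry downloads from a raw IP address")
    if line.startswith("O21") and "(file missing)" in line:
        reasons.append("SSODL entry whose DLL is missing (leftover persistence)")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Walk a HijackThis log and return the lines that trip a heuristic, with reasons."""
    hits: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = reasons_for(line)
        if reasons:
            hits.append({"line": line, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"])
        for reason in hit["reasons"]:
            print("    ->", reason)
```

Running the script prints each flagged line with its reasons. The rules are deliberately narrow, so known-good entries in the same log (ctfmon.exe, wuauclt.exe, the Adobe BHO, the InCD Run entry, the Windows Update DPF control) pass untouched, while the nine lines the helper later asks the poster to fix or delete are the ones that surface; a real triage would still verify each flagged file rather than act on the heuristic alone.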

Vic

  • Guest
Browser jacked...spysheriff won't stop
« Reply #1 on: June 18, 2005, 11:08:10 AM »
Bump

Offline Cretemonster

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
Browser jacked...spysheriff won't stop
« Reply #2 on: June 19, 2005, 07:13:12 AM »
Hi Vic and Welcome!!

I need you to send me 3 files please!

Make a folder on the Desktop called Files!

Make sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/forums/ind...torial=62#winxp

Locate these 3 Files please

C:\sys.exe

C:\WINDOWS\vr_sys.dll

C:\WINDOWS\System32\zolk.dll

Right Click each File and Select Copy>>Go to the New Folder on the Desktop and open it>>Place the pointer inside it and right click and Select Paste!

Once all three are in there>>Close the folder and then Right Click on it and Select Send to>>Compressed(Zipped)Folder!

Send that Zipped folder to [email protected]

Once I confirm I received it, please delete both folders we just created and empty the Recycle bin!

Download Pocket KillBox from here:
http://www.bleepingcomputer.com/files/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Download Ewido Security Suite, install, then from within the program check for updates BUT don't scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

If you have problems updating see here
http://www.ewido.net/en/download/updates/

Be sure Ad Aware is configured as shown in this link
http://www.bleepingcomputer.com/forums/ind...showtutorial=48

Download CleanUp! 4.0
http://downloads.stevengould.org/cleanup/CleanUp40.exe


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders; this must be done again after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingcomputer.com/forums/ind...torial=62#winxp

Right Click the Taskbar near the clock and Select Task Manager

Click Processes and any instances of RunDll32.exe>>Please Right Click or Highlight and Select "End Process"
Exit Task Manager

Remove these Files with Pocket Killbox


C:\sys.exe
C:\winstall.exe
C:\WINDOWS\vr_sys.dll
C:\Windows\Desktop.html
C:\WINDOWS\System32\Services
C:\WINDOWS\System32\zolk.dll
C:\WINDOWS\System32\win32.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\SpySheriff


From the Above list, Copy&Paste each entry into Killbox's "Full Path of File to Delete"

As each is pasted in,place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Click the Red Circle with the White X in the Middle to Delete!!

If any of the entries refuse to delete, keep track of the names; we will remove them before restarting!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolk.dll

O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{58E1A6E3-7447-4C06-B2C6-BF61B1F27EAF}\SVCHOST.EXE

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{3BB40ACB-5209-4ED7-8F84-799E55BF954F}\SECURITY.EXE

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://195.225.177.33//vx//targ.chm::/win32.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/027360aaea8a53...ip/RdxIE601.cab

O21 - SSODL: System - {CC4BB2E7-BA35-4BFA-9D1D-6D7CC2C7D272} - vr_sys.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Scan the System with Ewido>>If it detects an Infection>>Select "Clean" and place a check in the box to "Always use this Action"

Once the Scan is Complete>>Click the tab to Save the Report and place it on your Desktop for easy access!

Now Scan the System with Ad Aware and remove all it finds and delete the Quarantine Files!

Run CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "No" to Logoff!

If you have any entries that Killbox couldn't delete, please paste them into Killbox and place a tick by these selections

"Delete on Reboot"

If more than 1 file

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES. After the "merged successfully" prompt, please reboot your computer.

You should be able to change your desktop back to normal now.

Post back with the Reports from Ewido and Panda along with a fresh HijackThis log!

Once all that is Completed, Please Install one of these Free Antivirus Programs

AVG
http://www.grisoft.com/doc/1

Antivir
http://www.free-av.com/

avast! 4 Home Edition
http://www.avast.com/eng/avast_4_home.html

a-squared Free
http://www.emsisoft.com/en/software/free/

BitDefender Free Edition v7
http://www.bitdefender.com/bd/site/products.php?p_id=24

ClamAV
http://www.clamwin.com/
« Last Edit: June 19, 2005, 07:15:59 AM by Cretemonster »

Guest

  • Guest
Browser jacked...spysheriff won't stop
« Reply #3 on: June 29, 2005, 05:26:59 AM »
I just read your guide, and got all the components needed. One thing though. I can't seem to find sys.exe, vr_sys.dll and zolk.dll.

Help please. I am kind of stuck.
Thanks

Offline Cretemonster

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
Browser jacked...spysheriff won't stop
« Reply #4 on: June 29, 2005, 07:29:34 AM »
That's because those files are associated with a different Infection!

Create your own thread and post a HijackThis log in it and then let me know you posted

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Browser jacked...spysheriff won't stop
« Reply #5 on: July 24, 2005, 01:20:26 PM »
As the original poster has not responded, I'll lock this thread
All others please start your own topic
