Hijack problem

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Mine's a quick question. I ran Ad-Aware current version, my SBC Yahoo spyware
scan (actually quite an effective scan, usually...), Panda virus scan and SBC
Yahoo virus scan. My desktop has been jijacked and I'm unable to change the
pic back. When I go into Control Panel/Display/Desktop tab, it will not allow
me to do ANYTHING! Here's my quick question: I cannot quite remember what to
do with the updated Trend Micro Pattern File once it's been extracted from
the zip file? I know you drag it into a certain file, but I just don't recall
what to do with it and what file to put it into.
Thank you.
Tom
 
From: "Tom B." <[email protected]>

| Mine's a quick question. I ran Ad-Aware current version, my SBC Yahoo spyware
| scan (actually quite an effective scan, usually...), Panda virus scan and SBC
| Yahoo virus scan. My desktop has been jijacked and I'm unable to change the
| pic back. When I go into Control Panel/Display/Desktop tab, it will not allow
| me to do ANYTHING! Here's my quick question: I cannot quite remember what to
| do with the updated Trend Micro Pattern File once it's been extracted from
| the zip file? I know you drag it into a certain file, but I just don't recall
| what to do with it and what file to put it into.
| Thank you.
| Tom



Two part reply..

Perform Part 1 then perform Part 2.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp




Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
Mr. Lipman,
You rock. I followed your instructions to the letter, including deleting my
old Sun Java version and downloading the updated one. I ran the
c:\mcafee\clean.bat and it was surely the greatest scan I've ever used. I had
a self-repeating virus inside System32 and various other spyware, mostly in
the Yahoo Program File. After scan, I restarted and reinserted my desktop pic
and changed the style back to Windows XP in Appearance tab. Everything
appears to be fine now. Before I paste the results in here, could you please
tell me for future reference what I do with the updated Trend Micro Pattern
File once I extract it? I'm a little confused on that one point.
Thank you for all your great help. I'm going to refer back to this thread
always when needed. I'll also copy and paste it and save it for a backup.
Thanks again.
Tom B.
Also, how do I remove that virus from the Restore file?
Here's the mcafee\clean.bat scan results:

Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4665 created Jan 02 2006
Scanning for 168430 viruses, trojans and variants.


--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------




01/02/2006 21:19:36


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\My Downloads\backup-20041128-214700-612.dll ... Found potentially
unwanted program Adware-Beginto.dll.
The file or process has been deleted.
C:\Program Files\SideStep\SbCIe0261.dll ... Found potentially unwanted
program Adware-SideStep.
The file or process has been deleted.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp\heur000.dll ... Found
potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp\heur001.dll ... Found
potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp\heur002.dll ... Found
potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp\heur003.dll ... Found
potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp\IESecurity.dll ... Found
potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp\ProcMon.dll ... Found
potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp\Uninstall.exe ... Found
potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP134\A0027419.dll
.... Found potentially unwanted program Adware-Beginto.dll.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP141\A0027696.lnk
.... Found potentially unwanted program Adware-GAIN.lnk.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP141\A0027698.lnk
.... Found potentially unwanted program Adware-GAIN.lnk.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP141\A0027700.lnk
.... Found potentially unwanted program Adware-GAIN.lnk.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033202.exe
.... Found the Downloader-AFH trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033251.dll
.... Found potentially unwanted program Adware-Beginto.dll.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033252.dll
.... Found potentially unwanted program Adware-SideStep.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033253.dll
.... Found potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033254.dll
.... Found potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033255.dll
.... Found potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033256.dll
.... Found potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033257.dll
.... Found potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033258.dll
.... Found potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0033259.exe
.... Found potentially unwanted program Adware-SpySheriff.
The file or process has been deleted.
C:\WINDOWS\Downloaded Program Files\turbo.inf ... Found potentially unwanted
program Adware-abetterintrnt.inf.
The file or process has been deleted.
C:\WINDOWS\Downloaded Program Files\VbouncerOuter1123030505.exe ... Found
potentially unwanted program Virtual Bouncer.
The file or process has been deleted.
C:\WINDOWS\Downloaded Program Files\WinFormX.dll ... Found potentially
unwanted program Generic PUP.a.
The file or process has been deleted.
C:\WINDOWS\ExeDialer.exe\ExeDialer.exe ... Found potentially unwanted
program Dialer-RAS.bd.gen.
The file or process has been deleted.
C:\WINDOWS\hosts ... Found potentially unwanted program Redirected HOSTS.
The virus has been removed from the file.
Checking for another virus in the file ...
C:\WINDOWS\pss\Date Manager.lnkCommon Startup ... Found potentially unwanted
program Adware-GAIN.lnk.
The file or process has been deleted.
C:\WINDOWS\pss\GStartup.lnkCommon Startup ... Found potentially unwanted
program Adware-GAIN.lnk.
The file or process has been deleted.
C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup ... Found potentially
unwanted program Adware-GAIN.lnk.
The file or process has been deleted.
C:\WINDOWS\SYSTEM\Update_Hosts.DLL ... Found potentially unwanted program
IGetNet.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\40kd34fg.exe\40kd34fg.exe ... Found potentially unwanted
program Adware-NetPals.dr.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\Agent.dll ... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\cm1.dll ... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\CometTB.dll ... Found the Generic MultiDropper.f trojan
!!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\ctbv.dll ... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\ctbv2.dll ... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\dlh0st.dll ... Found potentially unwanted program
Adware-Netpals.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\Freeze.dll ... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\Iftvmk38wbr.dll ... Found the Generic MultiDropper.f
trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\msietn.dll ... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\NLNP13.dll ... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\NLNP131.dll ... Found the Generic MultiDropper.f trojan
!!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\nostalgia.dll ... Found the Generic MultiDropper.f
trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\nostalgia1.dll ... Found the Generic MultiDropper.f
trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\wb.dll ... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 279059
Clean: ................. 276889
Possibly Infected: ..... 14
Cleaned: ............... 1
Deleted: ............... 46
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 01:48.10
 
From: "Tom B." <[email protected]>

| Mr. Lipman,
| You rock. I followed your instructions to the letter, including deleting my
| old Sun Java version and downloading the updated one. I ran the
| c:\mcafee\clean.bat and it was surely the greatest scan I've ever used. I had
| a self-repeating virus inside System32 and various other spyware, mostly in
| the Yahoo Program File. After scan, I restarted and reinserted my desktop pic
| and changed the style back to Windows XP in Appearance tab. Everything
| appears to be fine now. Before I paste the results in here, could you please
| tell me for future reference what I do with the updated Trend Micro Pattern
| File once I extract it? I'm a little confused on that one point.
| Thank you for all your great help. I'm going to refer back to this thread
| always when needed. I'll also copy and paste it and save it for a backup.
| Thanks again.
| Tom B.
| Also, how do I remove that virus from the Restore file?
| Here's the mcafee\clean.bat scan results:
|

Ok that was some report.

It shows you had the SpySheriff Malware and your Yahoo Anti spyware found some of it and
quarantined it. McAfee found some of it in the quarantine.

It also shows some malware was found in the System Restore Cache. You may want to disable
the System Restore cache. Reboot the PC. Then re-enable the System Restore cache and then
create a new restore point.

Other than that you had a bunch of adware and a couple of Downloader Trojans.

About the Trend Micro. I don't uderstand the question. Where does the Trend Micro Pattern
File come into play ?

If you are interested in another tool of mine, I have the Multi AV Scanning Tool which uses
a menu driven front end to provide the AV scanners from; McAfee, Trend Micro, Sophos and
Kaspersky.

The McAfee module you just ran is a subset of this tool but has been specialy built for the
SpyAxe, SpySheriff, SmitFraud Trojan, etc, types of infection. Let me know if you are
interested in my Multi AV Scanning Tool.

Becuase of the amount of adware on your PC I do suggest the following...


Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d
 
Thanks for this info.

Was infected by "SpySheriff" yesterday and have been able to remove most of
the problems except for correcting the Desktop Themes/Background hijack
problem. (Desktop is "locked" to "Modified Theme" and will not allow --
options grayed out -- any changes.)

I am attempting to follow D.H. Lipman's instructions now in order to
"un-hijack" my Desktop display.

I also have DL'ed and installed Windows AntiSpyware Beta 1 and will leave
that active and running along with Norton's AntiVirus (my current antivirus
application).

I will update if I can resolve this issue with the posted info.

Thanks.
 
Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Informatio
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4667 created Jan 04 2006
Scanning for 168923 viruses, trojans and variants.


--------------------------------------------------------------------------------
Virus Scan Result
--------------------------------------------------------------------------------




01/04/2006 14:01:10


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*

Summary report on C:\*.*
File(s)
Total files: ........... 113172
Clean: ................. 111880
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Scanning D: []
Scanning D:\*.*

Summary report on D:\*.*
File(s)
Total files: ........... 330975
Clean: ................. 330922
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:46.15
 
Yes -- I followed your instructions and my Desktop is "un-hijacked" and
functions normally again.

Thanks very, very much for this excellent corrective info.

"We learn as we go." -- Fred Gywnne, "The Cotton Club"
 
From: "dhewey" <[email protected]>

| Yes -- I followed your instructions and my Desktop is "un-hijacked" and
| functions normally again.
|
| Thanks very, very much for this excellent corrective info.
|
| "We learn as we go." -- Fred Gywnne, "The Cotton Club"

YW -- Glad to help.
 
Back
Top