Solved

No task manager, control panel or internet access (Spy Sheriff?)

Posted on 2006-05-02
Last Modified: 2013-12-04
Hello.  Hopefully someone will be able to revive my very sick PC.  As mentioned in the subject, internet access, control panel & task manager (XP Home, HP) have all been disabled.  I know Spy Sheriff was present a few days ago when the problem first started & I have not been able to get rid of it following the other threads.  I don't know if any other PCs were restricted from the internet - I am unable to update Ewido & the others so maybe that's why I am still having problems.  I am also afraid I ran Ewido before 'smitRem', not sure if that further complicated things or not.

I have not run HijackThis yet, I was waiting until I had an expert on my side.  Please help!  Thanks.
Question by:greinke
17 Comments
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 16592625
Hi,
It would help if we could look at your HijackThis log.
Go here and paste your HijackThis log: http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/url and post it here:

Or copy and paste the log at;
http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.


2. For your internet connection problem download winsock fix:
http://www.majorgeeks.com/download4372.html


3. Once you have connection download this:( or use another pc with internet access)
Please download SmitfraudFix (by S!Ri)
http://siri.urz.free.fr/Fix/SmitfraudFix.zip 
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.



0
 

Author Comment

by:greinke
ID: 16592758
Thanks for the quick reply, here is the link to my log http://www.rafb.net/paste/results/pwhqeK48.html

i will now begin working on the other tasks you had for me, thanks again.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16592961
You have a few trojans there.

Run Hijackthis again and put a check next to these entries and click "Fix Checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html G
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html G
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)  
R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)  
F3 - REG:win.ini: run=,
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\system32\eventwvr.exe G
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - Global Startup: OfficeTools.hta
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: prtsks - C:\WINDOWS\SYSTEM32\prtsks.dll G
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\hhppnika.dll (file missing)
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: VH4H - Unknown owner - C:\WINDOWS\vh4h.exe (file missing)

Delete these files:
C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
C:\WINDOWS\system32\eventwvr.exe
c:\secure32.html
C:\WINDOWS\winlogon.exe <-- not to be confused with the legit winlogon.exe in system32 folder.
C:\WINDOWS\system32\winbrume.dll <-- another trojan, hijackthis will supposedly delete this, just make sure it is gone.

If problem persists:
Also, Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.



0
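The advice above boils down to reading a HijackThis log for a handful of patterns: start pages pointing at a local HTML file, dangling "(file missing)" references, nameless BHOs, an .hta in the all-users Startup folder, Winlogon Notify DLLs under Documents and Settings, and a system binary name such as winlogon.exe living outside system32. The script below is an added example written for this thread, not code from HijackThis or from any poster; it encodes those checks as triage heuristics (an assumption about what an analyst looks for, not rules HijackThis applies) and runs them over a sample log constructed from the entries quoted in the thread. It also generalises the winlogon.exe point to lookalike names, flagging a file name that is a letter-permutation of a known Windows binary (eventwvr.exe versus eventvwr.exe).

```python
"""Triage of HijackThis-style log lines.

Added example for this thread, not code from HijackThis or from any poster.
The sample log below is constructed from the entries quoted in the thread;
the heuristics are assumptions about what an analyst looks for, not rules
HijackThis itself applies."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Legitimate Windows binaries that live in %SystemRoot%\system32.  The same
# name anywhere else (the thread's C:\WINDOWS\winlogon.exe) is a masquerade,
# and a name that is an anagram of one of these (eventwvr vs eventvwr) is a
# lookalike.
KNOWN_SYSTEM32 = {
    "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe",
    "svchost.exe", "eventvwr.exe", "ctfmon.exe",
}

# A Windows path runs from the drive letter up to a quote, a HijackThis
# "(file missing)" / "(no file)" marker, or the end of the line.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?(?=\s*(?:"|\(file missing\)|\(no file\)|$))')


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def extract_path(line: str) -> Optional[str]:
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def is_lookalike(name: str) -> bool:
    """True when the file name is a letter-permutation of a known binary."""
    n = name.lower()
    return n not in KNOWN_SYSTEM32 and any(sorted(n) == sorted(k) for k in KNOWN_SYSTEM32)


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if not line:
        return None
    section = line.split(" ", 1)[0]      # "R0", "O4", "O23", ...
    lower = line.lower()
    path = extract_path(line)
    reasons: List[str] = []

    if "(file missing)" in lower or "(no file)" in lower:
        reasons.append("dangling reference to a file that no longer exists")
    if section in ("R0", "R1") and path and path.lower().endswith((".htm", ".html")):
        reasons.append("browser start/default page redirected to a local HTML file")
    if section == "O2" and "(no name)" in lower:
        reasons.append("browser helper object with no registered name")
    if section == "O4" and "global startup" in lower and lower.endswith(".hta"):
        reasons.append("HTML application in the all-users Startup folder")
    if section == "O23" and "unknown owner" in lower:
        reasons.append("service with no recognised publisher")
    if path:
        directory, _, name = path.rpartition("\\")
        if name.lower() in KNOWN_SYSTEM32 and not directory.lower().endswith("system32"):
            reasons.append(f"system binary name {name!r} outside system32")
        if is_lookalike(name):
            reasons.append(f"{name!r} is a lookalike of a Windows binary")
        if section == "O20" and "documents and settings" in directory.lower():
            reasons.append("Winlogon Notify DLL loaded from a user-profile location")
    return Finding(line, reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: entries quoted in the thread plus one benign line.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - Global Startup: OfficeTools.hta
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run as a script it prints each flagged entry with its reasons; the benign ctfmon.exe line, a real binary in its real location, produces nothing. The heuristics are deliberately narrow: they point an analyst at what to verify (is that file really where it claims, is the name really what it looks like) rather than deciding on their own, which is the same workflow the expert follows in the thread.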
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16592986
After you've done winsock fix, let us know if you still can't update Ewido, is it because you can't get to their site or something else like an error?
0
 

Author Comment

by:greinke
ID: 16593053
WinSock XP Fix did not correct the internet connection problem.  I was able to ping google though.  Still working on the other items.  i will be back to you for a progress report shortly
0
 

Author Comment

by:greinke
ID: 16593135
Still no luck.  When I ran HijackThis and selected the items requested windows shutdown unexpectedly & rebooted with the serious error message.  here is the new logfile http://www.rafb.net/paste/results/mvBB8J51.html

You posted these lines (see below) for me to fix - they appear to be duplicated, it only appeared once.  Also, there was no 'G' listed at the end as you had pasted.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html G
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html G
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

Am I doing something wrong?  Where should i go from here?  Internet Explorer, task manager, etc still not working
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16593288
Sorry about that, my fault while copying from my work pad.

Bad entries are still there. I think you also have something that isn't showing in your log.
Were you able to download and run smitfraudfix?

Have you tried, anything to restore your connection? like ipconfig /dns
Or "obtain DNS servers automatically"?
Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.


Please fix these entries again:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)  
R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)  
F3 - REG:win.ini: run=,
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\system32\eventwvr.exe G
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - Global Startup: OfficeTools.hta
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: prtsks - C:\WINDOWS\SYSTEM32\prtsks.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - blank (file missing)
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: VH4H - Unknown owner - C:\WINDOWS\vh4h.exe (file missing)

Also Go to START > RUN > type in
services.msc

In the next window, look on the right hand side for these services:
Windows Logon Process Service
VH4H

Double click on each and STOP the service
In the drop down menu, change the startup type to "Disabled"

Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, copy and paste or type the following services into the Open field and hit OK

MSWinLogonProcService
VH4H


Using another pc, Download Pocket Killbox version 2.0.0.175
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\secure32.html  
C:\WINDOWS\system32\eventwvr.exe
C:\WINDOWS\system32\winbrume.dll
C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
C:\WINDOWS\SYSTEM32\prtsks.dll


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.


Can you also, Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16593297
Is your system Restore console working?
try it and see if it helps.

 Start > All Programs > Accessories > System Tools >System Restore
and select a date prior to all these infections, a date before this happened.

Bear in mind that anything you've installed, updates you've downloaded will have to be reinstalled/re-downloaded.

0
 

Author Comment

by:greinke
ID: 16593416
quick update, I know I am connected to the internet (did renew DNS which showed my IP address & server OK) but IE is not working.  When I type in google.com I get this popup from windows: Microsoft Internet Explorer - Internet Explorer could not open the search page. It won't go to any pages.

Ran smitfraudfix, here's the logfile:

SmitFraudFix v2.37

Scan done at  1:34:30.98, Wed 05/03/2006
Run from C:\Documents and Settings\Administrator.CARSTENS04\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\country.exe Deleted
C:\exit Deleted
C:\ms1.exe Deleted
C:\tool1.exe Deleted
C:\tool2.exe Deleted
C:\tool3.exe Deleted
C:\tool4.exe Deleted
C:\tool5.exe Deleted
C:\toolbar.exe Deleted
C:\uniq Deleted
C:\WINDOWS\system32\bin29a.log Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\parad.raw.exe Deleted
C:\WINDOWS\system32\qvxgamet?.exe Deleted
C:\WINDOWS\system32\taskdir.dll Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted
C:\WINDOWS\system32\vxgamet?.exe Deleted
C:\Program Files\paytime.exe Deleted
C:\Program Files\secure32.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End



I am going to try the HijackThis fixes again now.  The last 2 items I think need to be deleted by an older version of HijackThis according to its description

0
 
LVL 32

Expert Comment

by:r-k
ID: 16593447
For the IE problem, you could try this:
 
 http://windowsxp.mvps.org/IEFIX.htm
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16593534
I'm terribly sorry, I seem to be making errors on this thread, I just saw my other post. ipconfig /dns... lol

Try what r-k suggested to fix IE.
thanks for joining r-k, :)


glad smitfraud found some files that didn't show up in your log.


>>I am going to try the HijackThis fixes again now.  The last 2 items I think need to be deleted by an older version of HijackThis according to its description<<
sorry don't quite know what you mean?
the 023 entries? I don't think they show up in the older version of hijackthis, they only show up in 1.99.0 and 1.99.1

keep us updated thanks.

0
 

Author Comment

by:greinke
ID: 16593635
Ran the IEFIX but it didn't repair IE.  I did find the problem - Norton Internet Security.  I uninstalled it and presto.

Yes, the 023 entries - they appear to be gone now anyway :)

Some good news: control panel is now working!  (hence the uninstalling of Norton)

I am still unable to use task manager. Here is the Windows pop-up message I am getting:  Task Manager has been disabled by your administrator. (ok)

There is only one user account listed under the user manager (owner) & it does have administrative rights.

Any thoughts?  

Thanks so much for help so far, it's been a battle.  I will be back at work on this thing in the am.

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16593681
Glad your control panel is working now,

Try this reg file to enable task manager:(you could also manually edit your registry)
http://www.kellys-korner-xp.com/regs_edits/taskmgrenable.reg

When you run "regedit" does it work?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16593697
The reason I asked about regedit is because, if it is also disabled then it might be an Alcan worm in there somewhere, and even if you can make your task manager work again it will be disabled again if it's the worm responsible and if it's still there hiding.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 16597867
Uninstalling Norton is often a good idea, but notoriously difficult to FULLY achieve.
To completely eradicate Norton, use this tool:

http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

Instructions here:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=&seg=hm

Good luck!
0
 

Author Comment

by:greinke
ID: 16605213
Thanks all for the help.  The computer is back up and operational.  This http://www.kellys-korner-xp.com/regs_edits/taskmgrenable.reg fixed the task manager.  The IE fix did help because it reset IE and cleared up some other issues I was having with it.

I did the uninstall of Norton & re-install and it appears to be moving along fine.

I appreciate everyone's help, thanks again.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16605528
Hi greinke,
glad to hear your pc is working okay now.

Was it your intention to give all the points to me, or did you want to split the points?
we can still open this thread if you want to split the points, just let us know, thanks.
0
