TechSpot

Hijackthis log attachment. bluescreen spyware! help please!

By lilfinger
Dec 11, 2005
  1. Hi! My desktop screen is now blue with a sign in red letters over a black background saying SPYWARE INFECTION. Since then, I can't access Internet Explorer. I had to download Firefox just to come here and search for help. I tried Ad-Aware and Spyware Doctor but the sign is still there... Any advice on how to get rid of it??? Please... help me... I'll post the log, and by the way, I made a folder for HijackThis. It's in D:\My Downloads\hijackthis

    Any help will be very much appreciated! Please help!!!!
     
  2. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,919   +9

    End these processes with Task Manager (or similar tool):

    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\Program Files\winupdates\winupdates.exe
    C:\winstall.exe

    Then fix these:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
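
An added example, not part of the thread or any poster's code: a small Python parser that reads HijackThis-style lines like the ones quoted in the post above and lists which executables are started by autorun (O4) or service (O23) entries, so the processes to end can be cross-checked against the entries to fix. The section labels and function names are this example's own, and the sample log is constructed from the lines in the post.

```python
import re
from ntpath import basename  # Windows path rules, usable on any OS

# Short labels for the HijackThis section codes seen in this thread (example's own wording).
SECTIONS = {
    "R0": "IE start/search page",
    "O4": "autostart (Run key / Startup)",
    "O9": "IE extra button or menu item",
    "O15": "Trusted Zone site",
    "O23": "Windows service",
}

# Constructed sample: a subset of the entries quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

LINE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")  # "O4 - rest of entry"
EXE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.I)        # first drive-rooted .exe path

def parse(log):
    """Return a list of dicts: section code, label, raw detail, exe path if any."""
    entries = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a log entry
        code, detail = m.groups()
        exe = EXE.search(detail)
        entries.append({"code": code, "meaning": SECTIONS.get(code, "other"),
                        "detail": detail, "exe": exe.group(1) if exe else None})
    return entries

def persistence(entries):
    """Map executable file name (lower-cased) -> section codes that launch it."""
    found = {}
    for e in entries:
        if e["code"] in ("O4", "O23") and e["exe"]:
            found.setdefault(basename(e["exe"]).lower(), []).append(e["code"])
    return found

if __name__ == "__main__":
    for name, codes in sorted(persistence(parse(SAMPLE_LOG)).items()):
        print(f"{name:20} started by {', '.join(codes)}")
```
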
     
  3. lilfinger

    lilfinger TS Rookie Topic Starter

    Hi,

    Thanks for your time and help! But I can't open the Task Manager... any idea??
    And oh?!? Can I fix the others without ending the processes???

    Thanks in advance!
     
  4. lilfinger

    lilfinger TS Rookie Topic Starter

    Hi!

    Please help me! Nothing happened to my computer after I fixed it... Can you look at my new HijackThis log? Please! Thanks in advance!!!
     
  5. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    You have the SpySheriff virus.

    Removal:

    Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.

    Instead follow these steps:

    1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
    2. In the Control Panel go to "Add/Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
    3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the Start button.
    4. Look for this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
    Also delete this branch in your registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
    This file is scheduled to execute each time you boot and it will re-install Spysheriff.
    Delete that file.
    Update:
    There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
    6. Restart your system.
    Done.
     
  6. lilfinger

    lilfinger TS Rookie Topic Starter

    THANK YOU SO MUCH!!!! I think it's gone now! I just followed what you said... but I just want to make sure that it's gone now... Here's what I did...

    I opened the Task Manager and I didn't find any process named "winstall" (winstall.exe) or SpySheriff, so I'm assuming that SpySheriff is not running... So I then went to "Add/Remove Programs" and again was not able to find SpySheriff, so again I'm assuming that SpySheriff is uninstalled already *that I uninstalled it already.

    All I did was go to regedit.exe and do what you told me... I also looked in my root directory for a file named winstall.exe. It was in c:/ and about 32 bytes... or something. Restart! And my desktop is back to normal! My Internet Explorer is now working! So thank you very much!! It is really a huge help!

    *** Do you have any advice so I can check if I still have any spyware on my PC?!? And also what programs do you suggest so I can protect my PC from spyware in the future...

    THANKS AGAIN!!! :wave:
     
  7. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    Spyware detectors are best used in combination. No single spyware detector can find them all.

    I use 4 all the time. I don't keep them resident in memory though.

    1. Spybot Search & Destroy
    2. Ad-Aware
    3. Microsoft AntiSpyware
    4. Ewido

    Keep all the updates handy and run them once a week or so.

    If you watch porn or download crap like screensavers, keep them in residency.
     
Topic Status:
Not open for further replies.

