Hijackthis log attachment. bluescreen spyware! help please!

Status
Not open for further replies.

lilfinger

Hi! My desktop screen is now blue with a sign in red letters over a black background saying SPYWARE INFECTION. Since then, I can't access Internet Explorer. I had to download Firefox just to go here and search for help. I tried Ad-Aware and Spyware Doctor, but the sign is still there... Any advice on how to get rid of it??? Please... help me... I'll post the log, and by the way... I made a folder for HijackThis. It's in D:\My Downloads\hijackthis

Any help will be very much appreciated! Please help!!!!
 
End these processes with Task Manager (or similar tool):

C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\winupdates\winupdates.exe
C:\winstall.exe

Then fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
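
The fix list above, parsed as an added example (not part of the original post and not HijackThis's own code): it shows that each process to end is tied to an autostart entry in the same list, and checks a later scan for fixed entries that have come back. `RESCAN` and its `ExampleTool` line are constructed for illustration; the function names are hypothetical.

```python
import re

# Fix list copied verbatim from the post above.
FIX_LIST = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE"""
# Processes the post says to end before fixing.
PROCESSES = [r"C:\WINDOWS\System32\ScsiAccess.EXE",
             r"C:\Program Files\winupdates\winupdates.exe",
             r"C:\winstall.exe"]
# Constructed later scan (not from the thread): one fixed entry has come back.
RESCAN = r"""O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\ExampleTool\tool.exe"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
PATH = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]*?\.(?:exe|htm|dll)', re.I)

def parse(log):
    """Split HijackThis lines into section code, body and first file path (None if absent)."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            p = PATH.search(m.group(2))
            entries.append({"code": m.group(1), "body": m.group(2),
                            "path": p.group(0) if p else None})
    return entries

def persistence_for(processes, entries):
    """For each process path, the autostart sections (O4 Run value, O23 service) that launch it."""
    auto = [e for e in entries if e["code"] in ("O4", "O23") and e["path"]]
    return {p: [e["code"] for e in auto if e["path"].lower() == p.lower()]
            for p in processes}

def still_present(fix_list, rescan):
    """Entries from the fix list that show up again in a later scan."""
    seen = {(e["code"], e["body"].lower()) for e in parse(rescan)}
    return [e for e in parse(fix_list) if (e["code"], e["body"].lower()) in seen]
```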
 
Hi

Thanks for your time and help! But I can't open the Task Manager... any idea??
And oh?!? Can I fix the others without ending the processes???

Thanks in advance!
 
hi!

Mictlantecuhtli said:
End these processes with Task Manager (or similar tool):

C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\winupdates\winupdates.exe
C:\winstall.exe

Then fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE


Please help me! Nothing happened to my computer after I fixed it.. can you look at my new HijackThis log! Please! Thanks in advance!!!
 
You have the Spysheriff virus.

Removal:

Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad, e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.

Instead follow these steps:

1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
2. In the control panel go to "Add/ Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
4. Look for this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
Also delete this branch in your registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
This file is scheduled to execute each time you boot and it will re-install Spysheriff.
Delete that file.
Update:
There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
6. Restart your system.
Done.
 
Tedster said:
You have the Spysheriff virus.

Removal:

Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad, e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.

Instead follow these steps:

1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
2. In the control panel go to "Add/ Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
4. Look for this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
Also delete this branch in your registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
This file is scheduled to execute each time you boot and it will re-install Spysheriff.
Delete that file.
Update:
There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
6. Restart your system.
Done.



THANK YOU SO MUCH!!!! I think it's gone now! I just followed what you said... but I just want to make sure that it's gone now... here's what I did...

I opened the Task Manager and I didn't find any process named "winstall" (winstall.exe) or spysheriff, so I'm assuming that spysheriff is not running... so I then went to "add/remove programs" and again was not able to find spysheriff, so again I'm assuming that spysheriff is uninstalled already *that I uninstalled it already.

All I did was go to regedit.exe and do what you told me.. I also looked at my root directory for a file named winstall.exe. It was in c:/ and about 32 bytes... or something. Restart! And my desktop is back to normal! My Internet Explorer is now working! So thank you very much!! It is really a huge help!

*** Do you have any advice so I can check if I still have any spyware on my PC?!? And also what programs do you suggest so I can protect my PC from spywarez in the future...

THANKS AGAIN!!! :wave:
 
Spyware detectors are best used in combination. No single spyware detector can find them all.

I use 4 all the time. I don't keep them resident in memory though.

1. Spybot Search and Destroy
2. Ad-Aware
3. Microsoft AntiSpyware
4. Ewido

Keep all the updates handy and run them once a week or so.

If you watch porn or download crap like screensavers, keep them in residency.
 