[Fixed] PeteTheToad HJT Log
#1
01-01-2006
PeteTheToad (Bronze Member)
Join Date: Jan 2006
Posts: 8
[Fixed] PeteTheToad HJT Log

It started with UnSpyPC; I've already uninstalled the program and deleted the registry entries associated with UnSpyPC. I can run a scan with AVG, and it finds no viruses. However, when I run either Microsoft Anti-Spyware or SpyBot, AVG pops up a message indicating that a virus has been found in C:\Windows\system32\sphlp32.exe. AVG cannot delete or move the file to the virus vault. I checked the box to show all hidden files and folders, but I cannot find this file manually by looking in that drive.

I am being redirected via Google searches when the URL is longer than a certain parameter it seems.

Edit: As this thread was split from another user's thread, for clarification, here is the original information: Spyware-won't-go-away
Attached Files
File Type: log hijackthis.log (7.6 KB, 2 views)



Last edited by ladygreenwitch; 01-01-2006 at 04:42 AM.
#2
01-01-2006
ladygreenwitch (HR Director)
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,778
PC Experience: PC Illiterate

Hi Pete the Toad,

Welcome to PCHF. As you've seen, we have a wonderful team of Security Techs here on site, and I am sure that we will be able to help you rid yourself of the rlm (rotten little monsters).

Let me have a look at your HijackThis log. In the meantime, can you please follow the instructions in PreWork in my signature, ignoring the HijackThis part for now. Thanks,

Look forward to your reply,

TTFN

LGW


#3
01-01-2006
PeteTheToad (Bronze Member)
Join Date: Jan 2006
Posts: 8
Prework Completed

I also went ahead (using HJT) and deleted:

bhoserv.exe
xterminit.exe
porka.exe
slamm.exe
vxdman.exe

But the problem with the Trojan Horse Clicker.FR showing up in c:\windows\system32\sphlp32.exe is still happening when I run Microsoft Anti-Spyware. It's not showing up in that search, but it's kicking in the AVG every time I run the Anti-spyware.

Thanks LGW



Last edited by PeteTheToad; 01-01-2006 at 05:10 AM.
#4
01-01-2006
ladygreenwitch (HR Director)
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,778
PC Experience: PC Illiterate

Hey Pete,

You need to make sure that you are completely removing the WareOut infection; however, good for you finding those entries. Here is some information about that infection:
http://www.doxdesk.com/parasite/WareOut.html

Chances are you got ahead of yourself when you started removing the other infection and that's why you have traces of it left that you cannot find.

Try this; Download Killbox, then Counterspy and RegSupremePro from my signature.
Edit: Also download Housecall from my signature, run it before going forward with the other instructions. LGW

Make sure that you have System Restore disabled. Boot into Safe Mode and run CCleaner again, as in the original instructions I had you follow.

Install and run CounterSpy. Have it run a complete system scan, and fix anything that it finds.

Follow the instructions for removing Wareout in the link above.

Run HJT, and fix any of these items that are still there, and then delete the bold item, if you can find it, from your computer;
C:\Documents and Settings\Ginger Gardner\Local Settings\Temporary Internet Files\Content.IE5\4L6JSL2N\advisor[1].exe
R3 - URLSearchHook: (no name) - {DC38AD60-6E01-5E45-24BC-197CD877A0FA} - ssweeper.dll (file missing)
O4 - HKLM\..\Run: [control64] bhoserv.exe
O4 - HKLM\..\Run: [zantu] vxdman.exe
O4 - HKCU\..\Run: [panel_its] slamm.exe
O4 - HKCU\..\Run: [init32] porka_.exe
O4 - HKCU\..\Run: [xsetup] XTermInit.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab

Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box

C:\WINDOWS\system32\sphlp32.exe

Click the red circle with the white x and allow your computer to reboot.

Also, do you recognize this entry?
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.svccorp.com/SiteRoots/...Downloader.cab

and can you identify these IPs as your ISP provided IP addresses?
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1FB0EDD-9DC6-46C0-8827-67F5E6C2126D}: NameServer = 85.255.116.73,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4490288-3FF0-4DE9-8FF7-615603D0CB7B}: NameServer = 85.255.116.73,85.255.112.221

If your answer is no to all or any of the three, fix the ones you do not recognize.
Run CCleaner again, and reboot into regular mode.

Now install and run RegSupremePro, it will want to create a back up of your registry, let it. Once it has finished, click on the Registry Cleaner tab, select Aggressive, let it run. When it is done, click on Select, and choose All. Click on Fix and let it fix everything that it has found.

Now run another HJT log and post your ewido log.

Look forward to your reply,

TTFN

LGW


#5
01-01-2006
PeteTheToad (Bronze Member)
Join Date: Jan 2006
Posts: 8
Here are the reports

Killbox did not reboot on its own. I did have to manually reboot. CounterSpy found the sphlp32.exe file and, I think, deleted it. It referred to that file as a password stealer.
Attached Files
File Type: log hijackthis.log (7.1 KB, 1 views)
File Type: txt ewido Scan report_20060101.txt (1.4 KB, 1 views)


#6
01-02-2006
joe5 (Elite Member)
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Looks like you didn't run the Wareout fix yet. Run that now and save the log from it, then fix this one with HJT in Safe Mode:

O4 - HKLM\..\Run: [dmhbx.exe] C:\WINDOWS\system32\dmhbx.exe
Then delete the file in bold.

After that post the fixwareout log and a new hjt log please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#7
01-02-2006
PeteTheToad (Bronze Member)
Join Date: Jan 2006
Posts: 8
Fixwareout log?

I am not sure what you mean with the "fixwareout log." I did everything it said to do in the Wareout fix although I had already uninstalled UnSpyPC (like one minute after it loaded itself onto my PC):
Removal

Use the entry in the Control Panel’s Add/Remove Programs list to remove the software, then restart the computer, open the Windows folder and delete the file wotmp.tmp or wotmp11.tmp, then open the System32 folder (inside the Windows folder, called just ‘System’ on Windows 95/98/Me) and delete the file wosys.dll or wosysdll.dll.
To clean up the fake spyware traces WareOut installs, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. For each, look at the entry list on the right and delete entries using the names/filenames above. Then select the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks and delete the randomly-numbered entries on the right except the default search hook {CFBFAE00-17A6-11D0-99CB-00C04FD64497}.



However, I didn't find any wosys.dll or wosysdll.dll files in the registry or in the System32 folder. I did delete those "randomly-numbered entries" in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks.

Attached is my most recent hjt log.

Edit: Also, I didn't find O4 - HKLM\..\Run: [dmhbx.exe] C:\WINDOWS\system32\dmhbx.exe but I found a very similar entry and deleted it. When I booted up before, the thing was trying to gain access.
Attached Files
File Type: log hijackthis.log (6.8 KB, 1 views)



Last edited by PeteTheToad; 01-02-2006 at 04:56 AM.
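The HijackThis entries LGW asked Pete to check in #4 (bare-filename O4 autostarts, the two O17 NameServer entries, the R3 URLSearchHook marked "(file missing)") and the default search hook CLSID quoted from doxdesk in #7 are exactly the things a small triage script can flag before anyone starts deleting. The following is an added example written for this thread; it is not code from the forum, from HijackThis, or from doxdesk. It assumes you supply the DNS networks you expect to see (your ISP's or your own resolvers; 192.0.2.0/24 below is a documentation range used only as a stand-in), and the sample log is constructed from the lines quoted above plus a couple of made-up benign entries.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Flags the three kinds of entries discussed in the thread:
  * O4  autostart entries whose command is a bare filename (bhoserv.exe, vxdman.exe,
        slamm.exe above) rather than a full path;
  * O17 NameServer entries pointing at resolvers outside the networks you trust
        (the 85.255.x.x entries LGW asked about);
  * R3  URLSearchHook entries whose CLSID is not the default search hook quoted
        from doxdesk, or any entry HijackThis marked "(file missing)".
"""
import ipaddress
import re

# Default IE search hook CLSID, as quoted from the doxdesk removal instructions above.
DEFAULT_SEARCH_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<ips>[0-9.,]+)\s*$")
R3_RE = re.compile(r"^URLSearchHook: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")

# Constructed sample: the first, third, fourth and sixth lines are quoted from the
# thread; the others are made-up benign entries so the script has something to pass.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {DC38AD60-6E01-5E45-24BC-197CD877A0FA} - ssweeper.dll (file missing)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [control64] bhoserv.exe
O4 - HKLM\..\Run: [dmhbx.exe] C:\WINDOWS\system32\dmhbx.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1FB0EDD-9DC6-46C0-8827-67F5E6C2126D}: NameServer = 85.255.116.73,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.1,192.0.2.2
"""


def executable_of(cmd):
    """Return the program token of an autostart command (handles quoted paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def untrusted_dns(ips, trusted_networks):
    """Return the resolver IPs that fall outside every trusted network (or don't parse)."""
    bad = []
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            bad.append(raw)
            continue
        if not any(addr in net for net in trusted_networks):
            bad.append(raw)
    return bad


def triage(log_text, trusted_dns):
    """Return findings as dicts {kind, line, reasons} for the suspicious entries.

    `trusted_dns` is a list of CIDR strings for the resolvers you expect to see.
    """
    networks = [ipaddress.ip_network(n) for n in trusted_dns]
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if kind == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = executable_of(o4.group("cmd"))
                # A bare filename is resolved through the search path at logon, as
                # with the entries fixed in this thread. A full path is NOT evidence
                # of legitimacy (dmhbx.exe above had one), so this is one signal only.
                if "\\" not in exe and "/" not in exe:
                    reasons.append(f"autostart '{o4.group('name')}' runs bare filename {exe}")
        elif kind == "O17":
            o17 = O17_RE.search(body)
            if o17:
                bad = untrusted_dns(o17.group("ips").split(","), networks)
                if bad:
                    reasons.append("NameServer outside trusted networks: " + ", ".join(bad))
        elif kind == "R3":
            r3 = R3_RE.match(body)
            if r3 and r3.group("clsid").upper() != DEFAULT_SEARCH_HOOK:
                reasons.append(f"non-default URLSearchHook {r3.group('clsid')}")
        if "(file missing)" in body:
            reasons.append("entry points at a missing file")
        if reasons:
            findings.append({"kind": kind, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(finding["kind"], "|", finding["line"])
        for reason in finding["reasons"]:
            print("    ", reason)
```

Run against the constructed sample with only 192.0.2.0/24 trusted, it reports three entries: the missing-file R3 hook, the bare-filename O4 for bhoserv.exe, and the O17 pair pointing at 85.255.116.73 and 85.255.112.221. The answer to LGW's question in #4 ("can you identify these IPs as your ISP provided IP addresses?") is what decides the trusted list; the script only makes the comparison mechanical.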
