The forum of the forums

Technician Request, possible Virus on Forum.


Post by Sky Rider July 5th 2010, 3:01 am

We have had complaints of a virus called SpySheriff on our site and need a technician to make sure everything's OK; the site is http://www.chat-around.darkbb.com

Post by Darren1 July 5th 2010, 3:25 am

Hello,

We need additional information before we go to the technicians.
Where on your forum is it (i.e. an ad on your index/home page, in a thread; if so, please specify, etc.)?

Post by Sky Rider July 5th 2010, 3:44 am

Well, it does a lot of things and pop-ups appear in random parts of the forum. It does a lot of things: 1, it will bring three sites up, xxx.com, adultplay.com, and viagra.com; it has 4 popups; it also has a thing called "AVscanner" that tries to get people to buy their antispyware to remove the stuff they made.

These were the users' reg keys:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random characters]“
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[random characters]“
HKEY_CURRENT_USER\Software\avsoft
HKEY_CURRENT_USER\Software\avsuite
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
HKEY_CURRENT_USER\Software\Microsoft\Internet Explore
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" ="1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "<local>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "Low
%Documents and Settings%\[UserName]\Local Settings\Application Data\[random characters ]\[random characters]tssd.exe

And

File Name File Size MD5

Post by Darren1 July 5th 2010, 4:53 am

Because of the registry keys that are affected, it appears that those computers are infected.
I would suggest that you inform the users who are getting these malicious warnings to run a virus & spyware scan immediately, and to also download a free Avast! 5.0 scanner, to detect & remove any viruses that are picked up by their current protection.
Also, do not under any circumstances purchase or download these so-called free anti-spyware ... I can almost guarantee it is spyware or a virus itself.
I'll ask our liaison to the company to pop in and see what he can do as far as the techs.
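The registry locations listed in the thread can be checked against a `.reg` export taken from an affected user's machine. The Python below is an added example, not part of the original posts: the function names and the sample export are constructed for illustration, and it leaves out the randomly named Run entries and the truncated lines, which cannot be matched by name.

```python
import re
# Key paths reported in the thread; presence alone is the indicator.
INDICATOR_KEYS = [
    r"hkey_current_user\software\avscan",
    r"hkey_current_user\software\avsoft", r"hkey_current_user\software\avsuite",
    r"hkey_local_machine\software\avsoft", r"hkey_local_machine\software\avsuite",
]
# (key, value name) -> data reported in the thread; ProxyOverride is not checked.
INDICATOR_VALUES = {
    (r"hkey_current_user\software\microsoft\internet explorer\download",
     "runinvalidsignatures"): "1",
    (r"hkey_current_user\software\microsoft\windows\currentversion"
     r"\internet settings", "proxyserver"): "http=127.0.0.1:5555",
}

def normalise(data):
    """Reduce .reg value syntax ("text" or dword:hex) to a plain string."""
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data.strip('"').lower()

def scan_reg_export(text):
    """Return sorted (kind, key[, value name]) findings for a .reg export."""
    findings, key = set(), None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1).lower()
            for k in INDICATOR_KEYS:  # match the key itself or any subkey
                if key == k or key.startswith(k + "\\"):
                    findings.add(("key", k))
            continue
        value = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if value and key:
            name = value.group(1).lower()
            if INDICATOR_VALUES.get((key, name)) == normalise(value.group(2)):
                findings.add(("value", key, name))
    return sorted(findings)

# Constructed sample export, not taken from the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\AvScan\Settings]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:5555"
"ProxyEnable"=dword:00000001
'''
```

Exports written by regedit are UTF-16, so decode the file before passing its text to `scan_reg_export`.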