Major Hijack! I Have Spysherrif Problem!

[Assassin X]

Oddly enough, the little things I seen were all like "Download this this and this" clean this, edit registtry this...blah blah.

 

I simply searched my PC for the files like Z11.EXE, Winstall.exe and deleted them and then went through the reg and deleted ANY entries (within reason obviously) that were related!

 

Now it went away ,although I haven't restarted because I am scanning for virsuses just to be safe! But I did see someone else say If you just delete some Reg entry and then Winstall file it stops it. Hopefully this will work what do you guys think? Your the gurus, I am but a low level geek.

 

--------------------------ADDED ABOVE--------------

Ok, somehow a crappy spyware program still got though into my system and I was going to do a backup tommorow too :angry2: . Its called "SpySheriff". Its also put something called "Winstall.exe" in my C: folder.

 

I tried rebooting and having S&D Spybot remove it but that didn't do anything. I tried researching this but found little answers, it seems I'll have to get help step by step! So can someone please help me remove this nasty spyware.

 

Here is a pic of it telling me "I'm infected". Me being stupid clicked it and it installed the program the first time:

http://img215.imageshack.us/img215/5488/10ac.jpg

 

BTW here is a report from my "Hijack This" scan (which this is my first time using):

Logfile of HijackThis v1.99.1

Scan saved at 3:50:14 AM, on 12/13/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\World News Screensaver\WorldNewsService.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\2Wire\Gateway\2PortalMon.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\cmd32.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\WINDOWS\system32\z11.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\AdPopupKiller\PopupZeroTray.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE

C:\WINDOWS\System32\HPZipm12.exe

D:\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Program Files\Mario Forever Toolbar\v2.0.0.3\Mario_Forever_Toolbar.dll

O2 - BHO: PopupZeroIEDLL.CPopupZeroIEDLL - {A94EDD52-85B3-472F-8BC0-D651D760FBF8} - C:\Program Files\AdPopupKiller\PopupZeroIEDLL.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Program Files\Mario Forever Toolbar\v2.0.0.3\Mario_Forever_Toolbar.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Startup: LyricsAMP Auto-Update!.lnk = C:\Program Files\Windows Media Player\plugins\LyricsAMP\WiseUpdt.EXE

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing

O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlr.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=3924

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSuptl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/PDC_2.1.1.74.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/125bf93c8d909...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Groove Games Licensing Service - Groove Games - C:\Program Files\Common Files\Groove Games Shared\Service\ggameslicsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: World News Service - Unknown owner - C:\Program Files\World News Screensaver\WorldNewsService.exe

Edited December 13, 2005 by Assassin X

[Hushplz]

http://forums.majorgeeks.com/showthread.php?t=65945

 

From the pic you added it looks like the same virus i had on another pc a while back called spyaxe.

 

If you decide to go into the registry please make sure you backup up the registry 1st :thumbs-up:

[Assassin X]

Well I restarted my pc and it came back, turns out I missed the file "netsh.exe" (which opens a DOS window). That opened Z11 too and reinstalled everything. Now I also have a Z12.exe through Z16.exe. It also added a DIALER32.exe which started to dial that I quickly stopped.

 

I hope someone can help me get rid of this.

Edited December 13, 2005 by Assassin X

[ClayMeow]

this is exactly why you saw all this stuff with a "long process" to remove spyware. It's not as simple of just deleting everything you THINK is there because stuff can be hidden and/or embedded. Spyware is very sophisticated and when you try and delete it, it'll recreate it with an entirely new name, usually completely random (which is why there's no clear-cut instructions on what to do in case you're infected, because everyone's different).

 

here's a great scanning utility: http://www.ewido.net/en/download/

it found a bunch of stuff on the systems i installed it on at work.

[Assassin X]

Yeah, I guess SPybot and Ad Popup Killer (and NAV) aren't cutting it.

 

Well, I went through and got rid of everything again including the new stuff and restarted and my pc is fine. I also did a NAV and Spybot scan to be sure (I had some viruses thanks to the spyware). I'll back up my pc today!

 

The only downside is I may have deleted my DIAL32.exe that the pcs needs to dial out in general though. Is there anyway to reinstall that?

[ClayMeow]

anything that has "dialer" in it is malware, so don't fret if that's what you're talking about having deleted.

 

Also, besides just running hijackthis, did you do the removal thru that as well? cause that's what it's there for. but hopefully you caught everything. good luck

[Cookieman123]

http://hijackthis.de/logfiles/d22f4aabfa05...8ebfff6b75.html

[Assassin X]

Hey cookie how did you that to show whats bad and whats not!! Thats great!

[Mr.Who?]

I've had the same exact problem like a month ago. It's not a virus it's an "annoyance" trojan.

[Phil]

Hey cookie how did you that to show whats bad and whats not!! Thats great!

596740[/snapback]

www.hijackthis.de.

[dean25]

try the mass of freeware i use it may be of use to you.

 

link in sig - soon to be removed if not allowed.

[Mr.Who?]

I used Trojan Remover and it got rid of it.

 

Just do a quik search on google to find it.

Edited December 14, 2005 by Mr.Who?