Still Held Up By SpySherriff

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by zenbob, Dec 17, 2005.

  1. zenbob

    zenbob Private E-2

    Greetings.

    I have performed the steps indicated in the Read and Run Me First post, as well as the steps indicated in the SpySherriff Removal post, and am now officially annoyed. Previously I was semi-officially annoyed, or maybe officially semi-annoyed. Though I generally agree with the pacifist view of life, a few minutes with a baseball bat and my new friends the authors of SpySherriff would certainly brighten my day.

    If you would be kind enough to guide me toward a better PC situation I would be most grateful. I'm grateful already for the fantastic information and guidance available on this site.

    HJT log attached.
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow the steps below:

    Run ALL the steps in this Sticky thread: SpySheriff (aka SpywareNo) Removal

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
  3. zenbob

    zenbob Private E-2

    Thanks for your response. Yes, I can see how having a little more information might help you help me. Apologies for that.

    So here's my situation. I went back and (a little more) carefully worked through the READ & RUN ME FIRST post; somehow missed the online scanning step before. After working through all the steps, I worked through the SpySherriff Removal post step by step.

    My initial symptom was that I had a bogus wallpaper and was unable to change my wallpaper, as well as a systray alert that keeps popping up telling me I'm infected. After working through all the steps, and logging back in I find that my wallpaper is released but I still have the systray alert. I also have something trying to get out to the internet when I boot up (which of course I cannot recall now - black dos window type thing pops up). AVG catches it and I deny it, but it keeps happening. Also, I get two dialog boxes at boot up: 1) "windows cannot find C:\WINDOWS\inet20099\winlogin.exe" and 2) "Could not load or run C:\WINDOWS\inet20099\winlogin.exe specified in the registry."

    HJT log attached. Let me know if there are other details that will help. Many thanks for looking at this.

     


  4. zenbob

    zenbob Private E-2

    OK, just rebooted to be clear on what's happening. Three items are reaching out to the internet: 1) C:\winstall.exe; 2) C:\WINDOWS\System32\z11.exe; 3) C:\WINDOWS\system32\cmd32.exe

    Hope this helps.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  6. zenbob

    zenbob Private E-2

    Greetings. In terms of SpySherriff, your advice to run SpySweeper seems to have done the trick. Many, many thanks.

    I still, however, get two dialog boxes at boot up: 1) "windows cannot find C:\WINDOWS\inet20099\winlogin.exe" and 2) "Could not load or run C:\WINDOWS\inet20099\winlogin.exe specified in the registry." Is this SpySherriff related? Any guidance as to how to solve this?

    Thanks again.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's run one more scan then we will clean your HJT log up, please see the below thread on how to install and run Ewido Security Suite.

    Running Ewido Security Suite ...
     
  8. zenbob

    zenbob Private E-2

    Once more, thanks again for all your time.

    Ewido found several objects and zapped them. However, restarting into Normal mode I found that the two dialog boxes --

    1) "windows cannot find C:\WINDOWS\inet20099\winlogin.exe"
    2) "Could not load or run C:\WINDOWS\inet20099\winlogin.exe specified in the registry."

    -- still show up.

    Attached is the Ewido report and the latest HJT log.
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

    F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe

    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And click OK.

    After you complete the above, reboot and let me know how things are running.
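    As an added example (not code from the thread or from MajorGeeks), a small Python triage script that applies the same judgement used on the HijackThis entries above: it flags "(no file)" / "(file missing)" orphans and a win.ini run= or load= line whose target is not on disk, which is the registry-mapped autostart behind the "Could not load or run ... specified in the registry" dialog at logon. The log lines are constructed from the entries quoted above; the injectable `exists` callback is an assumption so the script can run against a log copied from another machine.

```python
import re
from pathlib import Path

# Constructed sample modelled on the entries fixed in this thread
# (not the actual attached log, which is not on the page).
SAMPLE_HJT_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F3 - REG:win.ini: run=C:\\WINDOWS\\inet20099\\winlogon.exe
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\\..\\Run: [AVG] C:\\PROGRA~1\\Grisoft\\AVG\\avgcc.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# F3 lines record the legacy win.ini [windows] autostarts: run= or load= plus a path.
F3_RE = re.compile(r"^F3 - REG:win\.ini: (run|load)=(.+)$")
# O4 lines look like "O4 - <key>: [name] <path> [args]"; take the first .exe path.
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.+?\.exe)", re.IGNORECASE)


def triage_hjt(log_text, exists=lambda p: Path(p).is_file()):
    """Return (line, reason) pairs for entries worth checking the FIX box on.

    `exists` is injectable (assumption) so the logic can run on a log copied
    off another machine, or in a test, without consulting the local disk.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append((line, "orphaned entry: registry points at a file that is gone"))
            continue
        m = F3_RE.match(line)
        if m:
            key, path = m.group(1), m.group(2).strip()
            if exists(path):
                findings.append((line, f"legacy win.ini {key}= autostart; confirm the file is wanted"))
            else:
                findings.append((line, f"win.ini {key}= points to a missing file: this is the source "
                                       "of the 'Could not load or run ... specified in the registry' dialog"))
            continue
        m = O4_RE.match(line)
        if m and not exists(m.group(1)):
            findings.append((line, "Run key target no longer on disk"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {entry}")
```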
     
  10. zenbob

    zenbob Private E-2

    Nice. Seems to be running on all cylinders.

    I have a last question. In this last round you had me uninstall Spy Sweeper, which you had me use to root out the SpySherriff. It did a great job, too. I was impressed that it found stuff that the other anti-malware programs I had did not find. Is Spy Sweeper not something to have running all the time? Does it pose problems or anything? Why remove it?

    Thanks again for guiding me through to PC cleanliness. Because of this event I have upgraded my AVG and promised myself to be more diligent in scanning and checking for nasties.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The reason I had you remove Spy Sweeper is because unless you purchase it you can't update it; it's a 14-day trial. The last trial version of Spy Sweeper does not allow you to clean infections, so we can no longer use it as it does us no good.

    If you purchase it, yes it does run all the time protecting your system and yes it's in my opinion the best antispyware program available. I use it as well as many of my customers.
     
  12. zenbob

    zenbob Private E-2

    Cool. I actually did purchase it based on its stellar performance helping to kill the SpySherriff. But I was too wimpy to ask the question before I finished the directions. But now you have confirmed that I made a good purchase, so I will reinstall!

    Thank you copious numbers of times for your help.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    I didn't know you had purchased it, otherwise I would not have requested you uninstall it. Yes, it is a great purchase, I've been using it for a while now and I love it.

    Surf Safely! :)
     
