anti-spyware/ loading pogo games

Discussion in 'Malware Help (A Specialist Will Reply)' started by evilmonkeyz, Dec 20, 2005.

  1. evilmonkeyz

    evilmonkeyz Private E-2

    Spysheriff, what files am i looking for?

    Ok, Here is the deal. I got the infamous SpySheriff, so I went to this site and followed the steps on your thread on how to remove it. So far everything looks good, with the exception of on boot up I get the window that says can't find "inet20099" message. Also my windows keep popping up dosshell of z11, z12 etc.. netsh .exe. I know that this can't be good but, I'm scared to delete these without some sort of guidance. Plus I want to make sure I get it all. Here is a copy of my Hijack This Log.

    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
     
    Last edited by a moderator: Dec 20, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: Spysheriff, what files am i looking for?

    Please see the below thread on how to install and run Spy Sweeper.

    Running Spy Sweeper...
     
  3. evilmonkeyz

    evilmonkeyz Private E-2

    after running the steps in "read and run me first" thread i've noticed that i can't load pogo games. is this due to some anti-spyware software i downloaded?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please remain in one thread, I have merged your threads together so please post in here from now on.

    Did you run SS as previously requested?
     
  5. evilmonkeyz

    evilmonkeyz Private E-2

    yes i am currently running spysweeper.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! After you complete the sweep attach the log and proceed with the below...

    Running Ewido Security Suite ...

    After you have completed both scans, attach both logs with a fresh HJT log.
     
  7. evilmonkeyz

    evilmonkeyz Private E-2

    okay, apparently i have to pay for spy sweeper to get the log, is there anything else you recommend in its place?
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I am just now finding out this about the newest Spy Sweeper build, please see my previous post on running Ewido.
     
  9. evilmonkeyz

    evilmonkeyz Private E-2

    ok, just woke up, Ewido is finally finished so here is my attached HJT and Ewido files.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now I need a fresh HJT log from normal mode.
     
  11. evilmonkeyz

    evilmonkeyz Private E-2

    hey im tryin to attach my HJT log but im having trouble getting the attachment page to load so it might be a few min
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you can attach it, post it inline and I will attach it for you.
     
  13. evilmonkeyz

    evilmonkeyz Private E-2

    here is the HJT log im posting it inline
     

    Attached Files:

    Last edited by a moderator: Dec 21, 2005
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    MyWebSearch

    Ewido


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/home/home-pogop.jsp?site=pogop&lkey=Q56zqxGqJVT4zinRCmb30QAAKDw.
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www-306.ibm.com/pc/support/site.wss/MIGR-44175.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    F3 - REG:win.ini: run=C:\WINDOWS\inet20099\services.exe

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSihp123YYUS

    O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\MyWebSearch ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\search.html

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
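
The fix list in the post above mixes three kinds of HijackThis entry worth telling apart during triage: leftovers whose target is already gone ("(file missing)"), the legacy win.ini autostart (F3), and an IE page value that points at a local file. The following is an added example, not part of the thread or of HijackThis itself; the flag names and the `triage` helper are assumptions made for illustration, and the sample lines are copied from that post.

```python
import re

# What each HijackThis section code used in the fix list reports.
SECTIONS = {
    "R0": "IE start/search page value", "R1": "IE start/search page value",
    "F3": "win.ini/system.ini autostart", "O4": "Run-key autostart",
    "O8": "IE context-menu item", "O9": "IE toolbar button",
    "O20": "Winlogon Notify DLL", "O23": "Windows service",
}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
LOCAL_PATH = re.compile(r"=\s*[A-Za-z]:\\")  # value is a drive path, not a URL

def parse_entry(line):
    """Return (code, detail, flags) for an entry line, or None for other text."""
    m = ENTRY.match(line)
    if m is None:
        return None
    code, detail = m.groups()
    flags = []  # review hints only (hypothetical names), not a verdict
    if "(file missing)" in detail:
        flags.append("file-missing")      # orphaned pointer left after cleanup
    if code == "F3":
        flags.append("ini-autostart")     # runs at logon via win.ini run=/load=
    if code in ("R0", "R1") and LOCAL_PATH.search(detail):
        flags.append("local-file-page")   # browser page served from disk
    return code, detail, flags

def triage(log_text):
    """Return only the entries that carry at least one review flag."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry[2]:
            code, detail, flags = entry
            hits.append({"code": code, "flags": flags, "detail": detail,
                         "what": SECTIONS.get(code, "unknown section")})
    return hits

# Sample input: lines taken from the fix list in the post above.
SAMPLE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\services.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
Make sure All Browser Windows are Closed when you Click FIX.
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["code"], hit["flags"], hit["what"])
```
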
     
  15. evilmonkeyz

    evilmonkeyz Private E-2

    ok ran everything, but, still having trouble with the attachment page loading so can i send you the HJT log inline and you attach it for me?
     
  16. evilmonkeyz

    evilmonkeyz Private E-2

    hey still having problems loading the "manage attachments" page, so is it ok to post my HJT log inline and have you attach it for me?
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    When attaching your log, try the other buttons to attach your log. If you still can't just paste it inline.

    Also let me know what problems if any remain.
     
  18. evilmonkeyz

    evilmonkeyz Private E-2

    ok still having problems attaching HJT log so i will post inline, i appreciate if you can attach it for me. Also everything seems fine, but, I still have the z11-z16.exe files...are these harmful to my system, because when the spyware was on my pc it would pull up dosshell with that trying to access the web? Thanks
     
  19. evilmonkeyz

    evilmonkeyz Private E-2

    Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Dec 23, 2005
  20. evilmonkeyz

    evilmonkeyz Private E-2

    also i forgot to mention the reason i couldn't get into pogo was because my ISP had me quarantined because of the spyware, they thought my computer was sending auto-spam, but that is cleared up now, so if you could let other users know that their ISP might block certain ports if this happens to them.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Only certain ISPs do this, our local cable company does that to customers and for that they have lost many of them.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type services.msc and Click OK

    Locate PLSRemote Service (PLSRemoteSvc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Scan with HJT and have it fix this entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\search.html

    Now navigate to and delete the file below...

    C:\WINDOWS\System32\search.html

    After you complete the above, reboot and let me know how things are running.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They have no choice. This is standard operation procedure for anyone providing network access anywhere. If someone is spamming or they are sending loads of what are called Broadcast Messages (ff:ff:ff:ff:ff:ff in a destination MAC address is typical broadcast message), you are flooding their networks and affecting everyone on it. They will quite often just shut down your physical MAC address completely. If this happens, you would have to call them to reenable your internet access, because they do not automatically reenable.
     
  24. evilmonkeyz

    evilmonkeyz Private E-2

    well everything seems to be back to normal, if you need me to send a fresh HJT log let me know. My ISP has unblocked the blocked ports. I would just like to say thank you for your help, you guys rule!!
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  26. evilmonkeyz

    evilmonkeyz Private E-2

    hey its me again! i took your advice on your article " How to protect yourself from malware". i downloaded Sygate which seems to be working great, but i also downloaded avast home edition. well after that my system crashed 4 times. i uninstalled it and it seems to be ok now. is there some sort of negativity between the 2 programs or is this the result of something else?
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you had more than one firewall/antivirus that could be the reason but if you only have one of each then I'm not really sure because I haven't heard of anything out of those programs.

    I personally recommend AVG AntiVirus + ZoneAlarm Firewall, both free and both do a great job.
     
