TechSpot

Help: Had Spy Sheriff, now stuck with trojans

By yisroelsch
Dec 29, 2005
Topic Status:
Not open for further replies.
  1. My computer was infected with the Spy Sheriff virus. Now Norton keeps reporting that some trojans are still there, but access is denied when it tries to delete them.
    Logfile of HijackThis v1.98.2
    Scan saved at 12:24:53 PM, on 12/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\kmw_run.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\KMW_SHOW.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\AOL\1131628510\ee\AOLHostManager.exe
    C:\Program Files\Common Files\AOL\1131628510\ee\AOLServiceHost.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinPortrait\floater.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    c:\program files\common files\aol\1131628510\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
    C:\Program Files\Common Files\AOL\1131628510\ee\AOLServiceHost.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\CounterSpy.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
    C:\Documents and Settings\Sruli\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sruli\Application Data\Mozilla\Profiles\default\tmjtqhg9.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131628510\ee\AOLHostManager.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
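An added example, not part of the thread, that triages the O4 (autorun) and O9 (IE button) entries of a HijackThis log like the one posted above. The excerpt it embeds is copied from that log. The heuristics are this example's own, not HijackThis's: a file name one character away from a core Windows process name, an executable launched from the legacy C:\WINDOWS\System directory, a Run value with no directory at all, and an O9 button pointing at "(no file)". They only mark entries for a person to check on disk; they do not identify any entry as malware. All function and variable names are the example's own.

```python
"""Triage the O4 (autorun) and O9 (IE button) entries of a HijackThis log.

Added example, not part of the thread. The heuristics are this example's
own and only mark entries for a person to check; they do not identify malware.
"""
import re
from collections import namedtuple

# Excerpt copied from the log posted in the thread (constructed test input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# Core Windows XP process names that look-alike file names imitate.
CORE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}

Finding = namedtuple("Finding", "section name target reasons")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O9_RE = re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$")


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_from_command(cmd):
    """Executable path from a Run-value command line, quoted or with arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check_executable(path):
    """Reasons, possibly none, why this autorun target deserves a look."""
    reasons = []
    base = path.rsplit("\\", 1)[-1].lower()
    for core in sorted(CORE_NAMES):
        if base != core and edit_distance(base, core) == 1:
            reasons.append(f"name is one character away from {core}")
    if "\\" not in path:
        reasons.append("no directory given, so PATH decides which file actually runs")
    elif re.search(r"\\windows\\system\\", path, re.I):
        reasons.append("runs from the legacy C:\\WINDOWS\\System directory rather than system32")
    return reasons


def triage(log_text):
    """Return a Finding for every O4/O9 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m["cmd"])
            reasons = check_executable(exe)
            if reasons:
                findings.append(Finding("O4", m["name"], exe, reasons))
            continue
        m = O9_RE.match(line)
        if m and m["target"].strip() == "(no file)":
            findings.append(Finding("O9", m["name"], m["target"],
                                    ["orphaned: the button points at a file that is gone"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.target}")
        for r in f.reasons:
            print("    -", r)
```

Cross-check each flagged path against the "Running processes" list at the top of the log before acting: the kmw_run.exe Run value has no directory, but the process list shows C:\WINDOWS\system32\kmw_run.exe actually running, so that is the file to inspect; the svwhost.exe entry has no matching process in the list at scan time, so the file in C:\WINDOWS\System is what to look at on disk (properties, publisher, hash) before deciding anything.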
  2. Tedster (Techspot old timer)

    Did you TURN OFF System Restore when removing Spy Sheriff?

    Did Norton quarantine the virus? If so, you have to delete it, as it is still in quarantine.

    Follow the instructions posted for removing Spy Sheriff.
  3. yisroelsch (TS Rookie, topic starter)

    I followed the instructions, but alt.exe keeps showing up in my processes.
  4. Tedster (Techspot old timer)

    Then you didn't turn off System Restore before removal.
    Turn off System Restore. Boot in Safe Mode when removing.
    Remove virus references in the registry.
    Run anti-virus.
    Reboot in normal mode.
    Run anti-virus.
    If nothing comes up, then turn on System Restore.
  5. yisroelsch (TS Rookie, topic starter)

    Thanks, I'll try again.
  6. yisroelsch (TS Rookie, topic starter)

    I tried again. There were no references left to Spy Sheriff, and the antivirus scan came up clean, yet alt.exe keeps on reinstalling itself.
  7. Tedster (Techspot old timer)

    It is still in your registry and therefore also in your System Restore files.
    Remove it MANUALLY!
  8. yisroelsch (TS Rookie, topic starter)

    Sorry for being such a newbie, but I'm not sure how to remove it manually.
  9. vhunter (TS Rookie)

    Disable System Restore.
    Go to Start > Run and type "regedit" (no quotes). In the Registry Editor, go to the Edit menu and click "Find". In the box, type "alt.exe" (no quotes). Delete all references to the file, close the Editor, and turn System Restore back on.
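The regedit Find-and-delete step above, as an added example in Python (not from the thread, and not a tool either poster used). On Windows it walks the live registry with the standard winreg module; the search and the cleanup plan also run on a plain list of (key path, value name, data) triples, and the block carries a constructed sample dump whose key and value names (WinUpdate, altsvc, ExampleAV, RecentFiles) are hypothetical. It departs from "delete all references" in two ways a practitioner would want: a hit in HKCR\exefile\shell\open\command is restored to the stock "%1" %* rather than deleted, because deleting that value breaks launching every .exe, and matching is on the whole file name so that alt.exe does not also hit a file such as default.exe. Service entries and anything outside an autorun key are handed to a person instead of being removed.

```python
"""Find every registry value that references a file name, then plan the cleanup.

Added example; it is not from the thread. On Windows it walks the live
registry with the standard winreg module; anywhere else (and in the demo
below) it works on an iterable of (key_path, value_name, data) triples.
"""
import re

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

HIVES = {} if winreg is None else {
    "HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
    "HKCR": winreg.HKEY_CLASSES_ROOT, "HKU": winreg.HKEY_USERS}

# What a hit means depends on where it lives. Deleting is only right for
# autorun values; a hijacked exefile command must go back to the stock value
# or double-clicking any .exe stops working; services and everything else
# (MRU lists, scanner history) get a human look first.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx|Services)?$", re.I)
EXEFILE_CMD_RE = re.compile(r"^HKCR\\exefile\\shell\\open\\command$", re.I)
SERVICE_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d+)\\Services\\", re.I)
STOCK_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample dump (hypothetical keys and names) so the demo runs offline.
SAMPLE_DUMP = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "WinUpdate", r"C:\WINDOWS\alt.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "vptray", r"C:\PROGRA~1\SYMANT~1\VPTray.exe"),
    (r"HKCR\exefile\shell\open\command", "", r'"C:\WINDOWS\alt.exe" "%1" %*'),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\altsvc", "ImagePath", r"C:\WINDOWS\alt.exe /svc"),
    (r"HKLM\SOFTWARE\ExampleAV\ScanHistory", "LastDetected", r"C:\WINDOWS\ALT.EXE"),
    (r"HKCU\Software\Example\RecentFiles", "0", r"C:\Program Files\Example\default.exe"),
]


def walk_live(hive_name, subkey=""):
    """Yield (key_path, value_name, data) for every value under a hive (Windows only)."""
    try:
        key = winreg.OpenKey(HIVES[hive_name], subkey)
    except OSError:          # access denied or key vanished: skip it
        return
    path = hive_name + ("\\" + subkey if subkey else "")
    with key:
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        for i in range(n_val):
            name, data, _ = winreg.EnumValue(key, i)
            yield path, name, data
        subs = [winreg.EnumKey(key, i) for i in range(n_sub)]
    for sub in subs:
        yield from walk_live(hive_name, f"{subkey}\\{sub}" if subkey else sub)


def find_references(entries, filename):
    """Entries whose value name or string data contain filename as a whole name
    (so "alt.exe" does not match "default.exe"); case-insensitive."""
    pat = re.compile(r"(?<![a-z0-9_])" + re.escape(filename), re.I)
    hits = []
    for path, name, data in entries:
        texts = [name] + ([data] if isinstance(data, str) else
                          [str(d) for d in data] if isinstance(data, list) else [])
        if any(pat.search(t) for t in texts):
            hits.append((path, name, data))
    return hits


def plan_cleanup(hits):
    """Turn hits into (action, key_path, value_name, new_or_old_data) tuples."""
    plan = []
    for path, name, data in hits:
        if EXEFILE_CMD_RE.match(path):
            plan.append(("restore", path, name, STOCK_EXEFILE_COMMAND))
        elif RUN_KEY_RE.search(path):
            plan.append(("delete_value", path, name, data))
        elif SERVICE_RE.search(path):
            plan.append(("review_service", path, name, data))
        else:
            plan.append(("review", path, name, data))
    return plan


def apply_plan(plan, dry_run=True):
    """Print the plan; with dry_run=False also edit the live registry (run as
    admin, in Safe Mode, with System Restore off and the process already killed)."""
    for action, path, name, data in plan:
        print(f"{action:15} {path} [{name or '(default)'}] -> {data!r}")
        if dry_run or action not in ("delete_value", "restore"):
            continue
        hive, _, subkey = path.partition("\\")
        with winreg.OpenKey(HIVES[hive], subkey, 0, winreg.KEY_SET_VALUE) as key:
            if action == "delete_value":
                winreg.DeleteValue(key, name)
            else:
                winreg.SetValueEx(key, name, 0, winreg.REG_SZ, data)


if __name__ == "__main__":
    entries = (e for h in HIVES for e in walk_live(h)) if winreg else SAMPLE_DUMP
    apply_plan(plan_cleanup(find_references(entries, "alt.exe")))
```

Run it in the default dry-run mode first and read the plan; a full walk of HKLM and HKCR takes a while but is what regedit's Find does too. The order of operations the thread gives still applies: the process has to be dead (Safe Mode) and System Restore off before the values go, or they are simply rewritten, and the file on disk must be deleted as well, since the registry value only points at it.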
  10. Tedster (Techspot old timer)

    Follow the instructions on how to edit your registry.

    You have to use regedit or system management tools.

    If you don't, you'll never get rid of it.