Spyware troubles

[speedyink]

I am having troubles with some very annoying spyware programs. It started when I was surfing the net, and I exited out and there were a ton of icons on my desktop. Then a program called "spysheriff" installed on my comp and caused the background to change and some weird stuff happened. This happened because I was stupidly running the computer with no protection (just put internet on). I got rid of spy sheriff and installed a firewall and did various virus and spyware scans, and now all of it is gone except for a couple things. One of them is a popup that opens every time I open internet explorer and about every 30 minutes Im on IE, and it says something about how my computer could be infected with spyware, and when it opens up an annoying buzzing sound comes out of the speakers until its closed. Another are a couple advertisments that pop up now and then. Also, my Firewall is blocking TONS of attacks. Within 30 minutes of the computer being turned on it has blocked about 200 attemps. If I turn off the firewall for longer than 20 minutes my screen fills up with icons again. Has anyone had this before? If so, how can I remove it for good?

 

[Buzz1927]

If you haven't already done them, do the scans in the sticky then post the hijackthis log.

 

[speedyink]

Oh, I didnt see that thread. I'll do that

 

[randruff]

Yup, sounds like you have a trojan on there trying to open up some back doors for the spyware spartans to get in. Also, immediatly stop using internet explorer. get mozilla firefox or another alternative browser.

 

[speedyink]

Alright, I followed the sticky thread, and here is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:28:33 PM, on 7/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\BUFFALO\Client Manager 2\bwsvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\stchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Documents and Settings\Sean\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - D:\WINDOWS\System32\zolker001.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\xp program files\office 2000\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 195.95.218.173
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120086929189
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: Buffalo Wireless Service (BWSVC) - BUFFALO INC. - D:\Program Files\BUFFALO\Client Manager 2\bwsvc.exe
O23 - Service: stchost.exe (moto) - Unknown owner - D:\WINDOWS\stchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

 

[PuddleJumper]

Don't forget to try control panel>add/remove programs and manually uninstall any suspicious-looking software.

 

[speedyink]

I have already done that. I got hijackthis to delete some things which I think are dangerous. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 2:56:42 AM, on 7/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\BUFFALO\Client Manager 2\bwsvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\stchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Sean\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - D:\WINDOWS\System32\zolker001.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\xp program files\office 2000\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 195.95.218.173
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120086929189
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: Buffalo Wireless Service (BWSVC) - BUFFALO INC. - D:\Program Files\BUFFALO\Client Manager 2\bwsvc.exe
O23 - Service: stchost.exe (moto) - Unknown owner - D:\WINDOWS\stchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

 

[speedyink]

I know the IP 195.95.218.173 is bad, and I know stchost is bad. When I try to get hijackthis to fix stchost it just comes right back.

D:\WINDOWS\System32\zolker001.dll

^^^^^^^^
This concerns me. Is this safe?

 

[elmarcorulz]

it doesnt look safe, id delete it

 

[Buzz1927]

Yep, it's a trojan. Download these programs.
Killbox.
Deldomains.
Unzip them to the desktop, but don't run them yet.
Copy the text in the quotebox to notepad. Save it to your desktop as type "all files" and name it remove.bat. Don't run it yet.

@ECHO OFF
sc delete moto
exit

Boot into safemode. Hit Start>run, type "services.msc" (without the quotes).
Find the service called stchost.exe (moto). Double-click it and press "stop". Then hit Properties>General and change the startup type to Disabled. Hit Apply and Ok. Then close all windows and scan with Hijackthis. Put a check next to these entries and hit "Fix Checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - D:\WINDOWS\System32\zolker001.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 195.95.218.173
O23 - Service: stchost.exe (moto) - Unknown owner - D:\WINDOWS\stchost.exe
Now run the remove.bat file. It should just flash up then disappear.
Open the Killbox. Hit Tools>Delete Temp files.
Check the "Delete on reboot" box and "Unregister.dll before deleting (don't worry if its greyed-out). Then, one at a time, copy and paste these lines into the "Full path of file to delete" box. Say no to restart now until you do the second one.
D:\WINDOWS\stchost.exe
D:\WINDOWS\System32\zolker001.dll
When back in normal mode, run the deldomains you downloaded earlier. Run Hijackthis and post the new log.

Edit: You posted the new log while I was replying, so not all the entries in Hijackthis are there.

 

[elmarcorulz]

did you get that quote from a different forum? perhaps with a quick google search?

 

[Buzz1927]

Edit : with you now, yes I checked if the file could just be killed or if something else was needed, in this case what was in the quote.

 

[speedyink]

thanks for that reply, Im gonna do that now.

 

[speedyink]

Alright, did it all, And I think its finally gone away! I opened up my browser and no stupid popups! Heres the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:48 AM, on 7/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\BUFFALO\Client Manager 2\bwsvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Sean\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120086929189
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: Buffalo Wireless Service (BWSVC) - BUFFALO INC. - D:\Program Files\BUFFALO\Client Manager 2\bwsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

 

[Buzz1927]

Yeah, looks like that did it. Couple of things, tho. Try using Firefox as suggested earlier, and you need to update Windows to at least sp1, if you can, then try sp2, if you get problems with it , remove it via Add\Remove programs. This'll close a load of security holes in windows. And you need to run an Anti-virus, AVG, Avast and AntiVir all do good, free programs.
Buzz.