I've Killed Spy-sheriff, May Have More Malware

3 replies to this topic

#1 D.W.Allen1


  • Members
  • 3 posts
  • Local time:02:56 PM

Posted 02 January 2006 - 06:34 PM

:thumbsup: Hello, like most others, my reason for going to your site in the first place was to try to find help in eliminating a trojan/worm on my computer. I've been reviewing past forums and instructions, and by doing so, have found success in getting rid of the Spy-Sheriff advertisement screen that would pop up upon opening my browser (IE).
I'm running Zone Alarm pro and noticed upon my first reboot that Zone Alarm warned me that an application called LEXPPS.EXE was trying to act as a server. When I denied this and saved the setting to keep it denied, everything seems fine. I can access my home page, under both identities on my PC, and never get redirected to the blue Spy-Sheriff screen. This all came after following instructions I found in the forum (downloading HijackThis, Ewido, etc.).

My computer seems to access the internet properly, but a copy of the Hijack log identifies the LEXPPS.EXE command as still being there among a few others I'm leery of.
I have already zapped the two lines noted for Spy-Sheriff removal.
I'm still a little leery about a couple of others including this LEXPPS.EXE.
When you have the time, I'd love to hear from you to see if I'm just being a little paranoid.
Thanks, you guys have really helped!!! :flowers:

P.S. I was running BHO Demon a long time ago but have since removed it.

Logfile of HijackThis v1.99.1
Scan saved at 4:11:08 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\My Downloads\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (disabled by BHODemon)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\My Downloads\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,718 posts
  • Gender:Male
  • Location:USA
  • Local time:01:56 PM

Posted 05 January 2006 - 10:40 AM

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

#3 D.W.Allen1

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:56 PM

Posted 09 January 2006 - 12:00 PM

This is what I got after running the Panda ActiveScan:

Incident | Status | Location

Adware:adware/ilookup | Not disinfected | C:\WINDOWS\SYSTEM32\poker112.ico
Adware:adware/comet | Not disinfected | C:\WINDOWS\DOWNLOADED PROGRAM FILES\dm.inf
Adware:adware/secure32 | Not disinfected | C:\secure32.html
Adware:adware program | Not disinfected | C:\WINDOWS\ss3unstl.exe
Adware:adware/beginto | Not disinfected | C:\WINDOWS\SYSTEM32\cache32_dsktptr
Spyware:spyware/searchcentrix | Not disinfected | Windows Registry
Potentially unwanted tool:application/regclean32 | Not disinfected | HKEY_CURRENT_USER\SOFTWARE\REGISTRYOPTIMIZER.COM
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\larry\Cookies\larry@atdmt[1].txt
Possible Virus. | Not disinfected | C:\Program Files\Common Files\aolshare\Coach\ACHtmfu.dll
Possible Virus. | Not disinfected | C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.dll
Possible Virus. | Not disinfected | C:\WINDOWS\SYSTEM32\ZoneLabs\zlsreupd.zip[srescan.dll]

#4 Grinler


    Lawrence Abrams

  • Admin
  • 43,718 posts
  • Gender:Male
  • Location:USA
  • Local time:01:56 PM

Posted 09 January 2006 - 12:09 PM

Delete these files:

C:\Documents and Settings\larry\Cookies\larry@atdmt[1].txt

Then download the attached file and save it to your desktop. Double-click and allow the data to be merged.
