Winstall.exe


5 replies to this topic

#1 littlesnuffyo

littlesnuffyo

  • Members
  • 4 posts

Posted 14 February 2006 - 07:35 PM

About every 3 weeks I get the red SpySheriff X on my toolbar. I've become quite familiar with all the removal tools (HijackThis, ewido, smitrem, etc.) and have been successful in removing the spyware each time. Does anyone have any idea why this would keep recurring? In my HijackThis log, the only "bad" file I ever find is winstall.exe. As far as I know, I am not doing anything to invite this infection (except, perhaps, visiting msnbc.com). It's just becoming a big pain, as it takes almost 2 hours to remove it every time. I just don't understand why this keeps happening over and over again. I've gotten smarter when the red X shows up and click on nothing near it, so now my background doesn't change to blue or anything. Please help!!!


#2 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • Gender:Male
  • Location:Collingwood, Ontario, Canada

Posted 14 February 2006 - 08:28 PM

Hello littlesnuffyo and welcome to BC.

Do you have a firewall? A computer with no firewall can be infected quite easily.

Another avenue of entry used by a lot of malware is the Install On Demand feature in Internet Explorer and other browsers. In case you use IE I'll leave my blurb here.

For some reason Install on demand is enabled by default in Internet Explorer causing problems such as unauthorized downloads that install without your knowledge. To protect yourself against this situation do this:

In Internet Explorer go to Tools>Internet Options>Advanced and take the check mark from Enable Install On Demand (Internet Explorer) and Enable Install On Demand (Other). The consequence of this will be that you will begin to see Security Warnings when something tries to install on your computer. Unless it is something you want to install (which happens rarely) always say no.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 February 2006 - 04:03 AM

Hi littlesnuffyo

Just to add to Leurgy's useful help, Winstall.exe is part of the smit.fraud family of infections. When you try to delete the file the infection just creates another one and shoves it in place. When you reboot you'll see it back and if you try to delete it again it will come back etc etc...
I see you have all the tools already, and that the desktop isn't hijacked. I recommend you follow the self-help removal guide for Winstall.exe found here.
If you aren't too confident doing it by yourself, just let us know and we can get a helper one on one with you.
Good luck and let us know.
David

#4 littlesnuffyo

littlesnuffyo
  • Topic Starter

  • Members
  • 4 posts

Posted 15 February 2006 - 05:23 PM

Thank you for the advice. I did what D-Trojanater suggested and it seemed to work, so I guess I'll just have to wait and see. I did find the Daily Weather Update folder with weather.exe and am wondering if I never noticed it before in my hijackthis log (which I doubt because I always checked the log very carefully). When I followed this step:
11. Delete the following, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe
C:\Program Files\Daily Weather Forecast\

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

I was unable to delete C:\Program Files\Daily Weather Forecast\. It kept saying I was unauthorized or it was forbidden or something to that effect. So in the next step, when I used HijackThis, I found the Daily Weather Forecast item and hit Fix Checked. So I am hoping that it worked.

In response to Leurgy, I do use the Windows XP firewall. I do have IE Explorer, but rarely use it since I've found Firefox to have much fewer popups and was told that IE Explorer is more susceptible to spyware infections. I did go into IE options and unchecked Enable Install On Demand (Other). The Enable Install On Demand (Internet Explorer) was already unchecked.

So anyway, thanks for the advice, and if you think something wrong might have occurred since I was unable to delete the folder in step 11, please let me know!!

#5 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 16 February 2006 - 04:00 AM

Hmmm....we won't know until you tell us whether the entry came back in the HijackThis log. Wait a few days, then check again, and if it's back then let us know. Just to confirm - you did do the deletions and HJT steps in safe mode? If you did it in normal mode you would most likely get that error when trying to delete the folder...
David

#6 littlesnuffyo

littlesnuffyo
  • Topic Starter

  • Members
  • 4 posts

Posted 16 February 2006 - 12:40 PM

No, I did not do HijackThis in safe mode because

http://www.bleepingcomputer.com/forums/t/22402/how-to-remove-spysheriff-winstallexe-spysheriffexe/

Step 8 says to reboot back to normal mode after the ewido scan completes. It then goes on in step 13 to say:

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HijackThis and press the Scan button. Place a check next to the following items, if found, and click FIX CHECKED:


O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

Close HijackThis.

I was disconnected from the internet and had no programs open when I ran HijackThis. However, I was probably connected to the internet when I tried to delete Daily Weather Forecast, so maybe that's why it wouldn't delete. My HijackThis log showed Daily Weather Forecast and I fixed it. I'll check the HijackThis log in a couple of days and see how it goes.
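The thread turns on reading the O4 autostart lines in a HijackThis log and recognising the three entries the removal guide names. The script below is an added example, not code from BleepingComputer, HijackThis or anyone in the thread: it parses O4 lines into their hive, key, value name and command, then flags entries that either contain one of the indicator strings quoted in the thread (SpySheriff, winstall.exe, Daily Weather Forecast) or point at an executable sitting directly in the drive root, as C:\winstall.exe does. The sample log is constructed; the two benign entries are typical Windows XP autostarts added for contrast, and the indicator list and root-executable heuristic are this example's own choices, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of HijackThis output (not a real log). The three
# infected O4 lines are the ones quoted in the thread; the other two are
# typical benign Windows XP autostart entries included for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre\bin\jusched.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
"""

# Indicator strings taken from the removal steps quoted in the thread
# (assumption: substring match on value name or command is good enough here).
INDICATOR_FRAGMENTS = ("spysheriff", "winstall.exe", "daily weather forecast")

# HijackThis prints O4 autostart entries as:
#   O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"
)

# A bare "<drive>:\<file>.exe" with no directory at all, as with C:\winstall.exe.
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$")


@dataclass
class O4Entry:
    hive: str   # HKLM or HKCU
    key: str    # Run, RunOnce, ...
    name: str   # registry value name shown in square brackets
    cmd: str    # command line the value points at
    raw: str    # the original log line, kept for reporting


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis line; returns None for anything that is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m["hive"], m["key"], m["name"], m["cmd"].strip(), line.strip())


def parse_log(text: str) -> List[O4Entry]:
    """Collect every O4 entry from a full log."""
    entries = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry:
            entries.append(entry)
    return entries


def classify(entry: O4Entry) -> List[str]:
    """Return the reasons an entry looks suspicious (empty list means no finding)."""
    reasons = []
    haystack = (entry.name + " " + entry.cmd).lower()
    for frag in INDICATOR_FRAGMENTS:
        if frag in haystack:
            reasons.append(f"matches indicator '{frag}'")
    if ROOT_EXE_RE.match(entry.cmd.lower()):
        reasons.append("executable in drive root")
    return reasons


def find_suspicious(text: str) -> List[Tuple[O4Entry, List[str]]]:
    """Run the checks over a whole log and keep only the flagged entries, in log order."""
    flagged = []
    for entry in parse_log(text):
        reasons = classify(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in find_suspicious(SAMPLE_LOG):
        print(entry.raw)
        for reason in reasons:
            print("    ->", reason)
```

Running it on the sample prints the three lines the guide tells the poster to Fix Checked, each with the reason it was flagged; the root-executable check is what catches C:\winstall.exe even when its value name ("Windows installer") is chosen to look like a Windows component. The same parse_log output can be saved and diffed against a later scan, which is the "check the log again in a few days" step David asks for.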
