Need help SpySheriff virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chase8937, Jan 13, 2006.

  1. chase8937

    chase8937 Private E-2

    The other day I went online and down in the corner it says my computer is infected. The home page wants me to download spysheriff. I have tried doing everything you guys ask. My Ad ware stops at 219 process modules. Spybot takes hours and still does not finish. I could not run Microsoft antispy in safe mode.
     

    Last edited by a moderator: Jan 13, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the attached GetRunKey120.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also popup in a notepad window which you can just close. Upload the runkeys.txt file here as an attachment.

    Please upload the above runkeys.txt file now before continuing with below and then continue. If you do not do this, you will overwrite the runkeys.txt later thus losing this info.

    Now follow the steps in the below and then attach the requested smitfiles.txt log:

    SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

    After doing the above, run GetRunkey.bat a second time and upload the new runkeys.txt file. You may need to rename it to runkeys2.txt (maybe not if you are posting in a second message than the first upload).
     
  3. chase8937

    chase8937 Private E-2

    Here is the runkey.txt, and smitfiles
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have viewing of hidden and system files enabled per the READ ME.

    Use Windows Explorer and look for the below file:
    C:\WINDOWS\system32\wiatwain.dll.dll

    Does it exist? If so, please delete it. Let me know what you find.

    How are things working now?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also on more cleanup and recheck step.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    No attach a new log from GetRunKey.bat
     
  6. chase8937

    chase8937 Private E-2

    I have a quick question. I have found a file named C:\WINDOWS\system32\wiatwain.dll.
    Is this the same file as C:\WINDOWS\system32\wiatwain.dll.dll? Also did you say not to do more clean up or to do more?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's the same file. Delete it.

    My previous message had a typo in the first line. It said:
    But it should have said:
    I wanted you to do one more thing ( the registry patch).

    Also at the end:
    should be
     
  8. chase8937

    chase8937 Private E-2

    I have tried to delete the file C:\WINDOWS\system32\wiatwain.dll. But it will not let me.

    Thanks

    Matt
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run the SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal steps again but while in safe mode try to delete the file after running SmitRem (you will see that file list with many others after the HJT fix step).

    Save and attach the smitfiles.txt log again. Also run the Panda scan as indicated and attach the log.
     
  10. chase8937

    chase8937 Private E-2

    When I run the Runthis.bat, it scans, then it will clean disk. But then the icon for the cleaning disk disappears. And there is no txt file to save.
     
  11. chase8937

    chase8937 Private E-2

    I found the new smit.txt, sorry about that post
     
  12. chase8937

    chase8937 Private E-2

    My viewing of hidden and system files is enabled per the READ ME.

    I could not find this file in my HJT log.
    C:\WINDOWS\system32\wiatwain.dll.dll

    Now when I turn on my computer the home page is back to yahoo.com, but it still says Your computer is infected in the corner of the screen. I did do all the cleaning steps. The adware stops every time at 253 process. Spybot seems to run very slow.
     

    Last edited by a moderator: Jan 31, 2006
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The file is named C:\WINDOWS\system32\wiatwain.dll not C:\WINDOWS\system32\wiatwain.dll.dll (that was a typo on my part and in the original GetRunKeys program you ran). The file you need to delete does still show in your PandaScan. So you must not have enabled viewing of hidden files, system files, and extensions, otherwise you would see it. Or you just did not notice it because you were looking for wiatwain.dll.dll.

    Are you using manual procedures in Windows Explorer to find it, or are you using search? Search will not work because you did not enable options in search to look for hidden and system files. You only enabled them for Windows Explorer when you manually click to expand folders and navigate by hand to the proper location.

    Do the procedure in the below again (delete the old version of GetRunKeys that you have first):

    Using GetRunKey

    Attach the runkeys.txt log but also look at it yourself and see if down toward the bottom you see the below line:

    Spyware Strike file C:\WINDOWS\system32\wiatwain.dll found

    If you do, the file is there and you are not looking for it properly.

    You also have other items (some of which you should have removed when following the thread for SpywareStrike etc. removal). Delete all of the below:
    C:\WINDOWS\SYSTEM32\cd_clint.dll
    C:\WINDOWS\SYSTEM32\search.html
    C:\WINDOWS\dict.dat
    C:\PROGRAM FILES\MyWay <---- the whole folder
    C:\PROGRAM FILES\SpywareStrike <---- the whole folder
    C:\WINDOWS\system32\P2P Networking v123.cpl
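
The presence check discussed in the post above, as an added PowerShell example that is not part of the original thread: it tests the listed paths directly, so the result does not depend on Explorer's hidden/system-file view or on search options, and it lists every `wiatwain*` name with its full extension. The helper name `Test-ListedPath` and the output columns are assumptions made for illustration.

```powershell
# Added example, not from the thread. The paths are the ones listed in the post above.
$listed = @(
    'C:\WINDOWS\system32\wiatwain.dll',
    'C:\WINDOWS\SYSTEM32\cd_clint.dll',
    'C:\WINDOWS\SYSTEM32\search.html',
    'C:\WINDOWS\dict.dat',
    'C:\PROGRAM FILES\MyWay',
    'C:\PROGRAM FILES\SpywareStrike',
    'C:\WINDOWS\system32\P2P Networking v123.cpl'
)

function Test-ListedPath {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($p in $Path) {
        # -Force returns items that carry the Hidden or System attribute;
        # -LiteralPath prevents wildcard interpretation of the path.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Path = $p; Found = $false; Kind = $null
                               Attributes = $null; LastWriteTime = $null }
        } else {
            [pscustomobject]@{
                Path          = $item.FullName
                Found         = $true
                Kind          = $(if ($item.PSIsContainer) { 'Folder' } else { 'File' })
                Attributes    = $item.Attributes      # e.g. Hidden, System
                LastWriteTime = $item.LastWriteTime
            }
        }
    }
}

# Report on every listed path, found or not.
Test-ListedPath -Path $listed | Format-Table -AutoSize

# Show the complete file name, extension included, for anything starting with
# "wiatwain", which settles the wiatwain.dll versus wiatwain.dll.dll question.
Get-ChildItem -LiteralPath 'C:\WINDOWS\system32' -Filter 'wiatwain*' -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Attributes, Length, LastWriteTime
```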
     
