Problem (surprise?)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Moses, Jun 15, 2005.

  1. Moses

    Moses Private E-2

    Hello fellow forumites.

    I'm sure this is going to feel like an awful clone of a message but since I don't fit into the "experienced" category I'd rather tread the road of caution than march forward blind as a mole.

    I'm having problems with the oh-so virulent Spyware Sheriff. I'm also having these files startup every time I reboot:

    own.exe
    eres.exe
    sefer.exe OR sefe.exe
    protect.exe

    they come back no matter how often I delete them (because, ya know, delete something enough it HAS to go away, right? :eek: )

    Appearing around the same time these did is a DAT in my C:\Documents and Settings\<username> file called ntuser. I've never noticed it before, and it was created at the same time as the irritants above.

    I've already extracted Hijackthis into C:\Program files\HJT.

    Thanks for any possible help!

    -Da Mose
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Moses

    Moses Private E-2

    Did all the above but had some problems.

    Ran Trend Micro's online virus scanner but couldn't clean anything. Couldn't figure out why.

    Tried Symantec scanner in safe mode but got locked out by Zone Labs. Tried in normal but keep getting message:

    Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.

    Can't get updates for about:Buster. I keep getting "error while updating" or something similar and can't figure out why. Unzipped it into my C:\Spyware stuff folder.

    Everything else worked alright.

    Turned System Restore back on to try to start all over again but all my checkpoints are gone (CCleaner?).

    It's back off now.

    -Da Mose
     
  4. Moses

    Moses Private E-2

    Sorry, it's getting late, I forgot to post the log.

    -Da Mose
     


  5. Moses

    Moses Private E-2

    I also seem to be having a problem with winpipe. It refuses to die even worse than before.

    How does secmon.exe relate to this?

    -Da Mose
     
  6. Moses

    Moses Private E-2

    Ok, my dad fiddled with my comp so I had to repeat all the steps in the basic malware protection guide just to be safe.

    Seems as if SpySheriff is gone but I can't change my desktop still, and I fear it might come back next time I start up (didn't come back this time).

    Still have an odd DAT file I've never seen before.

    Please, Chaslang, save me!

    New Hijackthis log.

    -Da Mose
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a fresh HJT log from normal mode.
     
  8. Moses

    Moses Private E-2

    New log
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wow-access.com/search/main.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wow-access.com/search/main.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wow-access.com/search/main.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-access.com/search/main.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-access.com/search/main.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.html

    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)

    O4 - HKLM\..\Run: [Software] C:\WINDOWS\System32\Software\software.exe
    O4 - HKLM\..\Run: [yijvhhdw] c:\windows\system32\yijvhhdw.exe
    O4 - HKLM\..\Run: [s7sX3Fi] nwcfat.exe
    O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
    O4 - HKLM\..\Run: [winpipe] C:\windows\system32\winpipe.exe
    O4 - HKCU\..\Run: [dw37RPGqT] nklmxs.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
    O4 - Global Startup: secmon.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O13 - DefaultPrefix: http://www.microsoet.com/start.php?url=
    O13 - WWW Prefix: http://www.microsoet.com/start.php?url=

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.finefind.net
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {379ED9F7-513C-11D1-840F-832E59556609} (SiteMenuCtrl Class) - http://www.grand-marnier.com/gmv2/download/sitemenu.dll
    O16 - DPF: {5A2E9289-9F0D-5C78-07A8-38D734E3E5B8} - http://82.179.166.72/1/rdgUS208.exe
    O16 - DPF: {7A1710C5-12FD-6DEC-111B-5A7362FB7E07} - http://82.179.166.72/1/rdgUS208.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2EF25D36-BF4C-4D6A-AB24-CF1C0F2B14E9}: NameServer = 69.50.184.84,195.225.176.37
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2EF25D36-BF4C-4D6A-AB24-CF1C0F2B14E9}: NameServer = 69.50.184.84,195.225.176.37
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2EF25D36-BF4C-4D6A-AB24-CF1C0F2B14E9}: NameServer = 69.50.184.84,195.225.176.37

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\Software ←–– Delete this whole folder if it exists!

    C:\Program Files\SpySheriff ←–– Delete this whole folder if it exists!

    C:\Program Files\AWS ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\svcnut.exe

    C:\WINDOWS\System32\winpipe.exe

    C:\WINDOWS\System32\yijvhhdw.exe

    C:\WINDOWS\notepade.exe

    C:\winstall.exe

    C:\counter.cab

    nwcfat.exe <-- Search for this file and delete when found!

    secmon.exe <-- Search for this file and delete when found!

    nklmxs.exe <-- Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
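As an added example (not code from the thread or from HijackThis), a small Python triage script for the entry classes bjgarrick checks above: it parses lines in the HijackThis log format and reports the R0/R1, O4, O13, O15, O16 and O17 entries that match the patterns in his list. The sample log lines are constructed from entries quoted in this thread; the heuristics and the expected-host and expected-DNS sets are assumptions for the example, not part of the tool.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 log format, built from entries quoted
# in this thread plus one benign R1 line pointing at www.majorgeeks.com.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.majorgeeks.com/
O4 - HKLM\..\Run: [s7sX3Fi] nwcfat.exe
O4 - HKLM\..\Run: [winpipe] C:\windows\system32\winpipe.exe
O13 - DefaultPrefix: http://www.microsoet.com/start.php?url=
O15 - Trusted Zone: *.iframe.biz
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EF25D36-BF4C-4D6A-AB24-CF1C0F2B14E9}: NameServer = 69.50.184.84,195.225.176.37
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}")


def parse_entries(log):
    """Yield (kind, body) for each entry line; header chatter is skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log, expected_hosts=frozenset({"www.majorgeeks.com"}),
           expected_dns=frozenset()):
    """Return [(kind, body, reason)] for entries worth a second look.
    expected_hosts: hosts the user really wants as IE start/search pages.
    expected_dns: resolver IPs the ISP or router hands out (empty here, so
    every O17 NameServer line is reported)."""
    findings = []
    for kind, body in parse_entries(log):
        if kind in ("R0", "R1"):
            host = (urlparse(body.split(" = ", 1)[-1].strip()).hostname or "").lower()
            if host not in expected_hosts:
                findings.append((kind, body, "IE page setting points at an unexpected host"))
        elif kind == "O4":
            # "[name] path args" for Run keys, "Global Startup: file" otherwise
            target = body.split("] ", 1)[-1] if "] " in body else body.split(": ", 1)[-1]
            if "\\" not in target:
                findings.append((kind, body, "bare file name: locate it on disk first"))
        elif kind == "O13" and body.split(": ", 1)[-1].strip() != "http://":
            findings.append((kind, body, "URL prefix override; the default is http://"))
        elif kind == "O15":
            findings.append((kind, body, "Trusted Zone change; normally absent"))
        elif kind == "O16":
            src = body.rsplit(" - ", 1)[-1].strip()
            if src.startswith("file://") or RAW_IP_URL.match(src):
                findings.append((kind, body, "ActiveX source is a local file or a raw IP"))
        elif kind == "O17":
            servers = body.split("NameServer = ", 1)[-1].split(",")
            if any(s.strip() not in expected_dns for s in servers):
                findings.append((kind, body, "DNS servers not in the expected set"))
    return findings


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {body}")
```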
     
  10. Moses

    Moses Private E-2

    Just found out that my System Restore was on as I did all this. Dad must have turned it on, or something.

    It's off again, now, but I guess some of what has been done is moot, sorry.

    Followed your instructions, though, and here's the new log, anyway.

    -Da Mose
     


  11. Moses

    Moses Private E-2

    Ok, turned off system restore and rebooted into safe mode and followed your instructions for whatever was regenerated.

    Sorry bjgarrick! Don't give up on me yet!

    New log posted.

    -Da Mose
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wow-access.com/search/main.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wow-access.com/search/main.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wow-access.com/search/main.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-access.com/search/main.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-access.com/search/main.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.html

    O4 - HKLM\..\Run: [winpipe] c:\windows\system32\winpipe.exe
    O4 - Global Startup: secmon.exe

    O13 - DefaultPrefix: http://www.microsoet.com/start.php?url=
    O13 - WWW Prefix: http://www.microsoet.com/start.php?url=

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\secmon.exe

    c:\windows\system32\winpipe.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After you complete ALL of the above, Scan with HijackThis and attach the new log.
     
  13. Moses

    Moses Private E-2

    bjgarrick,

    Followed your instructions to a "T".

    New log.

    -Da Mose
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wow-access.com/search/main.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-access.com/search/main.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.html

    O13 - DefaultPrefix: http://www.microsoet.com/start.php?url=
    O13 - WWW Prefix: http://www.microsoet.com/start.php?url=

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows and proceed with the following:

    Download Spy Sweeper 4.0.3.363 and install it.

    After you install make sure you get the updated spyware definitions. Then do a full sweep removing all infections. After you remove the infections with SpySweeper, reboot and attach a fresh HJT log.
     
  15. Moses

    Moses Private E-2

    Did as you said.

    New log.

    -Da Mose
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HJT and have it fix the below entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm


    After you fix the above entry your HJT log will be clean. Are you having any further problems?
     
  17. Moses

    Moses Private E-2

    Thanks so much, bjgarrick.

    I do actually have one more problem. Even though spysheriff is gone, my desktop background is still locked up (I just have a colored background) and I can't select any pictures to use. I tried right-clicking on my desktop and properties and "set as background" on an internet picture file, but still no luck.

    Any idea on how to fix this?

    -Da Mose
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the desktopfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Click Start > Run > type regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Look for a DWORD value called "NoChangingWallPaper"

    When located right click and delete it!



    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Should only have "NoDriveTypeAutoRun"

    Remove This Value "NoActiveDesktop"
    Remove This Value "ForceActiveDesktopOn"

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    There should only be the (default) string here

    Remove This Value NoComponents
    Remove This Value NoAddingComponents
    Remove This Value NoDeletingComponents
    Remove This Value NoEditingComponents
    Remove This Value NoHTMLWallpaper


    Now, Navigate to and delete the following file:

    C:\WINDOWS\Web\wallpaper.html


    Final Step:

    Right Click on your desktop, click properties, click the Desktop Tab, click Customize Desktop, click the Web Tab. Now, uncheck everything in this tab.

    After you have completed ALL of the above, reboot and see if problem remains!
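As an added example (not from the thread or from any tool it names), a Python audit of the Explorer and ActiveDesktop policy values listed in the post above. On Windows it reads those keys through the standard winreg module; elsewhere it runs against a constructed snapshot so the logic can be checked offline. It only reports what it finds; the values are still deleted in regedit as the post describes. The snapshot contents and the allowed-value list are assumptions for the example.

```python
import sys

POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# Per key: the value names the post above says to remove.
LOCKDOWN = {
    ("HKLM", POLICIES + r"\Explorer"): {"NoViewContextMenu"},
    ("HKCU", POLICIES + r"\Explorer"): {"NoViewContextMenu", "NoActiveDesktop", "ForceActiveDesktopOn"},
    ("HKCU", POLICIES + r"\ActiveDesktop"): {"NoChangingWallPaper", "NoComponents", "NoAddingComponents",
                                             "NoDeletingComponents", "NoEditingComponents", "NoHTMLWallpaper"},
}
# Value names the post says may legitimately stay.
ALLOWED = {("HKCU", POLICIES + r"\Explorer"): {"NoDriveTypeAutoRun"}}

# Constructed snapshot in the shape read_live() returns; values are made up
# for the example, not taken from the poster's machine.
SAMPLE_SNAPSHOT = {
    ("HKCU", POLICIES + r"\Explorer"): {"NoDriveTypeAutoRun": 0x91, "NoActiveDesktop": 1, "Classicshell": 1},
    ("HKCU", POLICIES + r"\ActiveDesktop"): {"NoChangingWallPaper": 1},
}


def audit(snapshot):
    """Return (to_remove, unexpected): lockdown values that are present, and
    other values the post did not list, which deserve a look before deleting."""
    to_remove, unexpected = [], []
    for key, bad_names in LOCKDOWN.items():
        for name, data in snapshot.get(key, {}).items():
            if name in bad_names:
                to_remove.append((key, name, data))
            elif name not in ALLOWED.get(key, set()):
                unexpected.append((key, name, data))
    return to_remove, unexpected


def read_live():
    """Read the keys above from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, subkey in LOCKDOWN:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:          # index past the last value
                        break
                    values[name] = data
                    i += 1
                snapshot[(hive, subkey)] = values
        except FileNotFoundError:            # key absent: nothing to clean there
            pass
    return snapshot


if __name__ == "__main__":
    snap = read_live() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    to_remove, unexpected = audit(snap)
    for tag, rows in (("REMOVE", to_remove), ("REVIEW", unexpected)):
        for (hive, subkey), name, data in rows:
            print(f"{tag} {hive}\\{subkey} : {name} = {data!r}")
```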
     
  19. Moses

    Moses Private E-2

    Did as you said.

    I did not find this value:

    NoViewContextMenu in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Did not find these:

    NoComponents
    NoAddingComponents
    NoDeletingComponents
    NoEditingComponents
    NoHTMLWallpaper

    in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    There were other values than default here:

    Classicshell
    NoDriveTypeAutoRun

    Did not find wallpaper.html

    I did everything else, though, and I don't seem to have any more problems.

    -Da Mose
     
  20. Moses

    Moses Private E-2

    Thanks for all your help, bjgarrick! You're truly an unsung internet Alabamian hero!

    Just out of curiosity, since you live fairly close to this state, what do you call someone from Arkansas?

    -Da Mose
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Never really thought about it..LOL!

    No further desktop problems?
     
  22. Moses

    Moses Private E-2

    Nope, I don't seem to have any more desktop issues.

    Does this mean I'm system restore-safe now?

    My friend Sean and I spent some time trying to figure out what people from Arkansas are called.

    Arkansasians?
    Arkansians?
    Arkansisinnians?
    Arkansicans?
    Arkandos?

    Meh, whatever :)

    -Da Mose
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    LOL! I don't have a clue about that one.

    Yes, you can now enable System Restore.
     
