Another SpywareSherrif

Discussion in 'Malware Help (A Specialist Will Reply)' started by grantman18, Jun 17, 2005.

  1. grantman18

    grantman18 Private E-2

    Re: SpywareSherrif

    Hi BJ,

    I just recently was infected with SpySheriff and I cannot get rid of it. I have saved a log from HijackThis; I will attach it to my post. I really would appreciate it if you could help me get rid of this. When I reboot, SpySheriff reappears and I cannot change the desktop.

    Thank you,

    Andrew
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: SpywareSherrif

    grantman18,

    From now on please create a new thread for your problem instead of posting in someone else's. I have created a new thread for you this time so please post in here from now on.


    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. grantman18

    grantman18 Private E-2

    Hi, it's Andrew again. I completed all of the recommended tests and checks, and it successfully removed SpySheriff, but I still cannot access my desktop. When Windows initially loads I see my normal desktop background, but after a few minutes it reverts back to the blue screen that came with SpySheriff and I cannot change it in the Display Properties. Attached is my log file.

    Thanks a lot,

    Andrew Grant
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Daily Weather Forecast

    PSGuard


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm (file missing)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm (file missing)

    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} - http://www.funnytaf.com/fun/installer/Install.cab

    O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they still remain:

    C:\Program Files\Daily Weather Forecast ←–– Delete this whole folder if it exists!

    C:\Program Files\SpySheriff ←–– Delete this whole folder if it exists!

    C:\Program Files\PSGuard ←–– Delete this whole folder if it exists!

    C:\winstall.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates".

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
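    The entries bjgarrick lists above fall into a few recognizable shapes: references whose target file is gone ("(no file)", "(file missing)"), autoruns that launch from the drive root, autoruns for the rogue products named in this thread, and an ActiveX download (O16) from an unfamiliar host. The script below, added here as an example and not code from the thread or from HijackThis, triages a HijackThis log along those lines. Its heuristics, the ROGUE_NAMES set and the TRUSTED_DPF_DOMAINS list are assumptions of this example; the sample log lines are constructed from the entries quoted above.

```python
"""Triage HijackThis log entries for the kinds of items fixed in this thread.

Added example: not code from the thread or from HijackThis. The heuristics
below are assumptions of this example, not HijackThis's own rules, and the
sample log lines are constructed from the O-entries quoted in the thread.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the entries bjgarrick asked to fix.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} - http://www.funnytaf.com/fun/installer/Install.cab
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe (file missing)
"""

# HijackThis marks entries whose target is gone with one of these suffixes.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Programs the thread identified as rogue/adware (assumption: treat as known-bad).
ROGUE_NAMES = {"spysheriff", "psguard", "daily weather forecast"}
# Hosts from which an O16 ActiveX download is considered expected (assumption).
TRUSTED_DPF_DOMAINS = ("microsoft.com", "windowsupdate.com")

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def _launches_from_drive_root(cmd: str) -> bool:
    """True for a file sitting directly under a drive root (drive letter, colon,
    one backslash, one path component): an unusual place for a legitimate
    autorun target."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", cmd.strip().strip('"')) is not None


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a heuristic."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line, or something that is not an O-entry
        kind, rest = m.groups()
        if rest.endswith(ORPHAN_MARKERS):
            findings.append(Finding(kind, "orphaned entry: target file no longer exists", line))
            continue
        if kind == "O4":
            m4 = O4_RE.match(rest)
            if m4 is None:
                continue
            name, cmd = m4.group("name"), m4.group("cmd")
            if _launches_from_drive_root(cmd):
                findings.append(Finding(kind, "autorun launches from the drive root", line))
            elif name.lower() in ROGUE_NAMES:
                findings.append(Finding(kind, "autorun for a program the thread identified as rogue", line))
        elif kind == "O16":
            url = rest.split(" - ")[-1].strip()
            host = urlparse(url).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
                findings.append(Finding(kind, f"ActiveX download from untrusted host {host!r}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

    Every one of the seven sample lines is flagged, but note which rule catches each: the Belkin service and the PartyPoker buttons are caught only because their files are missing (they are leftovers, not malware), while the SpySheriff and weather autoruns are caught by name and C:\winstall.exe by its location. A real log is mostly legitimate entries, so the output is a worklist to review, not a list of things to delete blindly.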
     
  5. grantman18

    grantman18 Private E-2

    Hi, it's Andrew again. I did all of the tasks, and it changed my background somewhat for a second when I rebooted, and then the SpySheriff desktop came back. Also, when I reboot Windows, I get a warning message. Attached is the new log file.

    Thanks
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixadt.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixadt.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say Yes.
    After you complete the above, reboot and let me know if any problems remain.
     
  7. grantman18

    grantman18 Private E-2

    Hi, I merged that text with the registry. I have no problem with SpySheriff anymore, but I cannot change my desktop picture. The desktop is always a solid color and it cannot be changed.

    Thanks, attached is a new HJT log file.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Some of these items may not appear; just go through and remove any you see listed.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the desktopfix.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Click Start > Run > type regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Look for a DWORD value called "NoChangingWallPaper"

    When located right click and delete it!



    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    This key should only have "NoDriveTypeAutoRun".

    Remove This Value "NoActiveDesktop"
    Remove This Value "ForceActiveDesktopOn"

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    There should only be the (default) string here.

    Remove This Value NoComponents
    Remove This Value NoAddingComponents
    Remove This Value NoDeletingComponents
    Remove This Value NoEditingComponents
    Remove This Value NoHTMLWallpaper


    Now, Navigate to and delete the following file:

    C:\WINDOWS\Web\wallpaper.html


    Final Step:

    Right Click on your desktop, click properties, click the Desktop Tab, click Customize Desktop, click the Web Tab. Now, uncheck everything in this tab.

    After you have completed ALL of the above, reboot and see if problem remains!
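    The registry part of the procedure above is a policy lockdown: values under the Explorer and ActiveDesktop Policies keys that stop the user from changing the wallpaper or the desktop components, which is why the desktop kept reverting. The script below is an added example, not code from the thread and not the contents of the desktopfix.reg bjgarrick posted (those are not on this page). It parses a .reg export of those keys, reports which of the values named above are present, and writes a .reg file that deletes exactly those values using the `"Name"=-` deletion syntax, leaving NoDriveTypeAutoRun and the (default) string alone as the post requires. The sample export is constructed; the RESTRICTIVE table is taken from the value names in the post.

```python
"""Audit a .reg export of the Explorer/ActiveDesktop Policies keys and build
a .reg that deletes the desktop-lockdown values listed in this thread.

Added example: not code from the thread and not the contents of the
desktopfix.reg posted there. The sample export below is constructed; the
value names in RESTRICTIVE come from the thread.
"""

# Key path -> value names the thread says should not be present there.
RESTRICTIVE = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoViewContextMenu"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoViewContextMenu", "NoActiveDesktop", "ForceActiveDesktopOn"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop":
        {"NoChangingWallPaper", "NoComponents", "NoAddingComponents",
         "NoDeletingComponents", "NoEditingComponents", "NoHTMLWallpaper"},
}

# Constructed sample of what an export of these keys might look like on the
# infected machine. NoDriveTypeAutoRun is a normal value and must survive.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000001
"NoViewContextMenu"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
@=""
"NoChangingWallPaper"=dword:00000001
"NoHTMLWallpaper"=dword:00000001
"""


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse .reg text into {key path: {value name: raw data}}.
    The default value (written as @=...) is stored under the name "(default)"."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        keys[current][name] = data
    return keys


def find_restrictions(keys: dict[str, dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (key, value name, raw data) for every lockdown value present.
    Registry key and value names are case-insensitive, so compare lowercased."""
    by_lower = {k.lower(): names for k, names in RESTRICTIVE.items()}
    hits = []
    for key, values in keys.items():
        wanted = by_lower.get(key.lower())
        if not wanted:
            continue
        wanted_lower = {w.lower() for w in wanted}
        for name, data in values.items():
            if name.lower() in wanted_lower:
                hits.append((key, name, data))
    return hits


def removal_reg(hits: list[tuple[str, str, str]]) -> str:
    """Build .reg text that deletes only the flagged values ("Name"=- syntax)."""
    by_key: dict[str, list[str]] = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)  # "=-" removes the value on merge
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_restrictions(parse_reg(SAMPLE_EXPORT))
    for key, name, data in found:
        print(f"{name} = {data}  in  {key}")
    print(removal_reg(found))
```

    A real export made with regedit is UTF-16 with a BOM, so read it with `open(path, encoding="utf-16")` before passing it to `parse_reg`. The generated file is merged the same way the post describes for desktopfix.reg; because it only ever emits `"Name"=-` lines for values in RESTRICTIVE, it cannot touch NoDriveTypeAutoRun or anything else under those keys.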
     
  9. grantman18

    grantman18 Private E-2

    I can't thank you enough, it looks like it worked. What should I do for regular maintenance, just Spybot and Ad-Aware?

    Thanks again,

    Andrew
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  11. grantman18

    grantman18 Private E-2

    I actually have noticed one small difference in my computer since the spyware hit: the text under my desktop icons has a background behind it, in the default gray, and I can't figure out how to get it back to the way it was (no background behind the text). If you could help that would be great, thanks.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you take a snapshot of it and attach it to your post?

    Taking Screenshots Thread
     
  13. grantman18

    grantman18 Private E-2

    Here is the screenshot, thanks.
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I thought you meant a desktop hijack, this is an easy task.

    Right-click on your desktop, select Properties, select the Appearance tab. Click Effects and uncheck the option "Show shadows under menus".

    If this doesn't work, let me know!
     
  15. grantman18

    grantman18 Private E-2

    The problem with my desktop is a result of the SpySheriff virus. Changing the shadowed menu option didn't do anything. The icons always look as if they're highlighted. Thanks

    Andrew
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  17. grantman18

    grantman18 Private E-2

    Thanks, you guys are awesome.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Can we assume that means everything is OK now?
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The image you attached shows no sign of this hijacker. I don't see anything abnormal in this image.

    As Chaslang asked, is everything ok now?
     
