Help with SpySheriff removal

lilhaydo · Dec 6, 2006

Hey there...

I followed all of the instructions for the removal of SpySheriff in the stickied thread. However, my antivirus is still going off. It is saying that C:\WINDOWS\system32\xxfgmy.dll is infected with adware.spysheriff. The antivirus will not delete it. It will only skip over the file and do nothing.

Any help would be greatly appreciated.

DavidGP · Dec 6, 2006

Hi

Please run through the steps outlighted in our first steps guide to removing malware as many of the Activescan items would have been removed if you had done the preliminary cleaning steps, READ & RUN ME FIRST Before Asking for Support ?

and follow up with attaching all the logs requested as these were missing, if you had issues in running any of them please tell us what they were,

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

CounterSpy

AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy

Bitdefender - from step 6

runkeys.txt - the log from GetRunKey.bat

newfiles.txt - the log from ShowNew.bat

lilhaydo · Dec 7, 2006

Sorry...I had read through that thread and it said...

"Before you start the below procedure, you may want to first check to see if your problem is covered in the Special Removal Procedures sticky thread."

So I did...but I missed the part that says...

"If it is, try that procedure first and come back here to the READ & RUN ME if necessary afterwards."

Again I apologize.

lilhaydo · Dec 7, 2006

One more

bjgarrick · Dec 8, 2006

After you complete this post, I need you to run another CounterSpy scan and this time remove the found infections do not ignore them.

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!!

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

GetRunKey

ShowNew

HJT

How are things working now?

lilhaydo · Dec 15, 2006

Sorry I was away for a few days. I thought things were working pretty well but apparently they are now.

lilhaydo · Dec 15, 2006

lilhaydo said:

Sorry I was away for a few days. I thought things were working pretty well but apparently they are now.
Click to expand...

Opps I mean not working!!

lilhaydo · Dec 15, 2006

Here is the HJT log!

bjgarrick · Dec 16, 2006

Run CCleaner, then see this thread, once complete attach the logs and we will go from there.

SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

lilhaydo · Dec 18, 2006

I don't understand why Active Scan is still picking up cookies...I ran CCleaner.
Let me know if I should post a HJT log. Thanks

bjgarrick · Dec 18, 2006

I need a fresh HJT log, also if you have multiple user accounts you will need to run CCleaner on each account.

lilhaydo · Dec 19, 2006

I keep getting this when scanning with CounterSpy even after quarantining and removing:

Trojan-Downloader.Zlob.Media-Codec

If I am not mistaken does that imply SpywareQuake or SpyFalcon?
I did those removal procedures also.

bjgarrick · Dec 20, 2006

Your HJT log looks good, reboot into Safe Mode and delete the following two files...

C:\WINDOWS\ss3unstl.exe

C:\Documents and Settings\kmitchell\My Documents\My Pictures\sinstaller.exe

Once you remove these two files, run CCleaner and then reboot back to normal mode. Let me know how things are running and if any problems remain.

lilhaydo · Dec 20, 2006

Thanks bjgarrick for all your help. I am just curious...what are the two files that you said to delete?

bjgarrick · Dec 20, 2006

lilhaydo said:

Thanks bjgarrick for all your help. I am just curious...what are the two files that you said to delete?
Click to expand...

From your Panda scan, typical adware per the log.

lilhaydo · Dec 20, 2006

Well I deleted the two files you said to and everything seems to be running fine. I ran Counterspy again and "Trojan-Downloader.Zlob.Media-Codec" was not recognized.

Once again bjgarrick, thank you so much for your help!!

bjgarrick · Dec 21, 2006

Your Welcome!

You should see this article on How to Protect yourself from malware!

Surf Safely!

Help with SpySheriff removal

lilhaydo Private E-2

Attached Files:

DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

lilhaydo Private E-2

Attached Files:

lilhaydo Private E-2

Attached Files:

bjgarrick MajorGeeks Admin - Malware Expert

lilhaydo Private E-2

Attached Files:

lilhaydo Private E-2

Attached Files:

lilhaydo Private E-2

Attached Files:

bjgarrick MajorGeeks Admin - Malware Expert

lilhaydo Private E-2

Attached Files:

bjgarrick MajorGeeks Admin - Malware Expert

lilhaydo Private E-2

Attached Files:

bjgarrick MajorGeeks Admin - Malware Expert

lilhaydo Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

lilhaydo Private E-2

bjgarrick MajorGeeks Admin - Malware Expert