Hijacked by Spy Sheriff

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mr. Anderson, Jun 16, 2005.

  1. Mr. Anderson

    Mr. Anderson Private E-2

    My computer has fallen victim to the infamous SpySheriff. I've been trying to remove it for several days to no avail. Searching the web brought me to this forum with a thread posted by someone with the same problem. My computer is a Compaq running Windows XP with Service Pack 2 installed. I've downloaded and made a log with HijackThis, which I ran in normal start-up (non-safe). I'll attach the file below. If anyone can help with this persistent problem it'll be greatly appreciated.
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    * Download HijackThis 1.99.1

    * Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    * Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    * Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    * Run HijackThis and save your log file.

    * Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    * Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Mr. Anderson

    Mr. Anderson Private E-2

    I downloaded and ran just about everything in the link you provided and, although I did manage to remove some spyware and adware, SpySheriff is very much alive. I'm attaching my most recent HijackThis log file, done after these scans as instructed (normal boot), and here's hoping you can help me get rid of this parasite.

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. Mr. Anderson

    Mr. Anderson Private E-2

    I ran the scans and rebooted as requested. SpySheriff is still around with his desktop hijack; here is the latest HijackThis log, which was run after the scans and reboot.

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with NetGuard Lite, Information Update & Listview?


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll (file missing)

    O3 - Toolbar: (no name) - {1E00D20B-95F0-486F-A941-24FA78822319} - (no file)

    O4 - HKLM\..\Run: [61p7dq1l] C:\WINDOWS\system32\61p7dq1l.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra button: Support - {118A07BB-D11A-41D6-880B-2C8CC8A4D29B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)

    O16 - DPF: atlasbid - https://gw-r9.airline.compuserve.com/http://www.bidp1.nwa.com/atlbid_classic/atlasbid.cab
    O16 - DPF: bea - https://gw-r3.airline.compuserve.com/http://www.bidp1.nwa.com/atlasbid/bea.cab
    O16 - DPF: CTCBridge UTS - http://localhost/juts/classi/jutsi.cab
    O16 - DPF: WebConnect Pro 5.1.7 - http://localhost:2080/WebConnectDU.cab
    O16 - DPF: WebConnect Pro 6.2.9 - http://localhost:2080/WebConnectDU.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10469377076b7c4bc106/netzip/RdxIE601.cab
    O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\NewDotNet ←–– Delete this whole folder if it exists!

    C:\Program Files\SpySheriff ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\61p7dq1l.exe

    C:\WINDOWS\about.htm

    C:\winstall.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates".

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
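The fix list above is a good worked case for reading a HijackThis log: every entry bjgarrick flagged is either an orphaned registry reference ("(no file)" / "(file missing)"), an autorun pointing at a random-named binary in system32 or at the drive root, a browser setting pointing somewhere the user never chose, or an ActiveX download (O16) from a bare IP address. The Python below is an added example, not part of the thread and not a MajorGeeks or HijackThis tool; it re-parses the entries quoted in the post, applies those generic heuristics, and adds a small indicator list (SpySheriff, NewDotNet, hsremove.com, winstall.exe) taken from this thread. The two benign lines (a Synaptics touchpad autorun and the Flash ActiveX control) and the start-page allow-list are constructed here for contrast and are not from the poster's log.

```python
"""Heuristic triage of HijackThis-style log lines (added example for this thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the entries quoted in the thread above, plus two benign
# lines added here (Synaptics autorun, Flash ActiveX) for the heuristics to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll (file missing)
O3 - Toolbar: (no name) - {1E00D20B-95F0-486F-A941-24FA78822319} - (no file)
O4 - HKLM\..\Run: [61p7dq1l] C:\WINDOWS\system32\61p7dq1l.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10469377076b7c4bc106/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Indicators taken from the entries the helper listed for fixing in this thread.
KNOWN_BAD_TOKENS = ("spysheriff", "newdotnet", "hsremove.com", "winstall.exe")
# Constructed allow-list: start-page hosts that are unremarkable on a stock XP box.
DEFAULT_START_HOSTS = ("msn.com", "microsoft.com")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"Run: \[[^\]]*\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def looks_random(stem: str) -> bool:
    """Mixed letters and digits, no separators: typical of generated dropper names."""
    s = stem.lower()
    digits = sum(c.isdigit() for c in s)
    letters = sum(c.isalpha() for c in s)
    return len(s) >= 6 and digits >= 2 and letters >= 2 and re.fullmatch(r"[a-z0-9]+", s) is not None


def analyse_line(raw: str):
    """Return a Finding for one log line (reasons may be empty), or None if it is not an HJT entry."""
    m = ENTRY_RE.match(raw.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []

    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned reference: registry entry points at a file that no longer exists")
    for tok in KNOWN_BAD_TOKENS:
        if tok in low:
            reasons.append(f"matches indicator from this thread: {tok}")
            break

    if section == "O4":  # autorun entries
        rm = RUN_RE.search(body)
        if rm:
            em = EXE_RE.match(rm.group("cmd"))
            exe = em.group("exe") if em else rm.group("cmd").strip()
            parts = exe.split("\\")
            stem = parts[-1].rsplit(".", 1)[0]
            if len(parts) == 2:
                reasons.append("autorun binary sits in the drive root")
            if "system32" in (p.lower() for p in parts) and looks_random(stem):
                reasons.append("random-looking executable name in system32")

    if section in ("R0", "R1"):  # browser start/search/proxy settings
        um = URL_RE.search(body)
        if um:
            host = urlsplit(um.group(0)).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in DEFAULT_START_HOSTS):
                reasons.append(f"browser setting points at non-default host {host}")
        elif "proxyoverride" in low:
            reasons.append("proxy override set; check for an injected local proxy")

    if section == "O16":  # Downloaded Program Files (ActiveX cabs)
        um = URL_RE.search(body)
        if um:
            host = urlsplit(um.group(0)).hostname or ""
            if IPV4_RE.match(host):
                reasons.append(f"ActiveX download from bare IP address {host}")

    return Finding(section, raw.strip(), reasons)


def triage(log_text: str):
    """All entries that tripped at least one heuristic, in log order."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f and f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.line)
        for r in f.reasons:
            print("   ->", r)
```

The heuristics are deliberately coarse: an orphaned BHO is just clutter, but a random eight-character .exe in system32 started from HKLM\..\Run is the entry you would pull for a hash check first. Treat the output as a reading order for the log, not as a verdict; the benign Synaptics and Flash lines pass only because nothing about them is odd, not because they were recognised.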
  7. Mr. Anderson

    Mr. Anderson Private E-2

    Thanks bjgarrick, I recognized NetGuard Lite and Listview but not Information Update. After following your instructions SpySheriff is gone and has not revived, but my desktop still has his wallpaper hijack. When I was going through the Windows directory to delete some of the items I noticed an HTML file called desktop that has the image of the "System Stopped" message for SpySheriff. But even if I delete this, the options for setting the background in Display (the area where you select the image) are grayed out and you cannot select or edit anything. The only thing you can change is the color. Do you know what SpySheriff did and is there a way to fix it? Here's the latest log file, and thanks again for the help.

    Note: I just opened my Control Panel again and this time I'm getting a message that says "An error occurred while Windows was working with the Control Panel file C:\WINDOWS\system32.netsetup.cpl"

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, delete the files below if they exist.

    C:\WINDOWS\Web\Desktop.html

    C:\WINDOWS\Desktop.html

    C:\wp.exe

    C:\wp.bmp


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixadt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixadt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, reboot and let me know if any problems remain.
     
  9. Mr. Anderson

    Mr. Anderson Private E-2

    That fixed the problem, desktop has been restored as well as the ability to configure it. Thanks a lot for the help bjgarrick. :D
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Great:)

    Are you having any further problems?
     
  11. Mr. Anderson

    Mr. Anderson Private E-2

    It's been several days now and SpySheriff seems to be permanently gone. Desktop settings are back up and running and there do not seem to be any further problems. Once again, thanks for your help. :cool:
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

