Is Spysheriff gone?

The READ & RUN ME gives a link to Special Removal Procedures which contains a procedure for SpySheriff Removal. You should look at it: SpySheriff (aka SpywareNo) Removal

 

You're welcome.

Make sure you checkout the below too:

How to Protect yourself from malware!

 

If you have performed ALL of step 1 in the SpySheriff procedure, then proceed to the below.

Make sure you have booted in normal mode and follow the steps in the below to properly use HijackThis and attach your log.

Downloading, Installing, and Running HijackThis

 

What two critical hits?

What do you mean use explorer? Do you mean each time you use your Internet Explorer web browser you are having a problem? Explorer and Internet Explorer are two different executable programs.

You also have not run all the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

 

Cookies are not normally any big deal. You will always have cookies to remove even after doing minimal surfing.

It also looks like you did not run all the other tools too. I do not see Microsoft Antispyware or Spybot S&D either.

 

Did you setup the below items this way yourself?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

 

You should have told us you use and removed MS Antispyware.

The READ & RUN ME requests that you verify you are using the same versions as we indicate in our links and also check for updates. This is a good example of why. The version of Spybot you are using has not been used in a very long time. You need to follow our directions properly and install the versions of software we indicate.

I did not say all is good. I said cookies are not normally big problems. You do have other issues we need to fix. But you should be running the steps in the READ ME before we do manual cleaning. Doing manual cleaning with HJT first is not the correct way to work. Doing that can leave many bad things laying around in the registry and on your disk drive.

 

After completing the steps in the READ ME with the proper versions of software continue with the below to fix your problems if they still remain.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\windows\adtech2005.exe
C:\PROGRA~1\FELLES~1\mqwk\mqwkm.exe
C:\PROGRA~1\FELLES~1\mqwk\mqwka.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [mqwk] C:\PROGRA~1\FELLES~1\mqwk\mqwkm.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\windows\timessquare.exe
C:\windows\adtech2005.exe
C:\Program Files\FELLES~1\mqwk <--- the whole mqwk folder must be deleted

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

No problem! Yes the online scans do take a long time to run. That's because they do comprehensive checking on all files. Make sure you get all applications we recommend up to the current revision levels (check your versions against the ones shown in the links by clicking on them) and get all updates for definitions.

After you complete the READ ME and my last cleanup instructions, post the followup HJT log and let me know how things are working. I would expect them to be a lot better.

 

It was bad too. Your last log only showed the two running. Deleting the folder as directed should have deleted all instances anyway.

The below line was not in your previous log but it is in the new log:

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

Do you know what this is? If not, do the following:

I would like to get some more info on the C:\WINDOWS\SYSTEM32\WgaLogon.dll file. Locate it using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

How are things working right now?

 

Okay that file is safe. ( Where are you located? It's always nice to know!)

Your SpySheriff problems are gone. You would know if they were not! Your log is clean!

Time for you to work thru the below:

How to Protect yourself from malware!

 

Happy I could help you out from the other side of the Atlantic. Surf safely!