My Desktop has been hijacked

Discussion in 'Malware Help (A Specialist Will Reply)' started by playerofgames, Dec 27, 2005.

  1. playerofgames

    playerofgames Private E-2

    I need help.

    My 'Desktop' within 'Display Properties' has been hijacked, i.e. I can't select new backgrounds, etc., as the scroll bar (within Desktop) has been disabled also.

    The infecting spyware was something called 'Spy Sherif' or 'Spysherif'. Basically it has put a 'blue wall of death' on the desktop concealing my original background, with a message in the middle saying that my computer has been infected with spyware and a trojan that came with it.

    I ran my trial version of Spyware Nuker, found the following as suspicious:

    1. C:\WINDOWS\desktop.html
    2. C:\WINDOWS\System32\paytime.exe
    3. HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run:Windows Installer

    Unfortunately Spyware Nuker could not remove them because it's only the trial version; I would have to buy the full version for this to happen.

    So, I then uninstalled Spyware Nuker and downloaded Ad-Aware and ran this instead. It found suspicious files, which it removed or quarantined; however, no restoration of my Desktop.
    I then downloaded Norton Antivirus to remove the trojan, but it didn't find a thing!

    A similar thing to this happened to me a few years back, a similar 'blue wall of death' and my Desktop being hijacked, but I was able to 'override' this by opening my background image (a .bmp file) in standard MS-Paint and selecting 'save as background.' This did not work this time however.

    What do I do? All help appreciated - I'm in a real fix here.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow the steps below:

    Run ALL the steps in this Sticky thread SpySheriff (aka SpywareNo) Removal

    • Make sure you check version numbers and get all updates.

    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
  3. playerofgames

    playerofgames Private E-2

    Many thanks for your help

    I did the following, as you recommended

    1. Went to forum where I posted the problem
    2. Clicked on recommended url 'SpySheriff Removal'.
    3. Went to Add/Remove Programs as suggested to remove SpySheriff. SpySheriff uninstalled.
    4. Suggested step to download HijackThis 1.99.1 - downloaded
    5. Did above, was directed to download Spyware Cleaner; so I downloaded it and ran it.
    6. Found 56 infecting files - I clicked on 'Remove Infections.'

    However, upon attempting 'step 6' I was presented with a message saying
    that I would have to register and pay for a copy for the infected files to be removed.
     
  4. playerofgames

    playerofgames Private E-2

    Just adding this.

    This is the file concerned; SPYSHERIFF.EXE-06C9BFD9.

    If I could remove it I am sure this would solve the problem.
    I thought I had uninstalled it, or so Windows told me, so I don't know why this is still on the system.
    Anyway, I attempted to delete it in the usual way, but Win' keeps giving me an error message saying 'Cannot delete file: Cannot read from the source file or disk'.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of the directions you were given told you to download Spyware Cleaner. Exactly what did you do, and what website were you referring to? SpywareCleaner is a rogue tool. See this list: http://www.spywarewarrior.com/rogue_anti-spyware.htm There is nothing on Majorgeeks that would recommend using this tool.

    Complete the instructions in the below link (do nothing else but what it states) and then post the smitfiles.txt log as an attachment to your next message.

    Smitfraud, SpySheriff, SpyAxe & PSGuard Removal
     
  6. playerofgames

    playerofgames Private E-2

    Many thanks...

    I'll explain. Upon going to the url suggested, there is a table entitled 'Ads by Google' with a number of 'HijackThis' links/references. I mistakenly clicked on one of these links instead of one of the links right at the top - my mistake...

    The present situation:

    1. I've uninstalled Spyware Cleaner.
    2. Via updating antivirus and anti-spyware (Norton Antivirus & Ad-Aware SE) software I managed to locate and quarantine a number of infecting files.
    3. The spyware/trojan itself, Spysheriff, has been removed and uninstalled.
    4. The blue 'background' with the black box in the centre, telling me that my PC has been infected, has been removed (Norton or Ad-Aware must have done this).
    However, the file paytime.exe is still on the system and Desktop within Display Properties has not been restored.

    Re' your last directions:

    1. I downloaded, installed and ran HijackThis as per the instructions via the 'Downloading, Installing, and Running HijackThis' link.
    2. I went to the message window of my/the thread on Majorgeeks and clicked on the Go Advanced button
    3. I scrolled down to Manage Attachments and clicked on it.
    4. I browsed for, located, and uploaded the log file 'hijackthis.log' to Majorgeeks.

    Sorry - but after step '4', I don't know...

    Nothing 'specifically' was telling me that the log file was attached, and neither was there an error message.

    Re' the point/step 'Then close that window and save your message.'

    Well I closed the window, but again, nothing specifically told me that the message was saved (and saved to where exactly anyway...).

    If you mean hijackthis.log, well that was already saved, so I'm assuming that meant 'saving it to Majorgeeks'.

    Anyway, do I now go to the next main step and download smitRem.exe and then continue with the rest of the directions?

    Incidentally, I went through this about 2 yrs ago (HijackThis, etc, etc) and it worked, so I do trust what you're telling me.
    Except, I never thought I'd have to go through this again what with two firewalls and all other precautions.

    Sorry for long message
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still not sure what you are referring to. What URL? The URLs we give do not take you to Ads by Google. They take you to other MGs pages or direct links to downloads of tools required. None of the links on MGs would give you a link showing SpywareCleaner.

    After you close the Manage Attachments window, your attachment (if it got attached) will show in the Message window in an attachment list. Then you have to Save your message itself on MGs or your message (and attachment) will not get posted.
     
    Last edited: Dec 28, 2005
  8. playerofgames

    playerofgames Private E-2

    I don't understand...

    You clearly state the following link:

    'Downloading, Installing, and Running HijackThis'.

    Well I clicked on this, which presents you with the following link at the top of the page/thread:

    Download 'HijackThis 1.99.1'.

    If you click on this, you get a list of URLs at the top of the page (MG links), but also, AT THE BOTTOM OF THE PAGE, there is a table containing a number of HijackThis links with the heading 'Ads by Google'.
    All I said was that I clicked on one of these links by mistake instead of one at the top.

    Anyway, do I now proceed to the next step and download smitRem.exe?

    As to the attachment, well I'll repeat exactly what happened - and I quote:

    Nothing 'specifically' was telling me that the log file was attached, and neither was there an error message.
    Re' the point/step 'Then close that window and save your message.'
    Well I closed the window, but again, nothing specifically told me that the message was saved (and saved to where exactly anyway...).

    Unquote.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Thanks for clearing that up. I now see what you are referring to. Instead of clicking on one of the Download links you clicked on Ads by Google. But where did SpywareCleaner come from? It is not in the Ads by Google. Perhaps you were hijacked there by the malware you have.

    Yes run the SmitRem program per the directions and post the smitfiles.txt log as an attachment.
     
  10. playerofgames

    playerofgames Private E-2

    Ok - will do that.

    However - (don't worry, I'll run SmitRem anyway), surely, there must be a way of reinstating 'Desktop' within 'Display Properties' from within Win-XP itself, no? I believe you have to do something with the registry?

    Put it this way. Would 'You-know-who & company' have to rely on HJT, anti virus/spyware/malware progs, etc, etc, none of which really work - no they wouldn't.

    They would use something within Windows itself. Probably a MS trade secret that no one knows about, right?

    You know, I've said this before to many computer professionals over the years.

    The sooner that so-called spyware is made illegal, and the sooner that MS is legally forced to tighten up the inherent security flaws within Windows (esp' I.E), the better. Then, and only then, will this nonsense be eradicated. At the moment, anti-virus/spyware soft' houses have been given a licence to print money, all courtesy of MS... LOL
     
  11. playerofgames

    playerofgames Private E-2

    The log file hijackthis.log is attached - ok.
     

    Attached Files:

  12. playerofgames

    playerofgames Private E-2

    Quote:

    Now you will need to print or save these instructions locally (to a text file on your Desktop) for later reference. This is necessary because you must not have any browsers open and must not connect to the internet while following the below steps.

    Unquote.

    What is meant by 'these instructions'?

    Do you mean the instructions in your post showing the example system scan, or is this referring to some other instructions?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not how to use quotes! Use them as given in the editor by clicking on the icon that looks something like a text message box.

    Are you referring to the directions in this link: Smitfraud, SpySheriff, SpyAxe & PSGuard Removal (you should always be more specific - don't forget I'm working on probably 50 or so threads per day).

    It means exactly what it is stating. Since you must be offline and you must have no browsers opened, you cannot be looking at the online instructions while running the procedure. Thus you must save them locally in a text file or you must print them.
     
  14. playerofgames

    playerofgames Private E-2

    I give up.

    However, this is what I've done since. I cannot be more specific than this.

    1. I printed the instructions and rebooted in Safe mode according to the
    instructions given upon clicking on the 'Safe mode' link.
    When the system rebooted my original desktop reappeared for a split second but then vanished.
    The desktop was then completely black except for 'Safe mode' at the top-left of the screen and the Start button.
    There were only two icons on the desktop; Norton antivirus and Ad-Aware anti spyware.

    2. Upon the system rebooting I made sure that all other windows were closed.

    3. I ran HijackThis and clicked on 'Do a system scan only'.

    4. None of the lines in the instructions matched those in the resulting scan, except one of them, but not completely - so I didn't check it.
    The particular line was/is:
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank.
    The one in the scan was almost identical, but it started with HKLM and not HKCU - so again, I didn't check it. Something tells me I should...

    5. I didn't click the Fix button for the above reason, so just closed HijackThis.

    6. The next instruction to open the smitRem folder, and then run RunThis.bat, could not be done because the smitRem folder was not showing on the Desktop in Safe mode.

    7. I rebooted as instructed into normal mode.

    My original desktop still did not reappear, but I expected this.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you login to safe mode which user account is it?

    And which user account were you logged into when you downloaded the SmitRem program to the Desktop?

    The accounts need to be the same otherwise the Desktops are not the same.

    Have you uninstalled SpywareCleaner yet? If not then please uninstall it now. If there is no uninstall then have HJT fix the below line:
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot

    And delete the C:\Program Files\Spyware Cleaner folder!

    Then please attach a current HJT log from normal boot mode.
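    The O4 line chaslang asks HJT to fix above, and the HKLM-versus-HKCU mismatch the poster ran into in post 14, can both be triaged mechanically. The following Python is an added example, not a MajorGeeks or HijackThis tool: it parses constructed HijackThis-format lines and flags the Run entries and IE setting named in this thread, matching on the key and value regardless of which hive they appear under. The sample log, SUSPECT_IMAGES and SUSPECT_IE are assumptions built from values quoted in the thread.

```python
import os
import re
from typing import List, NamedTuple

# Constructed sample in HijackThis log format; not a real log from the thread.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
O4 - HKLM\\..\\Run: [Windows Installer] C:\\WINDOWS\\System32\\paytime.exe
O4 - HKCU\\..\\Run: [Spyware Cleaner] "C:\\Program Files\\Spyware Cleaner\\SpywareCleaner.Exe" /boot
O4 - HKLM\\..\\Run: [ExampleBenign] "C:\\Program Files\\Example\\app.exe" /quiet
"""

# Image names the thread identifies as part of the infection (hypothetical indicator list).
SUSPECT_IMAGES = {"paytime.exe", "spywarecleaner.exe"}
# IE setting the removal guide quoted in the thread tells the user to fix, keyed without the hive.
SUSPECT_IE = {("Software\\Microsoft\\Internet Explorer\\Main", "Default_Page_URL", "about:blank")}

# O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# R0/R1 - <hive>\<key>,<value> = <data>
R_RE = re.compile(r"^(R[01]) - (HKLM|HKCU)\\(.+?),(\w+) = (.*)$")

class Finding(NamedTuple):
    line: str
    hive: str
    reason: str

def image_name(command: str) -> str:
    """Return the lower-cased executable file name from a Run command, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    return os.path.basename(path.replace("\\", "/")).lower()

def triage(log_text: str) -> List[Finding]:
    """Flag O4 and R0/R1 lines matching the indicators; the hive is reported, not matched on."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, _key, name, command = m.groups()
            img = image_name(command)
            if img in SUSPECT_IMAGES:
                findings.append(Finding(line, hive, f"Run entry [{name}] launches {img}"))
            continue
        m = R_RE.match(line)
        if m:
            _sect, hive, key, value, data = m.groups()
            if (key, value, data.strip()) in SUSPECT_IE:
                findings.append(Finding(line, hive, f"{value} is set to {data.strip()}"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive}: {f.reason}")
```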
     
  16. playerofgames

    playerofgames Private E-2

    Many thanks...

    The instructions say to log into Safe mode as Administrator, or under Administrator account, which is what I did.

    There was some slight confusion here, however.

    When the system rebooted into Safe mode (after running msconfig > BOOT.INI > /safeboot), I was presented with two login-ID icons, one above the other.

    The first icon was called Administrator (I am also the administrator, although I have never logged in this way).
    The second icon below this was my usual one. But because the instructions say to log into Safe mode as Administrator, I clicked on the Administrator icon and entered my usual ID (the same one used for the usual login).
    The login process as such worked ok.

    The account I was in (the same one that I am always in) when I downloaded SmitRem to the desktop, was the normal one.

    The accounts are not the same, but how can they be the same? I do not understand. Again, the instructions state to reboot into Safe mode as Administrator, but I do not normally boot-up as Administrator.

    SpywareCleaner has been properly uninstalled via Add/Remove Programs.

    You asked me to attach a HJT log previously, which I did. Do you now want an additional log (it will be exactly the same)?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to have access to the smitrem folder, so just put it somewhere that you can locate it in either normal or safe mode and no matter what account you log into. Try c:\SmitRem instead of putting it on your Desktop. But which instructions are you referring to about logging into the Administrator account? I did not post that.

    The HJT log would not be the same after running SmitRem again and also after uninstalling SpywareCleaner.

    Until you get SmitRem run in safe mode, we cannot proceed further. I'm not exactly sure where the confusion is since dozens of users are running this per week with no problem.
     
  18. playerofgames

    playerofgames Private E-2

    Look. I have tried to be polite about this.

    However, the instructions I am referring to are the ones that you get to if you click on the 'Safe mode' link given on your post dated 10/05/05!

    If you click on this link, you are then told to click on another link for Win-XP. You are then told that you must login as Administrator to reboot into Safe mode.

    However, it turns out that my normal account and the administrator account are one and the same thing.

    So, I rebooted again into Safe mode, only this time I clicked on the usual icon and not the administrator icon.

    All my desktop icons were present including smitRem, although the desktop itself was black/blanked out.

    I did another HijackThis log, but it is exactly the same as before; the one that I've already sent to MG as an attachment.

    As said before, I have uninstalled Spyware cleaner.

    Whatever, I will now run smitRem and then do another log, after of course rebooting into Safe mode.
     
  19. playerofgames

    playerofgames Private E-2

    It seems that I have my original background/Desktop back... Eureka!

    I owe you a great deal.

    This is what happened: I opened the smitRem folder after rebooting into Safe mode and ran RunThis.bat.
    The log file smitfiles.txt was created, which I've located.
    I then, as per the printed instructions, went to Control Panel > Display > Desktop > Web and checked for Security Info; Warning Message; Security Desktop & Warning Homepage. None of these were present so I didn't have to uncheck anything.
    I then rebooted into normal mode and logged in as usual. I do not have (I checked for it via Start > Search) Panda ActiveScan however, so didn't do anything here.
    Instead I went straight back to Desktop within Display Properties, and reselected my original background. Straight away, even before returning to the desktop, I knew that it had been reinstated, i.e. everything was working as normal in Desktop.
    I then returned to the Desktop and there was my original background.

    So once again, I owe you a great deal.

    The smitfiles.txt log is attached - again, don't know about Panda ActiveScan.

    Considering that I have an active firewall via SP2, and always upgrade my antivirus & anti-spyware, plus take all other precautions that I know of, how can I prevent this from happening again? But at least next time I'll know what to do.
     

    Attached Files:

