Need help with Spysheriff. Won't let me do last step.

Discussion in 'Malware Help (A Specialist Will Reply)' started by venomfrogg, Aug 26, 2005.

  1. venomfrogg

    venomfrogg Private E-2

    I have completed all steps in your help thread except the last one about the registry. When I try to add to the registry it says that it is not valid.

    Quote:
    SpySheriff (also known as SpywareNo) Removal

    If you are among the hundreds of lucky people who have somehow been infected with this malware, try the steps below and let us know the results.

    1) Make sure you have run all the Steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    2) Open Control Panel and select Add/Remove programs. Look for SpySheriff and uninstall if found.

    3) Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    4) Now Run HijackThis and select Do a system scan only. Look for the below lines (you may not always find both of them) and select them but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    After clicking Fix, exit HJT.

    5) Boot into safe mode and use Windows Explorer to delete (if found):
    C:\winstall.exe
    C:\WINDOWS\Web\wallpaper.html
    C:\WINDOWS\Web\desktop.html
    C:\Windows\Desktop.html
    C:\wp.exe
    C:\wp.bmp
    C:\Program Files\SpySheriff <--- the whole folder
    C:\Documents and Settings\username\Start Menu\Programs\SpySheriff <-whole folder
    C:\Documents and Settings\username\Application Data\Install.dat

    Note: replace username with the actual user name for the account you are cleaning. Like C:\Documents and Settings\chaslang\Start Menu\Programs\SpySheriff


    6) Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    7) Now reboot in normal mode and continue with the below.

    8) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixadt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixadt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Quote:

    REGEDIT4

    [HKEY_CURRENT_USER\Control Panel\Desktop]
    "Wallpaper"=-
    "WallpaperStyle"=-

    [HKEY_CURRENT_USER\Control Panel\Colors]
    "Background"="0 78 152"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
    "NoChangingWallPaper"=-
    "NoComponents"=-
    "NoAddingComponents"=-
    "NoDeletingComponents"=-
    "NoEditingComponents"=-
    "NoHTMLWallpaper"=-

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoViewContextMenu"=-
    "NoActiveDesktop"=-
    "NoActiveDesktopChanges"=-
    "ForceActiveDesktopOn"=-
    "NoSaveSettings"=dword:00000000
    "ClassicShell"=dword:00000000
    "NoThemesTab"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "NoDispAppearancePage"=-
    "Wallpaper"=-
    "WallpaperStyle"=-
    "NoDispBackgroundPage"=-

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
    "ThemeActive"="1"
    "DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
    00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
    6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
    00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
    "WallpaperFileTime"=-
    "WallpaperLocalFileTime"=-

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoViewContextMenu"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "notepad.exe"=-
    "notepad2.exe"=-
    "winlogon.exe"=-
    "paint.exe"=-

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
    "CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
    ""="http://home.microsoft.com/access/autosearch.asp?p=%s"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
    "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar"="http://search.msn.com/spbasic.htm"
    "Use Custom Search URL"= dword:00000000
    "Use Search Asst"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]
    [-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
    [-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]
    [-HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]
    [-HKEY_CLASSES_ROOT\CLSID\VMHomepage]
    [-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]
    [-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]
    [-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]
    [-HKEY_CLASSES_ROOT\VMHomepage]
    [-HKEY_CLASSES_ROOT\VMHomepage.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Intel system tool"=-
    "WindowsFZ"=-



    9) Reboot your system and check to see how things are working. If still having problems, create a thread indicating you have followed all the steps in the SpySheriff Removal sticky and post your current HijackThis log as an attachment only.




    Here is my Hijackthis log:

    Edit by chaslang: Unrequested inline log removed


    I have done every step.. and now my desktop is white which I guess is a good thing. It just will not let me complete the last step. I am using Windows XP. Am I doing something wrong? I am following the registry instructions exactly. I'm sorry.. I feel so stupid, but I have never done this before.

    Dammit.. first time to the forums. I posted this in the wrong place didn't I?
     
    Last edited by a moderator: Aug 26, 2005
  2. venomfrogg

    venomfrogg Private E-2

    I'm sorry. I didn't add my Hijack this log as an attachment. I feel like a stupid noob... I tried to edit but time was up. Sorry.
     
  3. venomfrogg

    venomfrogg Private E-2

    Ok.. I figured out what was wrong.. why it wouldn't let me add it. Problem fixed. Thanks for all of your guys help. The "SpySheriff" thread I mean. IT WORKED!!!!! Delete this thread if you want to. I am sorry for wasting your time.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We do not delete threads! Happy to hear it worked for you. In the future do not post HJT logs unless requested and then they must be attachments. I would also recommend not quoting (which was not done correctly) a whole sticky thread like that. Just refer to the thread like this: SpySheriff (aka SpywareNo) Removal
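
Added example, not part of the original thread or the sticky: a small Python check that parses a REGEDIT4-style file such as fixadt.reg before it is merged, flags lines that do not fit the expected `"name"=data` form, and lists which keys and values the file would delete or set. The grammar it accepts and the names `lint_reg` and `SAMPLE` are assumptions made for this example, and the sample input is constructed.

```python
import re

# Assumed grammar: header, [key] / [-key], "name"=- | "string" | dword: | hex:
HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
KEY = re.compile(r'\[(-?)(HKEY_[^\]]+)\]')
VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)')
DATA = re.compile(r'-|"(?:[^"\\]|\\.)*"|dword:[0-9a-fA-F]{8}|hex(?:\(\w+\))?:[0-9a-fA-F,]*')

def lint_reg(text):
    """Return syntax errors plus what the file would delete or set."""
    report = {"errors": [], "delete_keys": [], "delete_values": [], "set_values": []}
    first = next((l.strip() for l in text.splitlines() if l.strip()), "")
    if first not in HEADERS:
        report["errors"].append((1, "missing or unknown header"))
    key, pending, start = None, "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()       # join a continued hex value
        start = start if pending else no   # report the line where the value began
        if line.endswith("\\"):            # trailing backslash: value continues
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith(";") or line in HEADERS:
            continue
        m = KEY.fullmatch(line)
        if m:
            key = None if m.group(1) else m.group(2)
            if m.group(1):                 # [-KEY] removes the whole key
                report["delete_keys"].append(m.group(2))
            continue
        m = VALUE.fullmatch(line)
        if not m or key is None or not DATA.fullmatch(m.group(2)):
            report["errors"].append((start, line))
            continue
        bucket = "delete_values" if m.group(2) == "-" else "set_values"
        report[bucket].append((key, m.group(1).strip('"')))
    return report

# Constructed sample in the style of fixadt.reg; the last line is malformed.
SAMPLE = r"""REGEDIT4
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"DllName"=hex(2):25,00,53,00,\
79,00,00,00
[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
"""
```

Calling `lint_reg(SAMPLE)` reports the doubled-name line as an error with its line number and leaves the well-formed entries in the delete and set lists for review.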
     
