Need help with Spysheriff

Discussion in 'Malware Help (A Specialist Will Reply)' started by na13sh, Jun 18, 2005.

  1. na13sh

    na13sh Private E-2

    Hello. I have somehow obtained the infamous Spysheriff program. I went through all the steps under the "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal" section. Unfortunately that didn't get rid of it. I have attached my Hijack This log. Any help you can give will be greatly appreciated. Thanks.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start by running these online scans:

    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan
    Panda Online Scan

    After you complete these online scans reboot and post a fresh HJT log.
     
  3. na13sh

    na13sh Private E-2

    Ok, I went ahead and did the RavAntivirus, TrojanScan, and Panda Online Scan. I tried to do the Bitdefender scan but it gave me this message when I tried to run it: "This website is not authorized to host this ActiveX control. Please contact the webmaster of this web site, or report to Bit Defender at the email address: scanonline@bitdefender.com". After running the RavAntivirus scan it found no infections, but 2 suspicious files. After running the TrojanScan, it found 2 Malwares. After running the Panda Online Scan, it found 27 infections. They don't seem to have gotten rid of Spysheriff though. Previously, whenever I have tried to remove it through Add/Remove Programs or AdAware, it seems to get rid of it, but whenever I restart my computer, it's back again. Anyway, I attached my new Hijack This log as well as the list of infections the Panda Online Scan found. Lemme know what to try next. Thanks.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: HyperSearchHook - {A5B043E9-9F2C-43B7-8662-29E68EC4D9DA} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll

    O2 - BHO: (no name) - {CCCA297C-86C2-98E6-2C79-3AC2A5C0B427} - C:\DOCUME~1\JOHNPO~1\APPLIC~1\Interrdr\mealabout.exe
    O2 - BHO: (no name) - {D02C02BC-CF07-EBD9-7832-9FECA9E64AC0} - C:\WINDOWS\system32\nfqipkaa.dll (file missing)
    O3 - Toolbar: Startnow - {1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll (file missing)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

    O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
    O4 - HKLM\..\Run: [burn file info pure] C:\Documents and Settings\All Users\Application Data\Mfcdkeepburnfile\logo eggs.exe
    O4 - HKCU\..\Run: [warez] "D:\Programs\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [DateThat] C:\DOCUME~1\JOHNPO~1\APPLIC~1\THUNKA~1\stupidpeak.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Party Poker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\Party Poker\PartyPoker.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they still remain:

    C:\Program Files\SpySheriff <-- Delete this whole folder if it exists!

    C:\Program Files\MyWay <-- Delete this whole folder if it exists!

    C:\Program Files\AWS <-- Delete this whole folder if it exists!

    C:\Program Files\Parallel Tasking <-- Delete this whole folder if it exists!

    C:\Program Files\Common Files\Hyperbar <-- Delete this whole folder if it exists!

    C:\Documents and Settings\John Polyson\Application Data\thunk audio ball <-- Delete this whole folder if it exists!

    C:\Documents and Settings\John Polyson\Application Data\Interrdr <-- Delete this whole folder if it exists!

    C:\Documents and Settings\All Users\Application Data\Mfcdkeepburnfile <-- Delete this whole folder if it exists!

    C:\WINDOWS\about.htm

    C:\winstall.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
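To show how the HijackThis entries in the fix list above get picked out, here is an added example (not HijackThis's own code and not bjgarrick's): a small Python parser for HJT log lines with heuristics that surface the patterns the fix list relies on, namely "(file missing)" orphans, unnamed BHOs, executables launched from outside Program Files or Windows, the rogue SpySheriff name, and IE start/search pages pointed at a third-party host. The sample lines are taken from the entries quoted in the post; the trusted-directory list, the default-host list and the blank.htm Local Page default are assumptions of this example.

```python
"""Parse HijackThis log lines and flag the patterns a malware helper looks
for: orphaned "(file missing)" entries, unnamed BHOs, executables living
outside Program Files/Windows, known rogue anti-spyware names, and IE
start/search pages pointed at a third-party host.  The heuristics and the
trusted/default lists are assumptions of this example, not HJT's logic."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive- or %var%-rooted path ending in an executable/HTML extension.
EXE_RE = re.compile(
    r"(?P<exe>(?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|com|scr|bat|cmd|htm|html))(?=$|[\s\"])",
    re.IGNORECASE,
)

TRUSTED_DIRS = ("C:\\PROGRAM FILES\\", "C:\\WINDOWS\\", "%WINDIR%\\")      # assumption
DEFAULT_IE_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}  # assumption
KNOWN_ROGUE = {"SPYSHERIFF"}                 # rogue anti-spyware named in this thread
DEFAULT_LOCAL_PAGE = "\\SYSTEM32\\BLANK.HTM"  # assumed XP default for IE "Local Page"


@dataclass
class HjtEntry:
    code: str
    body: str
    clsid: str = ""
    path: str = ""
    file_missing: bool = False
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an HjtEntry for one log line, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = HjtEntry(m["code"], m["body"])
    c = CLSID_RE.search(e.body)
    e.clsid = c.group(0).upper() if c else ""
    e.file_missing = "(file missing)" in e.body
    x = EXE_RE.search(e.body)
    e.path = x["exe"] if x else ""
    return e


def assess(e):
    """Attach human-readable flags; an entry with no flags is left alone."""
    if e.file_missing:
        e.flags.append("orphaned: target file missing")
    if e.code == "O2" and "(no name)" in e.body:
        e.flags.append("unnamed BHO")
    if e.path:
        up = e.path.upper()
        if not up.startswith(TRUSTED_DIRS):
            e.flags.append("executable outside Program Files/Windows")
        if any(name in up for name in KNOWN_ROGUE):
            e.flags.append("known rogue anti-spyware")
    if e.code in ("R0", "R1"):
        _, sep, value = e.body.partition(" = ")
        value = value.strip()
        host = urlparse(value).hostname if sep else None
        if host and host not in DEFAULT_IE_HOSTS:
            e.flags.append(f"IE start/search URL points to {host}")
        if "Local Page" in e.body and sep and not value.upper().endswith(DEFAULT_LOCAL_PAGE):
            e.flags.append("IE Local Page overridden")
    return e


def triage(log_text):
    """Parse every entry line of a log and assess it."""
    return [assess(e) for e in map(parse_line, log_text.splitlines()) if e]


def to_fix(log_text):
    """Only the entries that picked up at least one flag."""
    return [e for e in triage(log_text) if e.flags]


# Entries quoted from the post above (not a complete log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {CCCA297C-86C2-98E6-2C79-3AC2A5C0B427} - C:\DOCUME~1\JOHNPO~1\APPLIC~1\Interrdr\mealabout.exe
O2 - BHO: (no name) - {D02C02BC-CF07-EBD9-7832-9FECA9E64AC0} - C:\WINDOWS\system32\nfqipkaa.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKCU\..\Run: [warez] "D:\Programs\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

if __name__ == "__main__":
    for e in to_fix(SAMPLE_LOG):
        print(f"{e.code:3} {'; '.join(e.flags):60} {e.body[:60]}")
```

The rules are a triage aid, not a verdict: they leave the AOL toolbar line alone even though bjgarrick chose to fix it, and they would flag a legitimately installed program that a user runs from a non-standard drive. A human still decides what goes in the Fix list.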
  5. na13sh

    na13sh Private E-2

    Awesome! Looks like that got rid of the lil' bastard. Only thing is my wallpaper is still blue with that warning sign on it that says "System Stopped. System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed." The blue screen first appeared when the Spysheriff program came onto my computer. Any idea how to get it off there? I attached my Hijack This log. Thanks for all your help so far. You rule.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixadt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixadt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    After you complete the above reboot and let me know what problems, if any, remain.
     
  7. na13sh

    na13sh Private E-2

    Hmmm...doesn't look like it worked. The blue screen of death is still there. Attached my Hijack This Log.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Are you having any desktop problems?

    Also, what does the BSOD say?
     
  9. na13sh

    na13sh Private E-2

    I'm not really sure if it classifies as a desktop problem. All I know is that as soon as Spysheriff got installed, my wallpaper on my desktop changed to this blue screen with a black sign in the middle that reads "System Stopped" etc. I tried going into Display under the Control Panel and changing my wallpaper, but it won't let me select any of the wallpapers...it's like it's locked or something. All I can change is the color. What does BSOD mean?
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Blue Screen of Death. I think you're talking about your wallpaper being the blue screen, correct? If so, this isn't a BSOD, that's a desktop hijack. A real BSOD either shuts your computer off or reboots it.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the desktopfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Click Start > Run > type regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Look for a DWORD value called "NoChangingWallPaper"

    When located right click and delete it!



    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Should only have "NoDriveTypeAutoRun"

    Remove This Value "NoActiveDesktop"
    Remove This Value "ForceActiveDesktopOn"

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    There should only be the (default) string here

    Remove This Value NoComponents
    Remove This Value NoAddingComponents
    Remove This Value NoDeletingComponents
    Remove This Value NoEditingComponents
    Remove This Value NoHTMLWallpaper


    Now, navigate to and delete the following files:

    C:\WINDOWS\Web\wallpaper.html

    C:\wp.exe

    C:\wp.bmp


    Final Step:

    Right Click on your desktop, click properties, click the Desktop Tab, click Customize Desktop, click the Web Tab. Now, uncheck everything in this tab.

    After you have completed ALL of the above, reboot and see if problem remains!
     
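The manual regedit steps above remove a set of Explorer and Active Desktop policy values that the hijack set to lock the wallpaper and context menu. The contents of the desktopfix.reg quote box are not reproduced on this page, so the following is a separate, added example (not bjgarrick's file): a Python script that turns the key/value pairs named in the regedit steps into a deletion-only .reg file, and parses it back so you can see exactly what it will do before importing it. The value names and keys come from the post; the `"Name"=-` delete syntax and the `Windows Registry Editor Version 5.00` header are standard regedit .reg format, and the protected-value check is this example's own addition.

```python
"""Build a .reg file that deletes the Explorer/ActiveDesktop policy values
named in the post, and parse it back to confirm its effect before import.
'"Name"=-' is regedit's delete-value syntax; a key section with only such
lines removes values without creating or touching anything else."""

POLICY_DELETIONS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": [
        "NoViewContextMenu",
    ],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": [
        "NoViewContextMenu", "NoActiveDesktop", "ForceActiveDesktopOn",
    ],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop": [
        "NoChangingWallPaper", "NoComponents", "NoAddingComponents",
        "NoDeletingComponents", "NoEditingComponents", "NoHTMLWallpaper",
    ],
}
# The post says this legitimate value should stay in the HKCU Explorer key;
# refusing to emit a deletion for it is this example's own safety check.
KEEP = {"NoDriveTypeAutoRun"}

HEADER = "Windows Registry Editor Version 5.00"


def build_reg(deletions):
    """Return .reg text that deletes each listed value under its key."""
    lines = [HEADER, ""]
    for key, names in deletions.items():
        lines.append(f"[{key}]")
        for name in names:
            if name in KEEP:
                raise ValueError(f"refusing to delete protected value {name}")
            lines.append(f'"{name}"=-')
        lines.append("")
    return "\r\n".join(lines)  # .reg files use CRLF line endings


def parse_reg(text):
    """Parse the subset of .reg syntax build_reg emits (key sections and
    value deletions) into {key: [deleted values]}.  Anything else raises,
    so a hand-edited file that would *set* a value is caught before import."""
    lines = text.splitlines()
    if not lines or lines[0] != HEADER:
        raise ValueError("missing .reg header")
    result, key = {}, None
    for ln in lines[1:]:
        if not ln.strip():
            continue
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            result.setdefault(key, [])
        elif key and ln.startswith('"') and ln.endswith('"=-'):
            result[key].append(ln[1:-3])
        else:
            raise ValueError(f"unexpected line: {ln!r}")
    return result


def write_reg(path, deletions):
    """Write the file; Version 5.00 .reg files are BOM-prefixed UTF-16."""
    text = build_reg(deletions)
    with open(path, "w", encoding="utf-16", newline="") as f:
        f.write(text)
    return text


if __name__ == "__main__":
    print(build_reg(POLICY_DELETIONS))
```

Double-clicking the resulting file does the same work as the regedit steps in one merge. Because it only contains `=-` lines, importing it on a machine where the values are already gone changes nothing, which makes it safe to re-run after the reboot to check that nothing re-created them.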
  11. na13sh

    na13sh Private E-2

    You rule dude. My computer is officially 100% back to normal. Thank you so much. You saved the day!
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

