need some help w. spyware removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by scarlettwildrose2001, Dec 15, 2005.

  1. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    First of all, great forum and thx for any help in advance...

    English is my second language, so excuse any grammar or spelling errors...I'm also not the greatest when it comes to in-depth computer dealings...which is how I ended up here.

    3 days ago, my computer went haywire. I think I caught that shy sheriff thing and probably sev. other problems. I worked my way through this all night. I believe I got rid of spysheriff completely and a bunch of other stuff as well. I ran scans with Norton and also Microsoft anti spyware. At first they found a bunch of stuff, subsequent scans came up clean.

    I did those in safe mode as well.
    I disabled system restore, enabled showing of hidden folders.

    I fixed something in regedit that gave me back my desktop display (had that annoying warning msg. in it) by following some steps I found on a similar website.

    I still had some odd things happening sometimes, mostly the new firewall (that I downloaded from here) freezing up every time it came across something and then a small window would open up by the start button and writing would appear, like a "command". I was able to x out of it before anything happened.

    So then I found your Spy Sheriff Removal, and did all that as well...

    After that everything seemed fine...but today that annoying small window with the "ghost writing" appeared again..ugh.

    So I checked everything again, read through everything on here. I have already run scans for spyware and viruses, both in safe and normal mode. I still have system restore disabled, have hidden folders enabled.
    I have hijack this and also the "fixadt.reg" file.

    I just downloaded spysweeper, ran that following your instructions, and it did find some stuff...which I "fixed".

    Not sure if my system is ok now, though...just get a weird feeling, although nothing else happened yet.

    I didn't attach any logs yet, cause I'm not sure if you want me to do other things first...I ran virus scans, spyware scans...but don't have all the many diff. ones I see on here...

    I wanted to do the Cleanup procedure for removing malware problems. But I do have a (probably stupid) question about it. It asks to download "smitRem.exe" and save to desktop. Well, I saved it to desktop. It asks to doubleclick it to extract it to its own folder on desktop.
    When I doubleclick it, it prepares to "run"...is that what it's supposed to do? Is it going to "extract" by running???

    Help..I know it's a really amateur question, but I'm so tired of these problems and I do not want to do anything wrong...I'm just slowly working my way through this, learning...

    Any help you can give, I'll be very grateful for. Thank you, and sorry this is so lengthy...
     
  2. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    Btw. Something keeps happening with my IE settings. The spysweep said that it had already been hijacked and changed, and they fixed it for me. But now it takes longer to load and it messed up my homepage (already fixed that again). After I typed up this post and clicked on "preview" I got the message that I wasn't connected to the internet...SIGH.

    I clicked on "try again" and then it worked. But still...not kosher :(
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  4. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    Ok, having problems still...it keeps telling me I'm "offline", then the puter froze up as I tried to attach the file, and internet explorer takes forever to load...sigh.
    It worked better before the spysweeper resetting something?

    Trying to attach again...


    ...Ok, so now I'm in real trouble, it just won't let me attach anything. When I try, it freezes up doing nothing...when I try again, same problem.

    So now what...:(
     
  5. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    Ok, I turned off Spysweeper, closed it off...and now I can attach things...how strange :( but here is my HJT Log, and also the spysweeper log from earlier...

    again, thx :)
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  7. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    Alright, I followed the instructions...

    After running "killbox" an alert popped up in the lower right corner...this happens frequently lately (as I try to fix things) and I'm never sure whether I should "allow" or "block" it...

    This one said: An internet Explorer URL Search hook requires your approval.

    "Shell Document Object and Control Library"

    "c/windows system 32\shdocvw.dll"

    I did "allow" it, not knowing whether that was a fixed problem or not...prior to this I always blocked whatever came up, not sure which one was correct to do...

    I then kept following instructions, went into safe mode...
    In Windows Explorer I didn't find any of the files to delete...

    I ran CC cleaner

    I had the internet cable disconnected while in safe mode and also still have system restore disabled...

    Here is the new hijack this log

    Again, thank you for all help :)
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan and have HJT Fix the following:
    Download
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    Post the WinPfind Log and a fresh HijackThis log.
     
  9. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    Before I do this...

    I know this is a stupid question, but how do I extract a file?

    I will download WinPfind (click run or save?) ...where will it end up?

    And how to extract it to the root folder of drive C. By doing what?

    I'm really sorry for such an amateur question...but this extracting to thing has me stumped...
     
  10. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    also...when I run Killbox and choose "tools >delete temp files" it opens up a new window, with all kinds of things to choose that can be deleted. Temp files is one of them, but there are also cookies, etc...
    Do I put checkmarks on all of those and then say "delete"? This is what I did last time.
    Thx
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just click the red X.

    To unzip a file, right-click the zip file and select "Extract All" from the pop-up menu.
     
  12. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    I did everything in the order you said.

    One thing, when I opened the Pocket Killbox I got a microsoft alert asking me to either allow or block the process...I allowed, after which Killbox simply disappeared, leaving only the logpart in the folder (exe.part was gone)

    I re downloaded Killbox and proceeded to follow your directions.

    Also, in Killbox the "unregister DLL" is not available.

    Should I disable microsoft spyware while doing steps? It seems each time I try to work on this problem, some alert pops up, leaving me unsure whether to allow or block it...

    Here are the 2 logs

    Again, thank you for bearing with me, I know I'm very amateur about all this and it has to be frustrating for you...
     


  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable MS AntiSpyware and Spy Sweeper. Run Pocket Killbox and delete the files I posted before.

    Next:

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Network Security Service or (NSS) or ( 11Fßä#·ºÄÖ`I) ... right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Network Security Service or (NSS) or ( 11Fßä#·ºÄÖ`I) (Whichever you found above)

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Please run Panda Online Scan.

    Post the log from Panda along with a fresh HijackThis log.
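
The service steps in the post above (stop the service, set its start-up type to Disabled, then delete it) can also be done from the command line; the script below is an added example and is not part of the original posts or any tool named in them. It assumes a current Windows with PowerShell 3.0 or later and an elevated prompt, and the parameter names are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param(
    # Display name given in the post; the pattern is matched as a substring.
    [string]$DisplayNamePattern = 'Network Security Service',
    # Hypothetical parameter: exact service (key) name to remove after review.
    [string]$RemoveServiceName = ''
)

# Anything outside printable ASCII. Localized Windows installs can have
# legitimate non-ASCII display names, so a hit is a prompt to review.
$nonAscii = '[^\x20-\x7E]'

$suspects = @(Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.DisplayName -like "*$DisplayNamePattern*" -or
    $_.Name -match $nonAscii -or
    $_.DisplayName -match $nonAscii
})

# PathName is the binary the service launches; record it before removal.
$suspects | Select-Object Name, DisplayName, State, StartMode, PathName | Format-List

if ($RemoveServiceName) {
    # Only a service that was flagged above can be removed.
    $svc = $suspects | Where-Object { $_.Name -eq $RemoveServiceName }
    if (-not $svc) { throw "No flagged service is named '$RemoveServiceName'." }

    # Same order as the post: stop, set start-up type to Disabled, delete.
    # For these Win32_Service methods a ReturnValue of 0 means success.
    $stop = Invoke-CimMethod -InputObject $svc -MethodName StopService
    Write-Host "StopService returned $($stop.ReturnValue) (non-zero if it was already stopped)"

    $mode = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
        -Arguments @{ StartMode = 'Disabled' }
    if ($mode.ReturnValue -ne 0) { throw "ChangeStartMode failed: $($mode.ReturnValue)" }

    $del = Invoke-CimMethod -InputObject $svc -MethodName Delete
    if ($del.ReturnValue -ne 0) { throw "Delete failed: $($del.ReturnValue)" }
}
```

Run it once with no arguments to review the flagged services, then again with `-RemoveServiceName` set to the `Name` value of the one entry confirmed as unwanted.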
     
  14. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can add that file into the last fix, so you don't have to reboot so many times.
     
  16. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    This is really disheartening...

    Here is what happened. First of all, when I went into services.msc, the network security service was already "stopped"..I then "disabled" it, like you said.

    Then I ran HJT and fixed the first file, the second one you wanted me to fix, wasn't there (023 - Service: Network Security Service....)

    Then I ran Pocket Kill box and copied pasted all the diff. files you wanted me to have it kill...at the end rebooted and safe mode.

    In safe mode I couldn't find any of the files to delete in explorer xp.

    I followed all other instructions and then ran the Panda online scan. It found 27 Spyware (sigh...is there ever an end). I then saved the log, and from then on everything froze up. I couldn't do anything, not open the internet, not close out ....I had to reboot.

    And here I am...with the Panda log and a fresh HJT Log...

    Sorry my computer seems so messed up...
     


  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No reason to be discouraged. If you can't find the files then they were deleted by killbox like they were supposed to be.

    Open ExplorerXP and delete the following:
    Next Reboot to Safe Mode.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK

    Reboot to Normal Mode.

    Run PandaScan once more, post the log along with a fresh HijackThis log.

    This should be the last of the infection.
     
  18. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    alright...still finding 3 spyware...strangely enough one seems to be in the system32/msblank again...the one I just tried to kill?

    Here are the scans

    Thanks so much for not giving up on me ;)
     


  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I'm not seeing any of the files associated with the virus that msblank.html belongs to in the other logs.

    Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.
     
  20. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    alright, did what you asked...

    ...one thing, when I tried to reboot, Internet Explorer refused to shut down, it kept saying "end program" "not responding"...not sure if that has anything to do with it, but it gave me a hard time turning off the computer.

    Here is the log of the rktool

    and thanks :)
     

    Attached Files: log.txt (573 bytes)
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That happens sometimes.

    RKFiles didn't show any files that we need to be concerned about.

    Reboot to Safe Mode. Open Windows Explorer and delete C:\WINDOWS\SYSTEM32\msblank.html.

    Reboot to Normal Mode, and tell me how your computer is running.
     
  22. scarlettwildrose2001

    scarlettwildrose2001 Private E-2

    It seems to run just fine, I guess time will tell :) If I have any problems popping up within the day or so I'll let you know...

    Can't tell you how grateful I am, thank you !

    :)
     
