Please help (SpySheriff mainly)

Discussion in 'Malware Help (A Specialist Will Reply)' started by TheRequiem, Jun 14, 2005.

  1. TheRequiem

    TheRequiem Private E-2

    I'll start off by saying I have read both the "please read this first" threads. I have always considered myself comp savvy, with good habits. I run FF and a bunch of anti-spyware apps, but apparently I was bound to have some spyware problem sooner or later.

    The problems:
    - ~2 weeks ago I started getting Access_Control and Dialer.exe installing/running just about every day. GIANT catches and "removes" it, but it keeps coming back. Timing for this has led me to suspect IMEverywhere (ime.iknow.ca), a Trillian plugin, as the culprit.... but that's pure speculation.
    - Yesterday I got home from work to find my desktop hijacked by "SpySheriff" and none of my usual spyware apps (AA, SS&D, GIANT) seem to be able to correct this. This is my main problem. I can't get rid of SpySheriff.

    Googling SpySheriff has led me here. Please help. Again, I followed your tutorials/walkthroughs to the best of my ability, so... here we go.

    For the virus scanning:
    - The online virus scans did not work (and I have no AV, but I think this is just a spyware issue)
    - Symantec refused to run ("URL redirect limit exceeded"?)
    - MicroTrend HouseCall ran, but was unable to remove any of the 6 or 7 things it found. Looking at them, I'm doubting they're the problem. It didn't like some old Java .zips and a couple of email attachments that have never been opened (mydoom). I deleted the ones I didn't like manually.
    - STINGER found and removed 1 x Netsky and couldn't repair a couple more that were in old email archives

    CCleaner gave an ActiveX error and wouldn't run.

    Primary spyware:
    AdAware found and removed: DAE, Alexa, istbar, DyFucA.
    SS&D found and removed: A pile of the regulars (bfast, doubleclick, etc)
    SpywareBlaster now has all enabled.
    CWShredder found nothing.
    kill2me did its thing.

    SpySheriff: Going strong :(

    Help!

    TIA,
    TheRequiem
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. TheRequiem

    TheRequiem Private E-2

    Sorry I took so long to get back in here. Network config got messed up and it took me a day to figure out just to uninstall, remove, reinstall it.

    HJT log below.
    I've gone through it and compared to the HJT READ FIRST thread.
    To me, it seems fine. So I have no idea what's going on. Desktop still hijacked...
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. TheRequiem

    TheRequiem Private E-2

    TM java version ran and found a little bit but couldn't fix anything. Most were buried in old emails that won't be a problem.

    Rav only has single file scan. "Auto Clean" isn't an option anywhere, or any kind of full PC scan.

    The rest require IE :(

    Edit: unblocking and running IE... since I guess I'm the one asking for help. I feel dirty.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you would rather not run the online scans we can go to Plan B.

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner. After you complete this scan reboot and post a fresh HJT log.
     
    Last edited: Jun 18, 2005
  7. TheRequiem

    TheRequiem Private E-2

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Oops I forgot to update my link for the defs, thanks for letting me know.

    Will be awaiting results!
     
  9. TheRequiem

    TheRequiem Private E-2

    Update:

    RAV: Log attached, all non-Java files (the first 3 it lists) have been shredded via spybot. What to do with the Java ones?

    TrojanScan: It only found cookies (removed), temp IE files (shredded), quarantined files by GIANT (ignored), and one thing C:\WINDOWS\System32\KILLAPPS.exe labeled "not-a-virus.RiskWare... "

    Panda: Log attached

    MT Sysclean: Log attached. Log looks awfully messy. I'm hoping you know what the important parts to look at are.

    http://www.goorpy.com/uploads/PandaActivescan-2005-06-17.txt
    http://www.goorpy.com/uploads/RAV-050618.txt
    http://www.goorpy.com/uploads/MicroTrendSysclean-050618.txt

    Will restart and post fresh HJT log.
     
  10. TheRequiem

    TheRequiem Private E-2

    New HJT:
     

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks clean to me, are you having any further problems?
     
  12. TheRequiem

    TheRequiem Private E-2

    Yes, my desktop is still the SpySheriff Blue w Black, and is locked as such. I am not able to restore it.

    I don't believe I have any software eating my cycles anymore, but this inability to restore my own desktop is a severe annoyance.

    Any ideas how to forcibly re-hijack it myself?
     
  13. TheRequiem

    TheRequiem Private E-2

    No dice on reclaiming my desktop?
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixadt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixadt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    After you complete the above, reboot and let me know what problems if any remain.
     
  15. TheRequiem

    TheRequiem Private E-2

    Did not correct locked desktop, unfortunately.

    http://www.goorpy.com/uploads/bloodyspysheriff.jpg

    Seems there's a lot of these SpySheriff issues coming up lately. I wonder what the sources are that have hit so many people.

    Any more suggestions?
     
  16. TheRequiem

    TheRequiem Private E-2

  17. TheRequiem

    TheRequiem Private E-2

    Ok, this is getting closer. The SpySheriff desktop no longer loads on startup.
    However, when I went to check if I had control, I did not. The desktop selection was locked, and when I closed the desktop properties, there was SpySheriff's pseudo BSoD.

    I think there are some more regkeys/strings in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    I see:
    http://www.goorpy.com/uploads/systemregkeys.jpg

    I'm going to slash some of those.
     
  18. TheRequiem

    TheRequiem Private E-2

    Removing the wallpaper string and the NoVisualStyleChoise key has restored my control!
    Do you think I should delete the rest of those?

    In any case, thank you very much for the help and the kick in the right direction.

    Me love you long time. Sucky sucky, 2 dolla.
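    The fix the poster found by hand (the forced Wallpaper string and the NoVisualStyleChoice-type restriction under HKCU\...\Policies\System) can be checked for and undone in a repeatable way. The PowerShell below is an added example, not something from this thread or from the tools mentioned in it; the value names it looks for are standard Windows policy values that restrict Display Properties and wallpaper changes, and the three key paths are assumptions about where such a lockout would live. Run it as the affected user, since these are HKCU keys.

```powershell
# Added example: audit (and optionally remove) per-user policy values that lock the
# desktop the way the thread describes. Not part of the original thread.

# Assumed locations of desktop-restriction policies for the current user.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Standard policy value names: Wallpaper/WallpaperStyle force an image; the NoDisp*,
# No*Choice and NoChangingWallPaper values disable parts of Display Properties; the
# Disable* values are often set alongside to block cleanup with regedit/Task Manager.
$suspectValues = @(
    'Wallpaper', 'WallpaperStyle',
    'NoDispBackgroundPage', 'NoDispAppearancePage', 'NoDispScrnSavePage',
    'NoDispSettingsPage', 'NoDispCPL',
    'NoVisualStyleChoice', 'NoColorChoice', 'NoSizeChoice',
    'NoChangingWallPaper', 'NoActiveDesktopChanges',
    'DisableRegistryTools', 'DisableTaskMgr'
)

# Returns one object per matching value so the report can be reviewed before anything is deleted.
function Get-DesktopLockdown {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            if ($suspectValues -contains $name) {
                [pscustomobject]@{ Path = $path; Name = $name; Value = $key.GetValue($name) }
            }
        }
    }
}

# Deletes only the values the audit reported; -WhatIf shows what would be removed.
function Remove-DesktopLockdown {
    param([switch]$WhatIf)
    Get-DesktopLockdown | ForEach-Object {
        Write-Host "Removing $($_.Path)\$($_.Name) (was: $($_.Value))"
        Remove-ItemProperty -Path $_.Path -Name $_.Name -WhatIf:$WhatIf
    }
}

Get-DesktopLockdown | Format-Table -AutoSize   # report first
# Remove-DesktopLockdown -WhatIf               # dry run
# Remove-DesktopLockdown                       # then log off/on so Explorer re-reads the policy
```

An empty report with the desktop still locked means the restriction lives somewhere else (a machine-wide HKLM policy or a running process that keeps re-applying it), which is the case where a fresh HJT log is the better next step.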
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the below contents, save as fix1.reg

    Double click to run, click YES to merge!

    After doing the above, reboot and let me know if any problems remain.
     
  20. TheRequiem

    TheRequiem Private E-2

    Looks like we posted at the same time. I think it's corrected now, but I've removed the rest of the System subfolder as per your instructions just in case. At the very least, it appears to be corrected, which is good enough since HJT sees nothing running.

    And again, thanks much.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to confirm, no further desktop problems?
     
  22. TheRequiem

    TheRequiem Private E-2

    Correct. :D

    Thanks for the help!
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
