Spy Sheriff removal procedure fixed desktop display, but left system slow

Discussion in 'Malware Help (A Specialist Will Reply)' started by Feltes, Dec 27, 2005.

  1. Feltes

    Feltes Private E-2

    MY PC specs:
    - Win XP Pro, SP2
    - P4 2.4 GHZ
    - 1 GB RAM

    1. I completed the steps in the "READ & RUN ME FIRST"
    Note that "Bit Defender" always stopped scanning for some reason. The first time it said...
    Files: 7256 out of 46873
    C:/Downloads

    ... then froze. I deleted the two files in this folder (I knew what they were) and scanned again. It froze again at...
    Files: 2572 out of 46873
    C:/Documents and Settings/Adam/Local Settings/Temp/tmp00034de

    ... I did not delete this, though, because I don't know what it is. I just gave up here and continued with the rest of the steps.


    2. I completed the steps in the "Smitfraud, SpySheriff, SpyAxe & PSGuard Removal" thread.
    With the HijackThis scan, I removed the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    After this, I unchecked "Security" in Control Panel/Display/Customize Desktop/Web.
    Attached are "smitfiles.txt" and "activescan.txt"

    Now my desktop is back to normal, but the system performance is still very "spywarish." I know that's not a word. Note that the ActiveScan showed a few spyware infections. Can I remove? Do I have to buy this product?

    Can anyone help? :confused:
    Is there something in the attached log files that should concern me?
    Spyware is the devil. :mad:
    This site rocks, and has been quite helpful so far. Thanks! :)
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post a HijackThis log.
     
  3. Feltes

    Feltes Private E-2

    Thank you. The log is attached.

    Upon startup this morning, MS anti-spyware asked me if I wanted to block MSCORNET.EXE from the registry. I blocked it. Know what this is?
     


  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Whatever you are using MSConfig to disable, re-enable it, reboot, and post a fresh HijackThis log.

    We need to see everything.
     
  5. Feltes

    Feltes Private E-2

    I wasn't aware anything was disabled when I ran HijackThis. I only used MSConfig to reboot in safe mode in much earlier steps. In any case, I re-ran and re-attached the log in normal mode. Let me know if this helps.

    Do you mean the "Services" and "Startup" tabs in MSConfig? I know in the past I've unchecked some of the options for the sake of system performance. I've disabled nothing since my spyware infection, however.
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process.

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    Post WinPFind.txt and a fresh HijackThis log.
     
  7. Feltes

    Feltes Private E-2

    It's as if this problem just started over. It reclaimed my desktop and I keep getting the supposed "Windows" balloon telling me how I'm infected and should allow it to download up-to-date software (probably SpySheriff).

    Anyway, the steps have been completed and logs are attached.
     


  8. Feltes

    Feltes Private E-2

    P.S. I ran the MS Anti-spyware scan (again) and it found two problems. Fixing this fixed the fake Windows balloons telling me I'm infected.
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Network Security Service or NSS or 11Fßä#·ºÄÖ`I ... right click the entry(Whichever one you find), select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button... select "Delete an NT Service"... copy/paste the following into the box that opens, and press "OK":

    Network Security Service or NSS or 11Fßä#·ºÄÖ`I (Whichever one you found above)

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process.

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Running Ewido Security Suite.

    Run WinPFind again; the log is incomplete. It can take several minutes for WinPFind to complete a scan.

    Run HijackThis and post a fresh log.
     
  10. Feltes

    Feltes Private E-2

    I attached the Ewido log. I also attached updated WinPFind and HJT logs. Thank you.

    Please answer this question - Should I be worried about using my PC for paying bills and such using secure websites (e.g. credit cards, etc.)??
     


  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete the following folder: C:\!KillBox

    Scan with HijackThis and fix the following lines:
    - Run CWShedder
    - Run HSremove
    - Run about:Buster and save the log to ab1.txt.
    - Immediately reboot into safe mode and run about:Buster again in safe mode and save another log (ab2.txt). Newer versions of about:Buster will probably append to the previous log file. That's ok.
    - Now immediately reboot in normal mode and post the results of these steps and your about:Buster log.
    - Also you should now run HijackThis and save a log. Follow the instructions given in HJT's link to properly attach your log.
    - Do not reboot or power down your PC or the malware could mutate if still infected.
     
  12. Feltes

    Feltes Private E-2

    Deleted C:\!Killbox and all contents.
    Ran CWShedder
    Ran HSremove
    Ran about:Buster in normal mode, then in safe mode (appended to original file)
    Reboot to normal mode to run HJT
    I will not reboot again until you tell me to.

    Note: Upon startup my Ewido (trial version) found an infection, but about:Buster found nothing in safe mode.

    Per the instructions, I believe I am posting the HJT log correctly. Are you still having a problem viewing it?
     


  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following line:
    REBOOT

    Post a fresh HijackThis log.

    How is your computer running?
     
  14. Feltes

    Feltes Private E-2

    The log is attached. My PC seems to be running fine.

    Upon reboot, Ewido found and cleaned a file (IdDCOA.tmp) in the system32 folder. Should I be concerned? The Ewido program is only a trial version. Any recommendations going forward?
     


  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean.

    Even though Ewido is a trial program, it will remain functional after the trial expires. The resident/realtime functions will no longer work but the rest of the program remains completely functional.

    Disable system restore, and then enable system restore. This will flush your restore points and create a new restore point.

    System Restore

    How to Protect yourself from malware!
     
  16. Feltes

    Feltes Private E-2

    Thanks for your help. I still have the Trojan file - IdDCOA.tmp. Norton finds it but cannot clean it. Can you help? Should I start a new thread?
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot to Safe Mode.

    Using the Search function in the Start Menu, search for IdDCOA.*; delete every occurrence.
     
  18. Feltes

    Feltes Private E-2

    I ran Norton AV scan and found 3 spysheriff (again?) and the trojan discussed above. It removed the 3 spysheriff, but could not delete the trojan.

    I booted to safe mode and deleted two things (info from Norton):

    1. Registry (using regedit) -
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

    2. File (using search function) -
    c:\WINDOWS\system32\__delete_on_reboot__ld90A9.tmp

    I then restarted only to find the same problem under a new name -
    c:\WINDOWS\system32\__delete_on_reboot__ld8709.tmp

    How can I stop this thing from reinfecting under a new name when I boot in Normal mode?
     
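The behaviour Feltes describes above (a file under a fresh `__delete_on_reboot__*.tmp` name after every boot) and Killbox's "Delete on Reboot" option in the earlier instructions both rely on the same Windows mechanism: the `PendingFileRenameOperations` value under `HKLM\System\CurrentControlSet\Control\Session Manager`, which the kernel processes early at boot as a list of (source, destination) string pairs, an empty destination meaning "delete". The script below is an added example for inspecting that value from a defender's side; it is not code from this thread, from MajorGeeks or from any of the tools named here. The sample value, the `example_dropped.dll` name and the heuristics in `flag_suspicious` are constructed for illustration; the live-read path uses Python's standard `winreg` module and is only exercised on Windows.

```python
"""
Parse and triage PendingFileRenameOperations, the REG_MULTI_SZ value that
Windows applies at boot to move or delete files that were locked while the
system was running. Installers and cleanup tools (Killbox's "Delete on
Reboot") use it legitimately; the thread above shows malware using the same
queue to re-create itself under a new name after each reboot.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entries carry the NT object-manager prefix \??\ ; a leading "!" on the
# destination asks the kernel to overwrite an existing file.
NT_PREFIX = "\\??\\"


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]  # None means "delete source at boot"

    @property
    def is_delete(self) -> bool:
        return self.destination is None


def strip_nt_prefix(path: str) -> str:
    """Turn '!\\??\\C:\\x' or '\\??\\C:\\x' into the plain Win32 path 'C:\\x'."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path


def parse_pending_ops(values: List[str]) -> List[PendingOp]:
    """Pair up the flat string list into (source, destination) operations."""
    items = list(values)
    if len(items) % 2 == 1:          # tolerate a missing trailing terminator
        items.append("")
    ops = []
    for i in range(0, len(items), 2):
        src = strip_nt_prefix(items[i])
        dst = items[i + 1]
        if not src:                  # empty source = list terminator / padding
            continue
        ops.append(PendingOp(src, strip_nt_prefix(dst) if dst else None))
    return ops


# Heuristics (constructed for this example): the self-deleting temp name seen
# in the thread, and anything being moved from a staging folder into system32.
TEMP_NAME = re.compile(r"^__delete_on_reboot__.*\.tmp$", re.IGNORECASE)
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
STAGING = re.compile(r"\\(temp|recycler)\\", re.IGNORECASE)


def flag_suspicious(ops: List[PendingOp]) -> List[Tuple[PendingOp, str]]:
    findings = []
    for op in ops:
        name = op.source.rsplit("\\", 1)[-1]
        if op.is_delete and SYSTEM32.search(op.source) and TEMP_NAME.match(name):
            findings.append((op, "self-deleting temp file in system32 (pattern from this thread)"))
        elif (not op.is_delete and SYSTEM32.search(op.destination)
              and STAGING.search(op.source)):
            findings.append((op, "file staged in a temp/recycler folder moved into system32 at boot"))
    return findings


def read_live_value() -> List[str]:
    """Read the real value on a Windows host; returns [] elsewhere or if unset."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
            return list(value)
    except OSError:                  # key or value not present
        return []


# Constructed sample value: one entry modelled on the thread, one dropper-style
# rename into system32, and one benign installer update for contrast.
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\system32\__delete_on_reboot__ld8709.tmp", "",
    r"\??\C:\DOCUME~1\Adam\LOCALS~1\Temp\tmp00034de", r"!\??\C:\WINDOWS\system32\example_dropped.dll",
    r"\??\C:\Program Files\Example App\update.tmp", r"!\??\C:\Program Files\Example App\app.exe",
]


if __name__ == "__main__":
    data = read_live_value() or SAMPLE_VALUE
    for op, reason in flag_suspicious(parse_pending_ops(data)):
        target = "DELETE" if op.is_delete else f"-> {op.destination}"
        print(f"{op.source} {target}\n    {reason}")
```

Run on a Windows host it reads the live queue; anywhere else it falls back to the constructed sample. Clearing the value by hand, as the thread does, only removes the queued operation; whatever wrote it (here, the running Trojan) will queue a new one unless that process is stopped first.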
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  20. Feltes

    Feltes Private E-2

    Done...

    1. I found nothing in the HJT scan.

    2. smitREM seems to have found nothing.
    While I was in safe mode, I deleted the trojan file and registry again, per my previous post:

    Registry (using regedit) -
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

    File (using search function) -
    c:\WINDOWS\system32\__delete_on_reboot__ld8709.tmp

    I then restarted in normal mode and it doesn't seem to have come back under a different name this time... strange. :confused: Another instance of this trojan.zlob tried to come up in C:\RECYCLER, but Norton AV removed it.

    3. I also attached the Panda Scan, which found some spyware.

    Thank you for the continued support.
     


  21. Feltes

    Feltes Private E-2

    Sorry, for some reason the Smitfiles.txt wouldn't upload. I re-ran it and attached the file.
     


  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run CCleaner. Delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Empty the contents of your Microsoft Antispyware Quarantine folder.
    Empty the contents of your Norton Antivirus Quarantine folder.
    Empty the contents of the Norton Protected Recycle Bin.
    Empty the Firefox Internet Cache.

    Your system should now be clean.
     
    Last edited: Jan 9, 2006
  23. Feltes

    Feltes Private E-2

    For some reason, the smitfile.txt didn't post correctly. I re-ran and re-attached.
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The one that posted earlier is clean.
     
  25. Feltes

    Feltes Private E-2

    I agree that everything appears clean now. Much thanks for all of your help. Is there somewhere I can leave feedback for you on the site?
     
  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    We don't have a feedback mechanism. You could always PM the owners with comments about the service you received.
     
