Spy Sherriff

Discussion in 'Malware Help (A Specialist Will Reply)' started by srtdave, Jun 17, 2005.

  1. srtdave

    srtdave Private E-2

I had a popup, and my desktop has some dribble about system stopped, major malfunction. I tried uninstalling SpySheriff from Add/Remove Programs in the Control Panel and when the computer next booted it was there again. I have eAnthology StopSign and so ran it, and it cured a few things. I deleted the SpySheriff folder from Program Files. It all appears cured but I still can't change my desktop picture. I have included my HJT log. What have I missed?
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure System Restore is disabled and the viewing of hidden files and folders is enabled per the tutorial!

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    NewDotNet

    eAcceleration <-- Remove anything relating to eAcceleration.

    StopSign

    Daily Weather Forecast

    ISTsvc


    NEXT:
    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the asiclayer.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move asiclayer.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file asiclayer.dll is already in the remove section, then just click FINISH.)

    After you complete ALL of the above, reboot into Safe Mode. I want you to run SpyBot and get into the Advanced mode by selecting Mode and then Advanced mode. Then select Settings and then in the left column select Ignore Products. In the right window pane make sure the All products tab is selected. Then in that window, right click your mouse and choose "Deselect all". Now in the left pane click at the top on SpyBot S&D and then choose Search for Updates. Download any updates required. Now click Check for Problems. Fix any that are found.

    After you complete the above, reboot back into normal mode and proceed with the below online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan
    Panda Online Scan


    After you complete ALL of the above, reboot and post a fresh HJT log.
     
  3. srtdave

    srtdave Private E-2

    I have removed nearly all that you asked. To be fair, only NewDotNet was present, and eAcceleration. The problem is eAcceleration/StopSign is my virus/spyware/adware/popup/spam software and it has been very good. Do you really think it is causing a problem? (I have had it for 2 years and it has kept me, apart from this, completely clean, and yesterday when this all happened, before it scanned and cleaned out 9 trojans, it downloaded updates, after SpySheriff installed itself.)

    I am doing what you said without getting rid of StopSign - I can do it again if you think it really has to go! I will post the results in a few minutes.
     
  4. srtdave

    srtdave Private E-2

    :( OK, I did everything you asked, apart from removing the eAcceleration and StopSign products (I subscribe to this as I mentioned earlier). However Spybot found 80 problems - it cleaned 22 off but according to Spybot eAcceleration is causing 58. Housecall found 1 problem, TROJ_SMALL.VS in C:\Program Files\Acceleration Software\antivirus\scan_update.exe (non-cleanable).
     
  5. srtdave

    srtdave Private E-2


    And here is the new HJT log file. And my desktop still has the picture which says it has a severe system fault.
     

    Attached Files:

  6. srtdave

    srtdave Private E-2

    I have done a system restore to 2 days ago - and then did all the checks you asked. Downloaded the newest Microsoft security updates (today's). It appears that everything is back to normal.

    Thank you for the help - I would consider this matter now resolved. :)
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a current HJT log to confirm you're clean.
     
  8. srtdave

    srtdave Private E-2

    Here it is.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    eAnthology

    StopSign

    Daily Weather Forecast

    Acceleration Software

    TopText

    eAcceleration




    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the asiclayer.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move asiclayer.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file asiclayer.dll is already in the remove section, then just click FINISH.)


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll

    O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
    O4 - HKLM\..\Run: [WebScan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
    O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
    O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
    O4 - HKLM\..\Run: [BAf6KGVL4] C:\WINDOWS\tyyxgtl.exe
    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
    O4 - HKLM\..\Run: [bO²ùð,×y-¯Œ] C:\WINDOWS\tyyxgtl.exe
    O4 - HKLM\..\Run: [3F3k38i] msnocheck.exe
    O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
    O4 - HKCU\..\Run: [IosqRUG9h] mshchap.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\TopText\wo.exe

    O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menusearch.html?p=CPXXXXXX59

    O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
    O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they still remain:

    C:\Program Files\Top Text <-- Delete this whole folder if it exists!

    C:\Program Files\Acceleration Software <-- Delete this whole folder if it exists!

    C:\Program Files\Daily Weather Forecast <-- Delete this whole folder if it exists!

    C:\Program Files\Common Files\eAcceleration <-- Delete this whole folder if it exists!

    C:\WINDOWS\tyyxgtl.exe

    msnocheck.exe <-- Search for this file and delete when found!

    mshchap.exe <-- Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After you complete ALL of the above, reboot and post a fresh HJT log.
     
  10. srtdave

    srtdave Private E-2

    As I mentioned before - StopSign and eAcceleration products are my antivirus etc. Do I really need to remove them? I subscribe to these, and up until now they really work.
     
  11. srtdave

    srtdave Private E-2

    Here is the new one.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have bought them and you like them and think they are safe then keep them. I don't know much about them, I just don't like eAcceleration software.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Regarding this new log, if you're comfortable and like eAcceleration then you can keep it.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file iefix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the iefix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - Default URLSearchHook is missing
    (Should be gone)

    O4 - HKLM\..\Run: [3F3k38i] msnocheck.exe
    O4 - HKCU\..\Run: [IosqRUG9h] mshchap.exe

    O8 - Extra context menu item: &Search - http://bar.mytotalsearch.com/menusearch.html?p=CPXXXXXX59

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Be sure the viewing of hidden files and folders is enabled per the tutorial. Now look in the below 3 directories for these two files and delete when found!

    msnocheck.exe
    mshchap.exe


    C:\WINDOWS
    C:\WINDOWS\System
    C:\WINDOWS\System32


    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you complete ALL of the above REBOOT, Scan with HijackThis and attach the new log.
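An added example, not part of this thread or of MajorGeeks' own tooling: a small Python triage script for HijackThis O4 (Run key) entries like the ones bjgarrick asks to fix in posts 9 and 13. It flags the patterns a log reviewer looks for: a bare filename with no path (msnocheck.exe, mshchap.exe), an executable sitting directly in C:\WINDOWS, and random-looking or non-ASCII value names. The sample lines are constructed to resemble the ones quoted above, not taken from the poster's attachment; the name-randomness test is a heuristic and will not match every case.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the O4 lines quoted in the thread;
# it is not the poster's actual HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WebScan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
O4 - HKLM\..\Run: [BAf6KGVL4] C:\WINDOWS\tyyxgtl.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [bO²ùð,×y] C:\WINDOWS\tyyxgtl.exe
O4 - HKLM\..\Run: [3F3k38i] msnocheck.exe
O4 - HKCU\..\Run: [IosqRUG9h] mshchap.exe
"""

# HijackThis O4 line shape: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")


def triage_o4(log_text):
    """Return {value_name: [reasons]} for O4 entries that deserve a closer look."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        _hive, name, command = m.groups()
        # The executable is the first token; a quoted path may contain spaces.
        exe = command.split('"')[1] if command.startswith('"') else command.split()[0]
        if "\\" not in exe:
            findings[name].append("bare filename with no path (Windows has to search for it)")
        elif re.fullmatch(r"(?i)c:\\windows\\[^\\]+", exe):
            findings[name].append("executable sitting directly in the Windows folder")
        # Heuristic: alphanumeric names mixing digits, upper and lower case look generated.
        if (re.fullmatch(r"[A-Za-z0-9]+", name) and re.search(r"\d", name)
                and re.search(r"[a-z]", name) and re.search(r"[A-Z]", name)):
            findings[name].append("random-looking value name")
        if any(ord(c) > 127 for c in name):
            findings[name].append("non-ASCII characters in value name")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in triage_o4(SAMPLE_LOG).items():
        print(f"[{name}]: " + "; ".join(reasons))
```

Running it prints one line per flagged entry; the legitimately named entries with full Program Files paths (WebScan, Daily Weather Forecast) are left out.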
     
