SpySheriff, Can't get it out of Hijack Log

Discussion in 'Malware Help (A Specialist Will Reply)' started by WISHIWUZFISHIN, Jul 20, 2006.

  1. WISHIWUZFISHIN

    WISHIWUZFISHIN Private E-2

    I have completed all initial procedures before posting. I had a problem with ActiveScan. It showed no bad items found; however, I could not locate the option to print a report. I have attached logs and see some stuff that will not go away. Help is much appreciated.

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  3. WISHIWUZFISHIN

    WISHIWUZFISHIN Private E-2

    I ran the SmitFraud removal tool. I do not believe it found anything. ActiveScan found SmitFraud. I ran another HijackThis scan and it still shows things that should not be there, like SpySheriff. I also need to get rid of the 04 [Armor2net] and 04 [Proxyway]. I do not use these. What is the 04 [ControlPanel]? System runs fine, I do not have any obvious problems, but I do not know what is lurking in the background.

    Thanks

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    << The installed version of Java on this computer is outdated. Install version 1.5.0_07, available from http://www.java.com/en/download/manual.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Download
    - Pocket Killbox

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into Killbox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to, and DELETE the following (some of these may have already been deleted by Pocket Killbox):
    Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run, type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    and click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  5. WISHIWUZFISHIN

    WISHIWUZFISHIN Private E-2

    Shadow,

    Updated Java, except I could not figure out how to uninstall the old Java version.
    Ran all as suggested. While in safe mode, I also deleted the restore points.
    SpySheriff and others still exist in HijackThis... Do we have a plan "B"?

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, I need to collect a little more information. Looks like we may need to manually remove the infection.

    Do the following:
    Running WinPfind by OldTimer
    Using GetRunKey
    Using ShowNew

    Post WinPFind.txt, runkeys.txt and newfiles.txt.

    You can uninstall older versions of Java from Add or Remove Programs in the Control Panel.
     
  7. WISHIWUZFISHIN

    WISHIWUZFISHIN Private E-2

    OK, here are the three attachments. Hope you had a great weekend!!!!!

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - ExplorerXP

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into Killbox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to, and DELETE the following (some of these may have already been deleted by Pocket Killbox):
    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run, type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    and click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  9. WISHIWUZFISHIN

    WISHIWUZFISHIN Private E-2

    New HJ log posted, !@#! *!#@....

    Followed previous instructions almost exactly. The only thing I did not do was delete the Party Poker folder. I will need to delete it later because it is still in use for the short term.

    I don't get it. HijackThis shows files like SpySheriff.exe, and the SpySheriff folder does not exist in C:\Program Files, according to ExplorerXP.

    The next step is greatly appreciated.

  10. WISHIWUZFISHIN

    WISHIWUZFISHIN Private E-2

    I located something that may be of help. I did a file search for the keyword "armor2net" and it was located in a few files, all with the same format. One of the file names was cc_20060614_1928.reg. I believe this is a registry backup for Crap Cleaner. Should these reg backups be deleted, and then do some sort of cleaning?
     
  11. WISHIWUZFISHIN

    WISHIWUZFISHIN Private E-2

    Ok Shadow Dude,

    I deleted the Crap Cleaner backup files and also used Crap Cleaner to delete the following startup items:

    [Armor2net] C:\Documents and Settings\All Users\Documents\Install\Armor2net.exe

    [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    [ControlPanel] C:\WINDOWS\system32\popcorn72.exe rundll.dll,LoadMouseProfile

    I also found that in Spy Sweeper these same items were listed as startup items and checked to start on system boot. They have now been unchecked. Spy Sweeper was the program that was alerting me to SpySheriff and would always put it in quarantine.

    I did a normal reboot and ran HijackThis. Log is posted. A complete review of the new HJ log is greatly appreciated. I do not understand what it all is, but am starting to get a few clues. Thanks
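The startup items listed in the post above are Run-key values, which is what HijackThis reports as O4 entries; an O4 line can still name SpySheriff.exe after the folder is gone because the registry value outlives the file. The following PowerShell script is an added example for this thread (not code from MajorGeeks or any tool named here): it enumerates the Run/RunOnce keys, flags values whose name or command contains one of the names from the posts above (the $suspectNames list is an assumption taken from the thread), and reports whether each target executable actually exists on disk.

```powershell
# Added example, not code from the thread. Enumerate the Run/RunOnce keys that
# HijackThis lists as O4 entries and flag anything matching the names discussed
# in this thread or whose target executable no longer exists (an orphaned entry).
$suspectNames = @('SpySheriff', 'Armor2net', 'Proxyway', 'popcorn72')  # taken from the posts above
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartTarget {
    param([string]$Command)
    # Pull the executable path out of a Run value, e.g.
    #   "C:\Program Files\SpySheriff\SpySheriff.exe" /silent
    #   C:\WINDOWS\system32\popcorn72.exe rundll.dll,LoadMouseProfile
    if ($Command -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)\b') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSChildName/... metadata properties; skip those.
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $target = [Environment]::ExpandEnvironmentVariables((Get-AutostartTarget ([string]$p.Value)))
        # A bare name (rundll32.exe, notepad.exe) is resolved through PATH; a full path is checked directly.
        $exists = $false
        if ($target -match '[\\/]') { $exists = Test-Path -LiteralPath $target }
        elseif ($target)            { $exists = [bool](Get-Command -Name $target -ErrorAction SilentlyContinue) }
        $nameHits = @($suspectNames | Where-Object { $p.Name -like "*$_*" -or $p.Value -like "*$_*" })
        $flag = if ($nameHits.Count -gt 0) { 'NAME-MATCH' } elseif (-not $exists) { 'ORPHANED' } else { '' }
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Target     = $target
            FileExists = $exists
            Flag       = $flag
        }
    }
}
$results | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; an entry reported as NAME-MATCH with FileExists = False is exactly the stale O4 line described above, and removing the registry value (as the Fix checked step does) is what clears it.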

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter