SpySheriff Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tharsh, Jun 21, 2005.

  1. Tharsh

    Tharsh Private E-2

    Hi, I have been having this SpySheriff problem. I did all the Basic Spyware, Trojan and Virus Removal, yet SpySheriff keeps coming back, so any help would be much appreciated :D :D :D
     
  2. Tharsh

    Tharsh Private E-2

    Here is my Hijack Logfile
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Daily Weather Forecast

    Viewpoint

    wppsrpxx

    QuickSearch

    SpySheriff


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

    O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
    O2 - BHO: SDWin32 Class - {91C628FE-36DD-44C5-81DB-E808BA372ED6} - blank (file missing)
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
    O2 - BHO: SDWin32 Class - {E5CBDE1C-C1FE-40AA-91C4-C8EF009A950E} - blank (file missing)
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

    O4 - HKLM\..\RunServices: [kernctl32] rundll32 kctl32.dll,initialize
    O4 - HKCU\..\Run: [YoppROcsg] ski7enu.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1059.dll,InstantAccess
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSMND1\Cache\SelectedContextSearch.htm

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab'
    O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\Daily Weather Forecast ←–– Delete this whole folder if it exists!

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\Program Files\QuickSearch ←–– Delete this whole folder if it exists!

    C:\Program Files\SpySheriff ←–– Delete this whole folder if it exists!

    C:\Program Files\PWRSMND1 ←–– Delete this whole folder if it exists!

    C:\Program Files\wppsrpxx ←–– Delete this whole folder if it exists!

    C:\WINDOWS\pxwma.dll

    C:\winstall.exe

    kctl32.dll <-- Search for this file and delete when found!

    ski7enu.exe <-- Search for this file and delete when found!

    EGDACCESS_1059.dll <-- Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After you complete ALL of the above, perform this last step:


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixadt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixadt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    After you have completed ALL of the above reboot and post a fresh HJT log.
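    A read-only audit script, added here as an example and not part of the thread or of HijackThis, that re-checks the registry locations behind the R1, O2 and O4 lines above after the FIX and reboot; the value names it flags are taken from the log entries in this post, and everything else it prints is for manual review.

```powershell
# Added audit script (not from the thread): re-checks the registry locations behind
# the R1/O2/O4 HijackThis entries above so the reader can confirm they are gone.
# Read-only; it changes nothing.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Value names taken from the O4 lines in the post above
$badRunNames = @('kernctl32', 'YoppROcsg', 'Instant Access', 'Windows installer', 'SpySheriff')

foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($name in $key.GetValueNames()) {
        $cmd  = [string]$key.GetValue($name)
        $flag = if ($badRunNames -contains $name) { 'KNOWN-BAD' } else { 'review' }
        Write-Output ("{0,-9} {1}\{2} = {3}" -f $flag, $k, $name, $cmd)
    }
}

# O2 lines: every registered BHO CLSID should resolve to a DLL that exists on disk.
# A BHO whose DLL is missing (like the two "SDWin32 Class" entries) is a leftover.
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($clsid in (Get-ChildItem $bhoRoot).PSChildName) {
        $srv   = "HKLM:\Software\Classes\CLSID\$clsid\InProcServer32"
        $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
        $state = if ($dll -and (Test-Path $dll)) { 'present' } else { 'MISSING-DLL' }
        Write-Output ("BHO {0} -> {1} [{2}]" -f $clsid, $dll, $state)
    }
}

# R1 line: ProxyOverride should normally hold only local exceptions such as localhost
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$po   = (Get-ItemProperty $inet -ErrorAction SilentlyContinue).ProxyOverride
Write-Output "ProxyOverride = $po"
```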
     
  4. Tharsh

    Tharsh Private E-2

    Thanks bjgarrick for all the help :D :D OK, here is the log after doing everything you told me. I tried to delete C:\Program Files\wppsrpxx but it said cannot delete cnml.exe, and I still have that "system stopped" on my desktop.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;Sheri;192.168.0;



    Locate PocketKillbox
    (Proceed with this step even if it does not show in blue)

    Now, Copy and Paste C:\Program Files\wppsrpxx\RYQCGsBL.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your computer. After you have rebooted, boot back into Safe Mode!

    Once in Safe Mode, try again to delete the folder C:\Program Files\wppsrpxx. If you still can't delete it, then open the folder and list the files for me.

    Also, get me a fresh HJT log after you do the above, also let me know how things are running.
     
  6. Tharsh

    Tharsh Private E-2

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Search for these files and delete when found:

    wp.exe

    wp.bmp

    desktop.html



    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\Program Files\wppsrpxx\babe.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Do the above for each file below, after you enter the LAST file have Killbox reboot your system. If you get any errors from Killbox reboot manually. After you have completed this step let me know how things are running.

    C:\Program Files\wppsrpxx\babe.dat
    C:\Program Files\wppsrpxx\cnml.exe
    C:\Program Files\wppsrpxx\dfs.dat
    C:\Program Files\wppsrpxx\exit.dat
    C:\Program Files\wppsrpxx\odj.dat
    C:\Program Files\wppsrpxx\profile.dat
    C:\Program Files\wppsrpxx\RYQCGsBL.dll
    C:\Program Files\wppsrpxx\Url1.dat
    C:\Program Files\wppsrpxx\Url2.dat
    C:\Program Files\wppsrpxx\Url8.dat
    C:\Program Files\wppsrpxx\Url9.dat
    C:\Program Files\wppsrpxx\Urlx.dat

    Also, after you have removed each of the above files, you should be able to remove the folder now.
     
  8. Tharsh

    Tharsh Private E-2

    Thank you once again. Everything is running great; I got rid of all the files. The "system stop" wallpaper is gone, but for some reason I can't put any wallpaper images on the desktop; it won't let me choose.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This fix should take care of your problem. Instead of doing parts of it I just added the whole fix, so just ignore anything that doesn't apply.


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the desktopfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Click Start > Run > type regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Look for a DWORD value called "NoChangingWallPaper"

    When located right click and delete it!



    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    This key should only have "NoDriveTypeAutoRun"

    Remove This Value "NoActiveDesktop"
    Remove This Value "ForceActiveDesktopOn"

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    There should only be the (default) string here

    Remove This Value NoComponents
    Remove This Value NoAddingComponents
    Remove This Value NoDeletingComponents
    Remove This Value NoEditingComponents
    Remove This Value NoHTMLWallpaper


    Now, Navigate to and delete the following file:

    C:\WINDOWS\Web\wallpaper.html


    Final Step:

    Right Click on your desktop, click properties, click the Desktop Tab, click Customize Desktop, click the Web Tab. Now, uncheck everything in this tab.

    After you have completed ALL of the above, reboot and see if problem remains!
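    An audit script, added here as an example and not part of the thread, that lists the Explorer and ActiveDesktop policy values this post tells the user to delete by hand, so the lockdown can be confirmed before touching regedit; with the assumed -Remove switch it deletes only those named values and leaves "NoDriveTypeAutoRun" alone, as the post says.

```powershell
# Added audit script (not from the thread): reports the desktop-lockdown policy
# values named in the post above. Without -Remove it only prints; the -Remove
# switch is this example's own addition and deletes just the flagged values.
param([switch]$Remove)

$checks = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @('NoViewContextMenu') },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @('NoViewContextMenu', 'NoActiveDesktop', 'ForceActiveDesktopOn') },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       Names = @('NoChangingWallPaper', 'NoComponents', 'NoAddingComponents',
                 'NoDeletingComponents', 'NoEditingComponents', 'NoHTMLWallpaper') }
)
# The one value the post says may legitimately remain under Policies\Explorer
$allowed = @('NoDriveTypeAutoRun')

foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { Write-Output "absent:   $($c.Path)"; continue }
    $key = Get-Item $c.Path
    foreach ($name in $key.GetValueNames()) {
        # '' is the (default) value; skip it and the allowed value
        if ($name -eq '' -or $allowed -contains $name) { continue }
        $val  = $key.GetValue($name)
        $flag = if ($c.Names -contains $name) { 'LOCKDOWN' } else { 'unexpected' }
        Write-Output ("{0,-10} {1}\{2} = {3}" -f $flag, $c.Path, $name, $val)
        if ($Remove -and $flag -eq 'LOCKDOWN') {
            Remove-ItemProperty -Path $c.Path -Name $name
            Write-Output ("removed    {0}\{1}" -f $c.Path, $name)
        }
    }
}

# The HTML wallpaper file the post deletes; report it rather than remove it
$wp = Join-Path $env:windir 'Web\wallpaper.html'
if (Test-Path $wp) { Write-Output "present:  $wp (post says to delete this file)" }
```

Run it from an elevated prompt, since the HKLM key is read-only for a standard user.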
     
  10. Tharsh

    Tharsh Private E-2

    Thank you finally the wallpaper is back to normal :) :)
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    So no further problems remain?
     
  12. Tharsh

    Tharsh Private E-2

    Yep, everything is running fine.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
