SpySheriff won't go away

Hi,

I've spent countless hours trying to get rid of Spysheriff. I did the things you suggested in the Spyware tutorial, and after all that, I still can't get rid of SpySheriff.

Basically, the software pops up every time i restart. it's also taken over my desktop with a big "System Stopped" black sign.

Can you please help? I am extremely frustrated....
Thank you in advance!

~anna~

 

Look at the topic here SpySheriff and also look at the other topics regarding SpySheriff on how to remove it.

controlmind

 

thank you for the reply.

the problem is that i've already done all that stuff....and still, nothing's worked.

does anyone know the name of the exe file for spysheriff?

~anna~

 

Is it SpySheriff.exe?

controlmind

 

yes, it is spysheriff.exe. but it's not just that...it's hidden somewhere, when the computer is restarted. to the point that it actually disables avast from running until spysheriff has loaded and opens up.

i even tried renaming all of the files in the spysheriff folder, and even naming the folder something else, without deleting the files, or removing them from the programs. but that didn't work either, because as soon as i restarted the computer, another spysheriff folder appeared.

this is a tricky little bastard...
anna

 

Is the file C:\Program Files\SpySheriff\SpySheriff.exe or C:\WINDOWS\svchost.exe or C:\WINDOWS\kdx\KHost.exe or C:\WINDOWS\System32\zolk.dll ?

controlmind

 

AnnaB,

http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

Dear Controlmind,

thank you very much for suggesting i search for those files. spysheriff.exe does exist, but that's not what's causing all this, as every time i erase it or remove it, the sucker comes back upon restart.

none of those files you suggested are the culprits either.

sigh....

~anna~

 

Then just follow bjgarrick post above

controlmind

 

Hi,

Here is the Hijack This log you asked for, attached. Thank you for your help. I really appreciate it.


~anna~

 

AnnaB,

Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
(C:\Program Files\HJT) and click Next.

Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

 

Hi,

Sorry about that. I thought I followed the directions correctly, but i guess not.
Hopefully I got it right this time.

Thanks a bunch.
~Anna B~

 

Please look in Add or Remove Programs for the following and Uninstall them if found:

Daily Weather Forecast

Bucikca


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

R3 - Default URLSearchHook is missing

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [Zobaxe] C:\Program Files\Bucikca\Fhqp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\Program Files\Daily Weather Forecast ←–– Delete this whole folder if it exist!

C:\Program Files\Bucikca ←–– Delete this whole folder if it exist!

C:\winstall.exe

ShowWnd.exe <-- Search for this file and delete when found!

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

HOLY GUACAMOLE!
you fixed it.
thank you SO much! i can't tell you how much I appreciate your help.

yaay!
~anna b.~

 

Your Welcome!

To confirm your clean go ahead and attach a fresh HJT log.

 

In the newer threads I am referring them to it but in these older threads I am manually removing them. In this case problems are already resolved no need for it.

 

Hello,

Attached is my newest HJT log, as you requested (to make sure that it is ineed all gone). Thank you for the gazillionth time. You're awesome.

~Anna~

 

Your HJT log is clean, are you having any further problems?

 

Nope! Looks like this case is closed.
Thanks a million!!!! You rock.

Best,
Anna

 

Your Welcome!

You should see this article on How to Protect yourself from malware!