problem with ununinstallable program
Yesterday I was browsing some sites and was drowned in popups. Now I have this program called SpySheriff (my stepfather and I think it is spyware in disguise (did I spell that right?)) and we can't remove it no matter how we tried: safe mode, using Add/Remove Programs, and scanning with Ad-Aware, but every time I reboot it installs itself again. So my question is: how do I get rid of it?
Hi merder
Download, update and scan with Spybot S & D (http://www.safer-networking.org/index.php?page=download). See how you get on with that.
Hi Net, it didn't help. Spybot did find 3 entries but that did not remove that SpySheriff.
OK merder. I'll have to get you to download, install and use a program called HiJackThis.
You can download it from THIS (http://www.spywareinfo.com/~merijn/downloads.html) page under Official Downloads.
It is important that you create a folder in your C:\Program Files folder. Name it HJT and extract the program executable to that folder. Run it and click on Do a system scan and save a log file and post that log here. I'll take a look at the log and tell you how to proceed. (It'll take me a while to go through it.)
Here is the logfile, Net.
Logfile of HijackThis v1.99.1
Scan saved at 18:34:20, on 7-7-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
O:\vba\rew.exe
O:\download\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118996039702
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
OK, thank you merder.
Now, if when you installed Spybot S & D you also installed the Tea Timer component, then please run Spybot again and disable this component before going on with the next part (it may interfere). When that is done, you MUST make sure all browser windows are closed before continuing (you will have to print these instructions).
Run HiJackThis again, click Do a system scan only. When the scan is complete, check the box next to the entries:
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
And click Fix checked.
When done, quit the program.
Next step, go to Control Panel/Folder Options and click on the View tab. In the scroll box, check the radio button Show hidden files and folders and uncheck Hide extensions for known file types. Then click Apply and OK.
When done, please restart your computer in Safe Mode. Then navigate to your C:\ drive and delete the file winstall.exe if found. Next, navigate to your C:\Program Files\ folder and delete the folder SpySheriff that contains SpySheriff.exe if found.
When done, reboot your system normally, load HiJackThis, perform another scan and post that new scan log here.
[ 07. July 2005, 18:01: Message edited by: Neteru ]
Well, here is the new logfile. Note that I would even bother posting them if I didn't have the problem (then I wouldn't even post here, but I have/had (don't know if it still exists) the problem, and that can destroy more than a logfile and deleting some files).
Logfile of HijackThis v1.99.1
Scan saved at 9:50:16, on 8-7-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
O:\download\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118996039702
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
[ 08. July 2005, 08:54: Message edited by: merder ]
Hi merder
Thanks. Your log is clean!
Now you need to purge your System Restore points by following my guide HERE (http://neteru.tombraiderforums.com/tech/htsrpurge.html).
Once you've purged, rebooted, and reactivated System Restore, create a new Restore point to test all is well. If you have a problem with it, follow the rest of the instructions in that guide under SYSTEM RESTORE PROBLEMS. Let me know how it goes.
Also, it would be a good idea for you to download and install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html). This program will help to prevent such nasties from getting on your system in the first place. If you want to know more about using the program, I've written a guide for that also, and it is accessible HERE (http://neteru.tombraiderforums.com/tech/htspyblast.html).
[ 08. July 2005, 11:41: Message edited by: Neteru ]
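The before/after comparison done by eye in the posts above can be automated. This is an added example, not part of the original thread: it parses the O4 (registry autorun) lines of two HijackThis logs, reports which autoruns disappeared, and flags any that launch from outside the usual install directories. The function names and the list of "usual" prefixes are assumptions made for the illustration.

```python
import re

# Constructed excerpts: O4 (autorun) lines copied from the two logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Line shape: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Assumption: installed software on this XP machine normally lives under these prefixes.
USUAL_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

def parse_o4(log_text):
    """Map (hive, key, value name) -> command line for every O4 registry autorun."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command
    return entries

def removed_entries(before, after):
    """Autoruns present in the first log and absent from the second."""
    return sorted(k for k in before if k not in after)

def unusual_location(entries):
    """Autoruns whose executable sits outside the usual install directories."""
    return sorted(k for k, cmd in entries.items()
                  if not cmd.strip('"').lower().startswith(USUAL_PREFIXES))

if __name__ == "__main__":
    before, after = parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)
    for key in removed_entries(before, after):
        print("gone after fix:", key, "->", before[key])
    for key in unusual_location(before):
        print("unusual path:", key, "->", before[key])
```

The path check catches C:\winstall.exe but not SpySheriff.exe, which installs under Program Files, so a location heuristic only supplements a review of each entry.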
I purged it; it went pretty well, I think. I made a checkpoint and it worked well. I hope SpywareBlaster keeps my system perfectly safe (though I think some could slip through, just like viruses can sometimes do).
[edit]: I still have one problem left, created by SpySheriff: it has blocked my desktop with an, I think, fake warning telling that my system has been blocked by spyware, but everything but desktop image changing still works. I don't know how to restore desktop control. (Should I keep this in this topic or open a new one?)
[ 09. July 2005, 09:54: Message edited by: merder ]
Thanks merder.
OK, I've looked into it a bit more. It seems SpySheriff does this too. You need to make some changes to your registry. So pay close attention.
Right click HERE (http://neteru.tombraiderforums.com/files/fixadt.reg) and select Save As. You should already be prompted to save as fixadt.reg. Save the file to a place you can locate easily. When downloaded, double click the file, and when asked if you want to add to the registry, click Yes.
Next, Right click HERE (http://neteru.tombraiderforums.com/files/desktopfix.reg) and select Save As. You should already be prompted to save as desktopfix.reg. Save the file again to a place you can easily locate. When downloaded, double click this file and again, add it to the registry.
When you have done that, you need to go to your registry editor. Do this by going to the Start Menu/Run and type in regedit and click on OK.
When your registry editor is open, look in the Left pane for the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Click on that folder, then look in the Right pane for a REG_DWORD value NoViewContextMenu
Right click that REG_DWORD and delete it!
-------------------------------------
Back to the Left pane, look for the next key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Again, look for the REG_DWORD NoViewContextMenu
Right click that REG_DWORD and delete it!
-------------------------------------
Back to the Left pane, look for the next key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
Again, look for the REG_DWORD NoChangingWallPaper
Right click that REG_DWORD and delete it!
-------------------------------------
Back to the Left pane, look for the next key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the Right pane, Right click and delete the following two values:
ForceActiveDesktopOn
NoActiveDesktop
-------------------------------------
Back to the Left pane, look for the next key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
Only the (Default) string should remain here. If the following values appear, delete them.
NoComponents
NoAddingComponents
NoDeletingComponents
NoEditingComponents
NoHTMLWallpaper
When done, close the Registry editor. Then Right click on your Desktop and click Properties. Select the Desktop tab and toward the bottom, click on the Customize Desktop button. Now select the Web tab and Uncheck everything in this tab and click OK.
When all this is done, please reboot your system. If all is well (which it should be), I would advise you to purge your System Restore again, as the previous registry entries locking you out will be backed up.
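To confirm the manual steps above took effect, the Policies branch can be exported from regedit and checked offline. This is an added example, not part of the original thread: it parses a .reg export and reports any of the values the post lists for deletion that are still present. The sample export is constructed, and the function name is an assumption.

```python
import re

POLICIES = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\"
# Values the post says to delete, grouped by the key they live under.
LOCKOUT_VALUES = {
    "HKEY_LOCAL_MACHINE\\" + POLICIES + "Explorer": {"NoViewContextMenu"},
    "HKEY_CURRENT_USER\\" + POLICIES + "Explorer":
        {"NoViewContextMenu", "ForceActiveDesktopOn", "NoActiveDesktop"},
    "HKEY_CURRENT_USER\\" + POLICIES + "ActiveDesktop":
        {"NoChangingWallPaper", "NoComponents", "NoAddingComponents",
         "NoDeletingComponents", "NoEditingComponents", "NoHTMLWallpaper"},
}

# Constructed sample of a regedit export (real exports are UTF-16: open with encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
@=""
"nochangingwallpaper"=dword:00000001
'''

# A value line is "name"=data; the name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def find_lockout_values(reg_text):
    """Return sorted (key, value name, data) for each listed value found in a .reg export."""
    wanted = {k.lower(): {v.lower() for v in vals} for k, vals in LOCKOUT_VALUES.items()}
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header = registry key path
            continue
        m = VALUE_RE.match(line)
        # Registry key and value names are case-insensitive, so compare lowercased.
        if m and key and m.group(1).lower() in wanted.get(key.lower(), ()):
            hits.append((key, m.group(1), m.group(2)))
    return sorted(hits)

if __name__ == "__main__":
    for key, name, data in find_lockout_values(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data}")
```

An empty result on a fresh export means none of the listed lockout values remain under the three keys.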
I installed those 2 reg files you put a link to in your last post. Then I tried finding those reg keys but I didn't have them, so I tried removing that annoying fake warning and I immediately could :D So the problem is finally fixed. So thanks for the help.
OK merder, great. But can you just confirm for me that you did also go to the Web tab under desktop properties, and uncheck those boxes?
I actually think you got off lightly with this problem. You didn't seem to have half the trouble I've seen with it.
Hopefully you will now stay clean.