Spy Sheriff totally removed ?

G

Guest

I was hit by the Spysheriff spyware last dec 28. MSA did notice the spyware.
even removed some of it, but still i detected spyware in the registry and
also the desktop was changed and could not be changed back. After using
multiple spyware detectors and manual searches i believed i was relieved from
this spyware. But today I am not so sure anymore. Pls help me with some re to
the following Q's.
1. In my C:\Documents and Settings\Fred\Local Settings\Temporary Internet
Files i have detected the following statement - default
ms-its:C:\Program Files\Microsoft
AntiSpyware\MicrosoftAntiSpyware.chm::/default.css - Does this look normal to
you ?
2. Yesterday MSA registered the following event : Internet Explorer URL for
Search Bar has been allowed to be changed from www.google.com to
res://C:\WINDOWS\system32\hvfgr.dll/sp.html#88449%resultposition.net. This
URL is in the user's allowed Internet Explorer URL list.
Today the MSA registered the reversed event.
The hvfgr.dll is non-existent btw. I have no idea why the change of
yesterday was initiated (still spyware left over???) and second i do not know
where i could find that socalled allowed IE URL list.

Some help is really appreciated.
kind regards and thx in advance
Fred B
 
G

Guest

Hi itsgoofy,

From: "plun"
Follow this thread: Smitrem and Ewido remºval.

http://forums.techguy.org/printthread.php?t=376692

Also use CCleaner for junk removal www.ccleaner.com


From: "AndyManchesta"

You can use Add/Remove screen to remove SpySheriff if you have downloaded
this yourself but if its been downloaded as part of a trojan infection then
it will take alot more work to remove it.

Has your desktop wallpaper changed to a spyware warning
and do you have icons in the system tray that say you are
infected with malware and need to download some rogue
remover such as SpySheriff to clean it.
This is just a couple of signs of this Trojan Infectiºn

If you cannot remove this through Add/Remove screen Id
suggest using Hijack This and posting back the log it
produces to show if this is a Trojan Infectiºn.
The Trojan drops files all over the place and most scanners
will not remove this.
Last time I checked all the main
scanners (MS Antispy,Ewido,Adaware,Spybot) were failing
to find the main parts to this trojan so it kept coming
back, its also hooked into explorer.exe so it starts with
windows so it can be a pain if you miss some of the
entries for this as it will just download anything that
gets removed when your system restªrts

Download Hijack This if needed :

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save it to desktop or c:/drive, Run Hijack This and
choose to do a system scan and save the logfile, when its
finished it will open the results in notepad, post them
back and please do not fix anything using Hijack This as
most will be harmless or essential files.

You could post the results over at spywareinfo or
tomcoyote or other Hijack This forums but you will have
to wait a few days for a reply as they get swamped with
requests for help.

http://www.bleepingcomputer.com/for...Sheriff_Winstallexe_Spysheriffexe-t22402.html

Good luck

Engel
 
I

Ira

Hi itsgoofy, there is a programs "Windows Registry Repair" I use it and
found that it really cleans up and fixes any problems that occur with the
registry. It even has a defrag option for the registry. Hope this helps.
Ira
:I was hit by the Spysheriff spyware last dec 28. MSA did notice the
spyware.
: even removed some of it, but still i detected spyware in the registry and
: also the desktop was changed and could not be changed back. After using
: multiple spyware detectors and manual searches i believed i was relieved
from
: this spyware. But today I am not so sure anymore. Pls help me with some re
to
: the following Q's.
: 1. In my C:\Documents and Settings\Fred\Local Settings\Temporary Internet
: Files i have detected the following statement - default
: ms-its:C:\Program Files\Microsoft
: AntiSpyware\MicrosoftAntiSpyware.chm::/default.css - Does this look normal
to
: you ?
: 2. Yesterday MSA registered the following event : Internet Explorer URL
for
: Search Bar has been allowed to be changed from www.google.com to
: res://C:\WINDOWS\system32\hvfgr.dll/sp.html#88449%resultposition.net. This
: URL is in the user's allowed Internet Explorer URL list.
: Today the MSA registered the reversed event.
: The hvfgr.dll is non-existent btw. I have no idea why the change of
: yesterday was initiated (still spyware left over???) and second i do not
know
: where i could find that socalled allowed IE URL list.
:
: Some help is really appreciated.
: kind regards and thx in advance
: Fred B
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

My problems so far...!!! 6
MS Antispyware false alert? 2
AntiSpyware Removes but 1
Explanation of Unknown Service that AntiSpyware Silently Grants Permission to Install (long) 28
Detailed Report - Self-inflicted Infestation and MSAS 1.0.501 26
Recent spyware attack 2
Control Panel 3
NAV vs Defender 3

Top