
35 Posts
Discussion Starter · #1 ·
A couple of weeks ago, I got hit with the "SpySheriff" trojan or whatever it is. After going through a bunch of scans with several different programs, I finally succeeded in clearing that program and its remnants out, with one exception. I still do not have control of my desktop. I don't get that big "WARNING ..." box anymore, but I have lost the ability to choose my desktop background. When I go to Properties and then select "Desktop," the background choices are all grayed out.

Can someone tell me how to get my desktop back?

Thanks for your help.

123,556 Posts
Go to Control Panel - Display. Click on the "Desktop" tab, then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK, then Apply and OK.

35 Posts
Discussion Starter · #3 ·
There was nothing like "Security" in there, only "My Current Home Page" and this other thing which has been putting this world map on my desktop ever since the SpySheriff got in. I deleted that and now I've got the big black rectangle with "SYSTEM STOPPED" in red letters back on the desktop.

123,556 Posts
Download and save Cleandesktop to your computer from this link, then double-click cleandesktop.exe.

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script.

If it doesn't open, then go to c:\desktopclean and double-click cleandesktop.vbs. Do not run any other file from there, please, unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it like "Cannot find script file ...", then don't worry; just double-click the cleandesktop.vbs script again, as you sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

Another vbs is included to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs.

Open C:\ (Go to Start – Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have, right-click on a blank part of the desktop and select Properties > Desktop, select your preferred picture, press Apply and then OK to exit, and then press F5.

You will need to do this step for every user account.
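The two scripts described above (cleandesktop.vbs for the current user, Other Profiles Regfix.vbs for each additional account) are not reproduced in the thread. The PowerShell below is an added example, not the thread's tool, that does the same three things: stop Explorer, strip the Active Desktop lockdown from the registry, and restart Explorer. It assumes the lockdown is made of the standard Active Desktop, Explorer and System restriction policy values named in the table (the thread does not say which ones the infection set, so the script removes all of them and reports what it found) plus a "web page" entry under IE's Desktop\Components key whose Source is a local file rather than a URL, which is what the Display > Desktop > Customize Desktop > Web list shows. The -AllProfiles switch goes beyond the thread: instead of signing each user in, it loads every other local profile's NTUSER.DAT with reg.exe load and applies the same repair. Hives of users who are currently logged on are locked and are skipped with a warning.

```powershell
#Requires -RunAsAdministrator
# Added example (not cleandesktop.vbs / Other Profiles Regfix.vbs from the thread).
# ASSUMPTION: these are the standard restriction values; the thread does not list
# which ones the infection set, so all of them are removed and reported.
$ActiveDesktopPolicies = @{
    'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' = @(
        'NoChangingWallPaper', 'NoComponents', 'NoAddingComponents',
        'NoDeletingComponents', 'NoEditingComponents', 'NoHTMLWallPaper')
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @(
        'NoActiveDesktop', 'NoActiveDesktopChanges', 'NoSetActiveDesktop')
    'Software\Microsoft\Windows\CurrentVersion\Policies\System' = @(
        'NoDispBackgroundPage', 'NoDispCPL')
}

function Repair-ActiveDesktopHive {
    # $HiveRoot is 'HKCU:', 'HKLM:' or 'Registry::HKEY_USERS\<loaded hive name>'
    param([Parameter(Mandatory)][string]$HiveRoot)
    foreach ($sub in $ActiveDesktopPolicies.Keys) {
        $key = "$HiveRoot\$sub"
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($name in $ActiveDesktopPolicies[$sub]) {
            $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }
            "removed $sub\$name (was $($prop.$name))"
            Remove-ItemProperty -Path $key -Name $name
        }
    }
    # Each Active Desktop "web page" is a numbered subkey here. A genuine entry has
    # an http(s) Source; a local .htm file is what paints the "SYSTEM STOPPED" banner.
    $comp = "$HiveRoot\Software\Microsoft\Internet Explorer\Desktop\Components"
    if (Test-Path -Path $comp) {
        foreach ($k in Get-ChildItem -Path $comp) {
            $src = (Get-ItemProperty -Path $k.PSPath).Source
            if ($src -and $src -notmatch '^https?://') {
                "removed desktop component $($k.PSChildName) -> $src"
                Remove-Item -Path $k.PSPath -Recurse -Force
            }
        }
    }
}

function Repair-ActiveDesktop {
    param([switch]$AllProfiles)
    # Explorer caches these settings, so it is stopped first, exactly as the thread's script does.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    try {
        Repair-ActiveDesktopHive -HiveRoot 'HKCU:'
        Repair-ActiveDesktopHive -HiveRoot 'HKLM:'   # machine-wide copies of the same policies
        if ($AllProfiles) {
            $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
            $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
            foreach ($p in Get-ChildItem -Path $list) {
                if ($p.PSChildName -eq $me) { continue }          # already done via HKCU
                $img = (Get-ItemProperty -Path $p.PSPath).ProfileImagePath
                if (-not $img) { continue }
                $hive = Join-Path -Path $img -ChildPath 'NTUSER.DAT'
                if (-not (Test-Path -LiteralPath $hive)) { continue }
                & reg.exe load 'HKU\ADFix' $hive 2>&1 | Out-Null
                if ($LASTEXITCODE -ne 0) {
                    Write-Warning "hive locked (user logged on?), skipped: $hive"
                    continue
                }
                try     { Repair-ActiveDesktopHive -HiveRoot 'Registry::HKEY_USERS\ADFix' }
                finally { [gc]::Collect(); & reg.exe unload 'HKU\ADFix' 2>&1 | Out-Null }
            }
        }
    } finally {
        Start-Process -FilePath explorer.exe
    }
}

Repair-ActiveDesktop -AllProfiles
```

Each removed value is written to the pipeline, so running the script once gives you the list of what the infection had actually set; an empty list after a fresh sign-in means the lockdown is not coming from the user's registry and the Desktop tab is grayed out for some other reason. Setting the wallpaper back is deliberately left to the user, as in the thread.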

35 Posts
Discussion Starter · #9 ·
Thank you Cookiegal!

Here is another solution that was sent to me:

Before beginning, back up your registry.

1. Clean out your Prefetch folder. Open C:\Windows\Prefetch and delete all files, then reboot.

2. Download CCleaner and run it.

3. Download these fixes, double-click them to merge the reg files, then reboot your system.

4. Next go to Control Panel and click Display > Desktop > Customize Desktop > Web. Uncheck "Security Info" if present. Delete any web pages listed, if any. Click OK.

123,556 Posts
I am aware of the solution but was under the impression from your post that you already had the problem solved and the only problem remaining was the desktop.

It would be a good idea to post a HijackThis log so we can see where you stand with this.

Please do this. Click here to download HijackThis.

Close all open windows and open HijackThis. Click “Scan”. When the scan is finished, the scan button will change to “Save Log”. Click on “Save Log” and then save it to Notepad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed.

35 Posts
Discussion Starter · #11 ·
That's what I thought too--that everything was taken care of except the desktop problem.

Here is the HijackThis! log:

Logfile of HijackThis v1.99.1
Scan saved at 3:03:27 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\ET4Tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
D:\Program Files\Intermute\SpySubtract\SpySub.exe
D:\Program Files\SpamPal\spampal.exe
D:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Gary\Desktop\New Stuff 7-15-05\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {63B46341-D785-DF05-D958-DD7F116AD5C9} - C:\WINDOWS\System32\zyzoj.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {13E29D3B-7BE4-4FAE-8EDB-18F97F782F94} - (no file)
O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\ET4Tray.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [RegisterDropHandler] D:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: SpamPal.lnk = D:\Program Files\SpamPal\spampal.exe
O4 - Startup: SpySubtract.lnk = D:\Program Files\Intermute\SpySubtract\SpySub.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\Intermute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH Radio - {A12651D6-468F-46B1-B99B-1D61FC39A6A9} - C:\WINDOWS\system32\SHDOCVW.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {5DA6A3EB-DEAA-45AD-B303-64A474879FA0} -
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - E:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - E:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - E:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

123,556 Posts
Go to Control Panel - Add/Remove programs and remove:

AWS (WeatherBug)
Daily Weather Forecast

Click here to download
  • Save the file to your desktop.
  • Unzip to extract the files it contains.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the Options button.
  • Click Advanced and remove the check by Only delete files in Windows temp folders older than 48 hours.
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.

Click here to download Killbox and save it to your desktop.

Download the trial version of Ewido Security Suite here.
  • Install Ewido.
  • During the installation, under Additional Options uncheck Install background guard and Install scan via context menu.
  • Launch Ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.

Click here for info on how to boot to safe mode.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Now go ahead and set your computer to show hidden files like so:

Go to Start – Search and under More advanced search options, make sure there is a check by Search System Folders and Search hidden files and folders and Search system subfolders.

Next, click on My Computer, Go to Tools – Folder Options. Click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files and Hide extensions for known file types. Now click Apply to all folders. Click Apply and then OK.

Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click Fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {63B46341-D785-DF05-D958-DD7F116AD5C9} - C:\WINDOWS\System32\zyzoj.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {13E29D3B-7BE4-4FAE-8EDB-18F97F782F94} - (no file)

O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

O16 - DPF: {5DA6A3EB-DEAA-45AD-B303-64A474879FA0} -

O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the Full Path of File to Delete box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these into the Paste Full Path of File to Delete box.

C:\Program Files\Daily Weather Forecast\weather.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure not to miss any.

Exit the Killbox.

Locate and delete the following folders:

C:\Program Files\Daily Weather Forecast
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop

Start CCleaner and click Run Cleaner

Go to Control Panel – Internet Options. Click on the Programs tab, then click the Reset Web Settings button. Click Apply, then OK.

Next go to Control Panel – Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an entry checked called something like Security info or similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.

Restart back into Windows normally now.

Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself. - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the Ewido scan
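The reply above picks the HijackThis entries to fix by hand. The rules it applies to the O2, O3, O4 and O16 lines are mechanical enough to script, so here is an added example (not a tool from the thread or from HijackThis) that parses a v1.99-style log and flags: O2/O3 registrations whose DLL is gone ("(no file)" or "(file missing)"), O16 Downloaded Program Files that carry no control name, and O4 autorun entries for programs already slated for removal. The sample lines are copied from the log posted in this thread. What the script does not do is the judgment call the reply also made, such as fixing a named O16 control (RdxIE Class) or the R1 SearchURL entry; those still need a lookup, and the -UnwantedPrograms list is an input you supply, not something the parser infers.

```powershell
# Added example, not part of the thread. Sample input copied from the log above.
$SampleLog = @'
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {63B46341-D785-DF05-D958-DD7F116AD5C9} - C:\WINDOWS\System32\zyzoj.dll (file missing)
O3 - Toolbar: (no name) - {13E29D3B-7BE4-4FAE-8EDB-18F97F782F94} - (no file)
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
'@

function Get-HjtFinding {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$UnwantedPrograms = @()   # e.g. names from Add/Remove Programs you are removing
    )
    foreach ($line in $Lines) {
        # Every HijackThis entry starts with its section code: R0, R1, O2, O4, O16, O23 ...
        if ($line -match '^(?<sec>[RO]\d+) - (?<rest>.*)$') {
            $sec  = $Matches.sec
            $rest = $Matches.rest
        } else { continue }

        $reason = $null
        switch -Regex ($sec) {
            '^O[23]$' {
                # BHO / toolbar CLSID still registered in IE but the DLL is gone:
                # nothing legitimate needs that registration, so it is safe to fix.
                if ($rest -match '\((no file|file missing)\)') {
                    $reason = 'orphaned COM registration (DLL no longer on disk)'
                }
            }
            '^O16$' {
                # A DPF line with a name looks like "{CLSID} (Name) - url"; an entry with
                # nothing between the CLSID and the dash has no name to verify against.
                if ($rest -match '^DPF: \{[0-9A-F-]+\}\s*-') {
                    $reason = 'ActiveX control with no name'
                }
            }
            '^O4$' {
                foreach ($p in $UnwantedPrograms) {
                    if ($rest -like "*$p*") { $reason = "autorun for program being removed ($p)" }
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{ Section = $sec; Reason = $reason; Entry = $line }
        }
    }
}

Get-HjtFinding -Lines ($SampleLog -split "`r?`n") `
               -UnwantedPrograms 'Daily Weather Forecast', 'AWS\WEATHE~1' |
    Format-Table -AutoSize -Wrap
```

Against the sample it reports the two orphaned O2 entries, the orphaned O3 toolbar, the two weather autoruns and the unnamed O16 control, and leaves the Acrobat BHO, ClocX and the named HouseCall control alone, which matches the fix list in the reply for those sections. Feed it a real log with `Get-Content hijackthis.log` in place of the sample.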

35 Posts
Discussion Starter · #13 ·
Wow. You have done a lot to help. I really appreciate this.

The AWS Weatherbug--is it really not a good program? I've been using it for a long time and like the handy way I can get the temp and weather with a simple click or two.

I've got some other stuff I've got to get done tonight so I'll probably follow your suggestions later tonight or tomorrow.

Again, thank you for all of your help here.