AntiSpywareMaster and RegistryGreat | How to remove
AntiSpywareMaster looks like AntiSpywareExpert and AntispywareDeluxe.
The program reports false or exaggerated system security threats on the computer. The user is then prompted to pay for a full license of the application in order to remove the errors.
Usually, rogue antispyware infects systems via misleading advertising on free download, warez and porn websites, trojans and browser security holes.

Hijackthis shows infection:
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
AntiSpywareMaster Files:
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk
%UserProfile%\Desktop\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk
%ProgramFiles%\AntiSpywareMaster\asm.exe
RegistryGreat
The program may then give a report of exaggerated registry errors on the computer.

Hijackthis shows infection:
O4 - HKLM\..\Run: [RegistryGreat] C:\Program Files\RegistryGreat\RegistryGreat.exe
RegistryGreat files:
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Registry Easy.lnk
%UserProfile%\Desktop\Registry Great.lnk
%UserProfile%\Local Settings\Temp\Perflib_Perfdata_e04.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great Help.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great on the Web.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Registry Great.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Registry Great\Uninstall Registry Great.lnk
%ProgramFiles%\Registry Great\Code
%ProgramFiles%\Registry Great\errorlist.txt
%ProgramFiles%\Registry Great\GreatHelp.chm
%ProgramFiles%\Registry Great\RegGreatUpdate.exe
%ProgramFiles%\Registry Great\RegistryGreat.exe
%ProgramFiles%\Registry Great\RegistryGreat.url
%ProgramFiles%\Registry Great\ScanResult
%ProgramFiles%\Registry Great\unins000.dat
%ProgramFiles%\Registry Great\unins000.exe
%ProgramFiles%\Registry Great\Update.ini
How to remove
Download and install SuperAntiSpyware.
Start SuperAntiSpyware. On the main screen click on ‘Scan your computer’. Check: ‘Perform Complete Scan’. Click ‘Next’ to start the scan.
SuperAntiSpyware will now scan your computer. When it has finished, it will list any infections found. Make sure everything found has a checkmark next to it, then press ‘Next’. Click on ‘Finish’ when you are done.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum
May 2, 2008 on 11:18 pm | In Rogue Anti Spyware, Tutorials - "How to"
How to remove new rogue antispyware programs Malware Bell and IE Antivirus
S!Ri.URZ and Bharath’s Security Blog reported new rogue antispyware programs: Malware Bell and IE Antivirus.
Malware Bell is a new version of IE Defender.

VirusTotal results for the Malware Bell installer (engine, version, date, detection name):
AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.MalwareBell.F
DrWeb 4.44.0.09170 2008.04.26 Trojan.Fakealert.525
Fortinet 3.14.0.0 2008.04.26 Misc/MalwareBell
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.MalwareBell.F
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.MalwareBell.f
NOD32v2 3057 2008.04.26 Win32/Adware.IeDefender.NDG
Prevx1 V2 2008.04.26 Generic.Malware
Sophos 4.28.0 2008.04.26 Troj/FakeVir-AY
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.MalwareBell.F
It displays this alert message:
Your system is infected with dangerous virus!
Note: Strongly recommend to install antispyware program to clean your system and
avoid total crash of your computer!
IE Antivirus looks like: IE Defender, Files Secure, Malware Bell.

VirusTotal results for the IE Antivirus installer (engine, version, date, detection name):
AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.IeDefender.CJ
Fortinet 3.14.0.0 2008.04.26 Misc/IeDefender
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.IeDefender.CJ
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.IeDefender.cj
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.IeDefender.CJ
Home sites for these rogue apps:
Site Name: MalwareBellAgreement.com
Site Name: IEAntiAVDownload.com
IP Address: 89.149.227.195
Sample URLs:
malwarebellagreement(dot)com/mb.exe
malwarebellagreement(dot)com/ieav.exe
ieantiavdownload(dot)com/ieav.exe
ieantiavdownload(dot)com/mb.exe
Use SmitfraudFix to remove them.
If you are still having problems with spyware after using SmitfraudFix, ask for help on the Spyware help forum.
April 28, 2008 on 3:37 am | In Rogue Anti Spyware, Tutorials - "How to"
Found new rogue antispyware programs
The Sunbelt blog reported that it found some new rogue antispyware programs.
unigray.com
spymaxx.com
spywatche.com
pcprivacytool.com
thelastdefender.com
thespybot.com
spywareisolator.com
pc-cleaner.com
pc-antispyware.com
MalwareWar.com
DataHealer.com
These can all be removed with the free trial version of CounterSpy.
March 26, 2008 on 9:30 am | In Rogue Anti Spyware
VirusHeat rogue antispyware - How To Remove
VirusHeat is a fake anti-spyware (rogue antispyware) program. It uses deceptive means for its installation and purpose, and may display fake scan results. It usually installs itself onto your PC without your permission, through the Zlob Trojan, viruses, or fake audio/video codecs.
Symptoms:
Add/Remove Programs control panel entry: VirusHeat 3.9, VirusHeat 4.3
HijackThis shows:
O4 - HKLM\..\Run: [VirusHeat 3.9] “C:\Program Files\VirusHeat 3.9\VirusHeat 3.9.exe” /h
O4 - HKLM\..\Run: [VirusHeat 4.3] “C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe” /h
To fix the problem, follow these steps:
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: VirusHeat 3.9, VirusHeat 4.3
Download virusheat_fix.reg and save the file to your Desktop by right-clicking the link and selecting Save Link As or Save File As, depending on your browser.
Double-click on the virusheat_fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Reboot your PC.
If you are still having problems with spyware after completing these instructions, please follow the steps in: How to use Spyware Removal Forum - MUST READ
February 25, 2008 on 6:49 am | In Rogue Anti Spyware, Tutorials - "How to"
How to remove IE Defender
IE Defender is a rogue antispyware application that is starting to infect a lot of users. This particular infection is harder to remove. IE Defender also installs itself in your Internet Explorer browser and hijacks the searches you enter into the Google and Yahoo search engines. When an infected Internet Explorer opens Google or Yahoo and makes a search request, you will see a hijacked search result listing. You will also periodically get a fake message:
Google Error
Your computer is infected! Some of your search results were changed by spyware
You have to clean your PC and we recommendto use our ANTISPYWARE!
To remove the IE Defender spyware, follow these steps:
Download FixIED.reg and save the file to your desktop.
Download CCleaner. Double-click the file to install it.
Download Avenger and unzip to your desktop.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: IE Defender
On your desktop find and double-click on the FixIED.reg file that you just downloaded. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.
Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy and paste the following text:
Files to delete:
C:\Windows\System32\bDivX.dll
C:\Windows\System32\bDivX.dll.bak
C:\WINDOWS\system32\IR9V0_QCX.dll
C:\WINDOWS\system32\IR9V0_QCX.dll.bak
C:\Windows\System32\Video32.dll
C:\Windows\System32\Video32.dll.bak
C:\WINDOWS\system32\IntelVideo.dll
C:\WINDOWS\system32\IntelVideo.dll.bak
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll.bak
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll.bak
C:\Windows\System32\dx50codec.dll
C:\Windows\System32\dx50codec.dll.bak
C:\Windows\System32\a3gpcodec.dll
C:\Windows\System32\a3gpcodec.dll.bak
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\aDivX.dll.bak
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\mp3avi.dll.bak
C:\Windows\System32\VideoMP3.dll
C:\Windows\System32\VideoMP3.dll.bak
Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Boot your PC in Safe Mode.
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Run the Panda online virus scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Disable System Restore to flush out infected restore points. Reboot your computer again. Turn Windows System Restore back on. After that, click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. Click on “create new restore point”, click on NEXT and follow the prompts.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below
Spyware removal - Read Before Posting
November 10, 2007 on 9:09 am | In Rogue Anti Spyware, Spyware protection and removal, Tutorials - "How to"
Found new rogue antispyware - Web Spy Shield
Sunbelt team found a new scam, which does a fake scan of your PC.
It installs a toolbar and an exe in a webspyshield folder; however, it is a fake web-based scam. You have to be connected for it to run, and I would hate to think what anyone may pay to register it, as it is no real software but only a new form of their online scanner scams.
HijackThis shows Web Spy Shield:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
O2 - BHO: WebSpyShieldToolBarShower - {DC87418B-0B2C-424E-900D-54F2ECE15B6B} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O3 - Toolbar: WebSpyShield - {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O4 - HKCU\..\Run: [WebSpyShield] C:\Program Files\WebSpyShield\WebSpyShield.exe
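HijackThis entries like the ones quoted in the posts on this page can be triaged mechanically. The following is an added example, not part of the original posts and not HijackThis's own code: it parses the R0, O2, O3 and O4 line shapes shown here and flags entries whose names match a watchlist built from this page. The watchlist contents, the "orphaned" reason label and the ExampleUpdater line are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lower-case name fragments taken from the HijackThis excerpts on this page.
# "antivermins" also covers the AntiVerminser variant.
WATCHLIST = ("antispywaremaster", "registrygreat", "virusheat",
             "webspyshield", "antivermins", "antivermeans", "winapi32")

@dataclass
class Entry:
    section: str          # R0, O2, O3, O4
    name: str             # Run value name, BHO/toolbar name or registry value
    clsid: Optional[str]  # set for O2/O3 only
    target: str           # file path or URL the entry points at
    args: str             # command-line arguments (O4 only)
    note: str             # "(file missing)" / "(no file)" marker, if any

# Logs pasted through blog software often carry typographic quotes.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
_R = re.compile(r"^(R[0-3]) - (?P<key>.+?),(?P<value>[^,=]+?) = (?P<data>.*)$")
_O23 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - "
                  r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.+)$")
_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_TAIL = re.compile(r"^(?P<path>.*?)\s*(?P<note>\((?:file missing|no file)\))?$")
_PATH = re.compile(r"^(?P<path>.+?\.(?:exe|dll|bat|cmd|scr))(?:\s+(?P<args>.*))?$",
                   re.I)

def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised log line, or None for anything else."""
    line = line.strip().translate(_QUOTES)
    m = _O4.match(line)
    if m:
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):               # quoted path, arguments follow
            path, _, args = cmd[1:].partition('"')
        else:                                 # unquoted path may contain spaces
            pm = _PATH.match(cmd)
            path, args = (pm.group("path"), pm.group("args") or "") if pm else (cmd, "")
        return Entry("O4", m.group("name"), None, path, args.strip(), "")
    m = _O23.match(line)
    if m:
        tail = _TAIL.match(m.group("rest"))
        return Entry(m.group(1), m.group("name"), m.group("clsid"),
                     tail.group("path"), "", tail.group("note") or "")
    m = _R.match(line)
    if m:
        return Entry(m.group(1), m.group("value").strip(), None,
                     m.group("data").strip(), "", "")
    return None

def reasons(entry: Entry) -> List[str]:
    """Why an entry deserves a closer look; an empty list means no match."""
    hay = f"{entry.name} {entry.target}".lower()
    out = [f"watchlist:{w}" for w in WATCHLIST if w in hay][:1]
    if entry.note:                            # registration left behind, file gone
        out.append(f"orphaned:{entry.note}")
    return out

def scan(log: str) -> List[Tuple[Entry, List[str]]]:
    findings = []
    for line in log.splitlines():
        entry = parse_line(line)
        if entry is not None and reasons(entry):
            findings.append((entry, reasons(entry)))
    return findings

# Constructed sample: lines copied from the posts on this page, plus one
# made-up benign entry (ExampleUpdater) and a made-up header line.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
O2 - BHO: WebSpyShieldToolBarShower - {DC87418B-0B2C-424E-900D-54F2ECE15B6B} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [VirusHeat 3.9] “C:\Program Files\VirusHeat 3.9\VirusHeat 3.9.exe” /h
O4 - HKLM\..\Run: [AntiVerminser] C:\Program Files\AntiVerminser\AntiVerminser.exe /h
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

if __name__ == "__main__":
    for entry, why in scan(SAMPLE_LOG):
        print(entry.section, entry.name, "->", entry.target, why)
```

A watchlist match only narrows down which lines to review; other HijackThis sections (O4 Startup entries, O23 services and so on) are not parsed by this sketch.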
If you have problems uninstalling WebSpyShield, please follow the steps outlined in the topic linked below
Spyware removal - Read Before Posting
Read more: New Scam: Web Spy Shield
October 11, 2007 on 3:18 am | In Rogue Anti Spyware
Microsoft Antispyware? Check twice before installing!
The Sunbelt blog and Swatkat reported a new fake Microsoft Antispyware Center.
The website that pushes this rogue application calls itself “Microsoft Antispyware Center”! The layout of this website is identical to that of old rogue applications like SpyShredder, MalwareMonitor etc.
Read more:
Fake Microsoft Antispyware Center
Rogue application pretends as Microsoft Antispyware
Found new fake codec and new rogue antispyware
The Sunbelt blog reported new malware.
DVDacess (hosted at inc-codec(dot)com) is a Trojan horse that drops and executes a copy of Trojan-Zlob, a back door Trojan that allows the remote attacker to perform various malicious actions on the compromised computer.
VirusHeal (hosted at virusheal(dot)com) is a clone of the rogue security product SpyHeal.
To protect your PC, add both domains to your blocklist.
If you have problems with this malware and can't uninstall it, try the free spyware removal tool SmitfraudFix.
Found new spysheriff variants - Malware Stopper, Malware Panacea
The Sunbelt blog reported new rogue antispyware programs: Malware Stopper and Malware Panacea.
Malware Stopper and Malware Panacea are new variants of SpySheriff.
Don't install either program; read more about rogue antispyware.
If you have problems uninstalling them, try SmitfraudFix, a free tool for removing Desktop Hijack malware.
How To Remove Spylocked And Spywarelocked rogue antispyware
SpyLocked (SpywareLocked) is a fake anti-spyware (rogue antispyware) program.

It usually installs itself onto your PC without your permission, through the Zlob Trojan, viruses, or fake audio/video codecs. SpyLocked will show fake system alerts or fake security alerts to trick the user into buying the paid version of SpyLocked.
Symptoms:
Fake security warnings pop up in the bottom right of the screen. Example:
System Alert!
System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date anti-spyware solution.
Add/Remove Programs control panel entry:
SpyLocked 3.1
SpywareLocked 3.2
To fix the problem, follow these steps:
Download and unzip Avenger to your desktop.
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: SpyLocked 3.1, SpywareLocked 3.2
Run Avenger.
Check the ‘Input script manually’ option. Click the Magnifying Glass icon. In the box that opens, copy and paste the following text:
Files to delete:
C:\Windows\System32\fyxkaah.dll
C:\Windows\System32\onwtj.dll
C:\Program Files\SpyLocked\
C:\Program Files\SpywareLocked\
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Your computer should now be free of the Spylocked/Spywarelocked infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below
Spyware removal - Read Before Posting
March 27, 2007 on 8:10 am | In Rogue Anti Spyware, Tutorials - "How to"
Fill your blacklist again, found new rogue antispyware apps
Spyware Warrior reported new rogue antispyware apps:
# Ad Armor
# Fixer AntiSpy
# Spy Analyst
# Spy Officer
Found new rogue antispyware apps - SpyMarshal, AntiVermins (AntiVerminser)
The Bleepingcomputer team found new rogue antispyware apps: SpyMarshal, AntiVermins (AntiVerminser).
AntiVermins (AntiVerminser)

AntiVermins, like all rogue antispyware apps, uses misleading advertising, false positives, and fake scan reports as a scare tactic for you to purchase the commercial version of their application.
Symptoms in a HijackThis Log:
O4 - HKLM\..\Run: [AntiVermins] C:\Program Files\AntiVermins\AntiVermins.exe /h
O4 - HKLM\..\Run: [AntiVerminser] C:\Program Files\AntiVerminser\AntiVerminser.exe /h
O4 - HKLM\..\Run: [AntiVermeans] C:\Program Files\AntiVermeans\AntiVermeans.exe /h
Current AntiVermins (AntiVerminser) versions: cvnzie.dll, kuhmk.dll, ownyhr.dll, vwfps.dll, cthkpcv.dll, gwquvw.dll, axlet.dll, nbbrhbd.dll, oksrqqu.dll, vblhanf.dll
SpyMarshal

Like all rogue antispyware apps, it uses misleading advertising, false positives, and fake scan reports as a scare tactic to make you purchase the commercial version of the application. It also hijacks DNS settings.
If you can't uninstall or remove it, ask for help: Spyware Removal Forum
February 2, 2007 on 10:41 pm | In Rogue Anti Spyware
Found new rogue antispyware - PestCapture / how to remove
The Sunbelt blog reported a new rogue antispyware program, PestCapture.

PestCapture uses the same DLLs as another rogue antispyware program, Spysheriff.
To protect your PC, add these sites to your blocklist:
pesttrap(dot)com
Innovagest2000(dot)com
1stantivirus(dot)com
Anti-virus-pro(dot)com
Spycontra(dot)com
Spydeface(dot)com
Virushammer(dot)com
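The posts on this page give blocklist entries in defanged form, some as bare names with "(dot)" and some as sample URLs with a path. The following added example (not part of the original posts) turns such entries into hosts-file lines, dropping duplicates and anything that is not a host name. The 0.0.0.0 sink address, the extra "www." variant, support for the common "[.]" and "hxxp" defang styles and the rogue-example entry are assumptions made for the illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def refang(text: str) -> str:
    """Undo the defanging styles used for blocklist entries."""
    t = text.strip()
    t = re.sub(r"\s*[\(\[]\s*dot\s*[\)\]]\s*", ".", t, flags=re.I)  # (dot), [dot]
    t = t.replace("[.]", ".")
    t = re.sub(r"\.\s+(?=[A-Za-z])", ".", t)                        # "name. com"
    return re.sub(r"^hxxp", "http", t, flags=re.I)

def host_of(entry: str) -> Optional[str]:
    """Extract a lower-case host name from a bare name or a URL, else None."""
    t = refang(entry)
    if "://" not in t:
        t = "//" + t          # let urlsplit treat the text as a network location
    try:
        host = urlsplit(t).hostname
    except ValueError:
        return None
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return None           # single label or IP address: not a hosts-file name
    if not all(_LABEL.match(label) for label in labels):
        return None
    return ".".join(labels)

def build_hosts(entries: Iterable[str],
                sink: str = "0.0.0.0") -> Tuple[List[str], List[str]]:
    """Return (hosts-file lines, rejected entries), keeping first-seen order."""
    seen, lines, rejected = set(), [], []
    for raw in entries:
        host = host_of(raw)
        if host is None:
            rejected.append(raw)
            continue
        # Hosts files match exact names, so cover both the bare and www. form.
        base = host[4:] if host.startswith("www.") and "." in host[4:] else host
        for name in (base, "www." + base):
            if name not in seen:
                seen.add(name)
                lines.append(f"{sink} {name}")
    return lines, rejected

# Constructed input: entries as written in the posts on this page, with a
# deliberate duplicate, plus one made-up entry in the "name. tld" style.
SAMPLE_ENTRIES = [
    "pesttrap(dot)com",
    "pesttrap(dot)com",
    "Innovagest2000(dot)com",
    "malwarebellagreement(dot)com/mb.exe",
    "http://webspyshield(dot)com/scan.html",
    "www(dot)adwarefinder(dot)com/AdwareFinder_download(dot)html",
    "89.149.227.195",
    "rogue-example. test",
]

if __name__ == "__main__":
    hosts, skipped = build_hosts(SAMPLE_ENTRIES)
    print("\n".join(hosts))
    print("# not a host name, handle separately:", skipped)
```

IP addresses are rejected rather than written out because a hosts file maps names to addresses; an address has to be blocked at a firewall instead.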
To remove PestCapture from your computer, follow these steps:
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: PestCapture
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
Reboot your PC.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Your computer should now be free of the PestCapture infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting
Found new rogue antispyware - SpyHeal
The Sunbelt blog reported a new rogue antispyware program, SpyHeal. This is probably the replacement for Spyware Quake (or SpywareQuake).

Sysprotectionpage(dot)com showed spyheal(dot)com as one of the new partner sites and some rogue anti spyware apps also.
After opening Sysprotectionpage(dot)com, I got this message:
Warning!
W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected computer.
Type: Virus Infection
Length: 138,293 bytes
Systems Affected: Windows 95, 98, ME, NT (all versions), 2003, Windows XP (all service packs)
Systems Not Affected: DOS, EPOC, Linux, Macintosh, Novell Netware, OS/2, UNIX
Technical details: 1. Creates files in %Windir% directory. By default, this is C:\Windows. 2. Adds values to registry keys:
HKEY_LOCAL_MNACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Scans the hard drive for .exe files and infects any executable files.
Searches for passwords/information, which it may send to a remote attacker. Recomendations: Click “OK” to download officially approved security software. Always keep your patch levels up-to-date.
How strange :) I opened this page in Linux, a “Not Affected System”, but still got the fake message!
To protect your PC, add these sites to your blocklist: Sysprotectionpage(dot)com, spyheal(dot)com
July 9, 2006 on 6:39 am | In Rogue Anti Spyware
Found new rogue antispyware - AdwareFinder
Found new rogue antispyware - AdwareFinder.
The program claims it detects and destroys spyware, yet it is part of engagemarketing(dot)com which is being bundled via Dollarrevenue.

URL: www(dot)adwarefinder(dot)com/AdwareFinder_download(dot)html
June 26, 2006 on 11:35 pm | In Rogue Anti Spyware
Another rogue antispyware app for your blacklist - Trust Cleaner
The Bleepingcomputer blog and the Sunbelt blog reported a rogue antispyware program, Trust Cleaner. At first glance, this rogue anti-spyware application works the same way as the other ones that have been released lately, like SpyFalcon and SpywareQuake, as it uses trojans to display fake warnings that act as a goad to make you purchase the full commercial version of its software.
After the malware is installed, the rogue anti-spyware program Trust Cleaner is set to start automatically when your computer starts. It then scans your computer for supposed spyware and malware and displays a list of the items found. It is quite funny, though, as it finds its own components and labels them as spyware.

After installation, Trust Cleaner changes your Internet Explorer homepage to an HTML page that is loaded from a file on your local computer called C:\Windows\local.html. This page will generate a home page that looks strikingly like Google. In fact, it states at the bottom of the page that it is powered by Google. In reality, though, this page actually uses results from the site www.mswindowssearch.com and not from Google.
Trust Cleaner uses a number of addresses of its own; block them.
If you can't uninstall or remove it, ask for help: Spyware Removal Forum
June 16, 2006 on 9:42 am | In Rogue Anti Spyware
Found new rogue antispyware - Titan Shield
Found new rogue antispyware - Titan Shield.

Available at antispywarebox(dot)com (a new rogue site) and titanshield(dot)com
If you can't uninstall or remove it, ask for help: Spyware Removal Forum
June 12, 2006 on 9:49 pm | In Rogue Anti Spyware
How to remove Spyware Sheriff and Antispylab
Spyware Sheriff is a rogue antispyware application that uses Trojans and other malware to trick or scare you into purchasing it. If you are infected with this malware, your Internet Explorer home page will be reset to about:blank and display a fake Windows Security Center alert stating that you are possibly infected.
When you click on the button on this page, it will bring you to the site antispylab.com, which attempts to sell you either Spyware Sheriff, Adware Sheriff, or Regfreeze Antispy. This program will also create fake security alerts in the Windows taskbar stating that there are various security risks with your computer, ranging from spam and hack attempts to Trojan infections. When you click on these alerts, they will bring you to the antispylab.com site as well. There have also been reports of this infection crashing the legitimate Microsoft process lsass.exe.

When this process crashes, your computer will begin a countdown, at the end of which it will shut down.
Read more about Spyware Sheriff: New rogue antispyware - SpywareSheriff
As your first step, please download HijackThis.
Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis.
Download HijackThis.exe into this folder.
Print out these instructions as we will need to close every window that is open later in the fix.
Download SmitfraudFix. Extract the content (a folder named SmitfraudFix) to your Desktop.
Download and unzip Avenger to your desktop.
Download CCleaner. Double-click the file to install it.
Next, download, install, and update the free version of Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display “Update successful”)
5. Exit Ewido. DO NOT scan yet.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Reboot your computer into Safe Mode again.
Start up Avenger.
Check the ‘Input script manually’ option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste the following text:
Files to delete:
C:\WINDOWS\system32\winapi32.dll
Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Reboot your PC again in Safe mode.
Run HijackThis, Choose “Do a system scan only” and checkmark the box next to the following entries:
O2 - BHO: winapi32.MyBHO - {26C43C19-A1CE-456E-9CBF-77FFB9E92681} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
Close all other windows and browsers, then click “Fix Checked”.
Reboot your computer.
Run Ewido
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report“. This will create a text file. Make sure you know where to find this file again.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Restart your computer in normal mode.
Run the Panda online virus scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Your computer should now be free of the Spyware Sheriff and Antispylab.com infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting
Last update: 06/15/06
May 18, 2006 on 8:05 am | In Rogue Anti Spyware, Tutorials - "How to"
New rogue antispyware - SpywareSheriff
SpywareSheriff is a new rogue antispyware application that is starting to infect a lot of users. This particular infection is harder to remove than other variants such as SpywareQuake and SpyFalcon, because it uses a lot of random names for its files. It is, though, easy to tell when you are infected with this malware.

When you are infected, your Internet Explorer home page will be set to an about:blank page. If you attempt to change your home page to another site, it will be reset to that page.

Then when you click on the page, it will take you to the url http://antispylab.com/
You will also periodically get fake taskbar messages that state the following among others:
Alert! Trojan.Virus.Z.32.exe launch attempt detected…
It is recommended that you run a full system scan now to
reveal other possible threats. Click here to download spyware
remover.
Internet attack attempt detected…
Somebody’s trying to infect your system with spyware or
harmful viruses. Run system scan now to secure your PC from Internet
attacks and hijacking attempts!
Click here to download spyware remover now…
Alert!
Trojan.Virus.Z.32.exe launch attempt detected and blocked!
It is recommended that you run a full system scan to reveal other
possible threats.
Click here to visit Security Center web site and protect your system
against spyware and harmful viruses…
Credit card hijacking attempt detected…
This is a result of harmful spyware activity.
Scan your PC now to reveal and remove malicious spyware.
Visit Windows Security site to download antispyware…
The application is distributed at antispylab(dot)com or spywaresheriff(dot)com.
If you can't uninstall or remove it, we can help; post about it in the Spyware Removal Forum.
Thanks to Bleeping Computer Blog
May 5, 2006 on 7:44 am | In Rogue Anti Spyware
Found new rogue antispyware - Spyware Soft Stop
The Sunbelt blog reported a new rogue antispyware program, Spyware Soft Stop.

If you have the misfortune to run an executable named “sss_bot.exe”, you’ll get presented with a fake (and poorly worded) security message:
Warning!
Your computer is probably infected. Microsoft Corporation
recommends you to check your computer on the spyware
presents. Click here to download updates
If you can't uninstall or remove Spyware Soft Stop, or have other problems with it, post about it in the Spyware Removal Forum.