1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Spy Sherrif debris (HJT log)

By 5aq1b ยท 5 replies
Dec 15, 2005
  1. Hi,

    recently just cleaned up some trojans and viruses from my laptop after browsing some sites....i think keygen.us was the culprit. anyway, it installed spy sherrif on my laptop also, which has been removed successfully. I'm still recieving popups though and i think there are a few suspicious entries in the HJT log but i'm not 100% sure.

    if any1 could help, that would be appreciated!


    oh....my quicklaunch toolbar has disappeared also but the shortcuts are still in the quicklaunch folder. how do i restore this? and what was the reason that it disappeared in the 1st place?
  2. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15


    Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.

    Instead follow these steps:

    1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
    2. In the control panel goto "Add/ Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
    3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button
    4. Look for this key:
    It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
    Also delete this branch in your registry:
    5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
    This file is scheduled to execute each time you boot and it will re-install Spysheriff.
    Delete that file.

    There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
    6. Restart your system.
  3. 5aq1b

    5aq1b TS Rookie Topic Starter Posts: 63

    thanks, thats the exact method i used to remove 'sherriff'. The HJT log was created after the sherriff had been removed. is there any suspicious activities goin on in the log?
  4. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15


    Turn off MS Messanger. It's an invitation to viruses. Don't run any instant messanger.

    what are the following?

    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
    O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
  5. 5aq1b

    5aq1b TS Rookie Topic Starter Posts: 63


    heres a description i found of starwind:

    Process File: StarWindService or StarWindService.exe
    Process Name: Alcohol 120% StarWind

    StarWindService.exe is a process which belongs to Alcohol 120% and provides network drive sharing capabilities to this product. This program is non-essential process to the running of the system, but should not be terminated unless suspected to be causing problems..


    did virus scan etc in safe mode, heres an updated HJT log.

    also on startup, it gives me a message saying it cannot find inet20002/services.exe. how do i fix that? and also....HOW DO I restore my quick launch bar?
  6. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    ok, now run spybot and ad-aware .... what do they report?
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...