I caught the SpySheriff trojan on a Windows 2000 machine. None of the published methods would get rid of the thing completely. browsela.dll, loaded by a registry entry at close to boot time could not be removed. It seems to have the capability to detect registry entries designed to delete files on the next boot and destroy these. Accordingly, nothing I tried using HT or killBox or other such tools could get rid of it.

Finally, using all available information from HT and from information on the web relative to trojans on XP, I killed the beast as follows:

1. Remove the following files and all the registry entries referencing these:

WINNT\system32\: cmd32.exe, z11.exe, z12.exe, z13.exe, z14.exe, dial32.exe

2. Shutdown the computer.

3. Remove the hard drive.

4. Set the hard drive up as a slave drive.

5. Install the hard drive in A DIFFERENT WINDOWS COMPUTER as a SLAVE.

6. Start Windows on the second computer.

7. Open a command window.

8. Switch to the original drive (containing the trojan)- eg. "I:"

9. cd to the directory containing the trojan: cd WINNT\system32

10. Delete the trojan dll: "del browsela.dll"

11. Shutdown the second computer. Remove your original hard drive.

12. Set the hard drive up as MASTER (do not forget this).

13. Re-install the hard drive in your computer.

14. The computer should boot now without running browsela.dll (it is no longer there).

15. Run HiJackThis and remove fix any residual registry issues.

16. Restart the machine.

17. Repeat 15. This time you should have a clean machine.

Good Luck!