
Author Topic: Spy Sheriff  (Read 3768 times)

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« on: October 15, 2006, 18:12 »
GRRRR this is a nasty little bugger.  Tried the usual: disable System Restore / safe mode / X-RayPC & CCleaner.  Didn't work.  Googled it and found some registry edits to remove references to the Active Desktop (it had installed a folders pane at the left-hand side of the desktop which couldn't be altered).

Now I have two problems only  :roll:  The text under my desktop icons is highlighted blue instead of being transparent. There was a query in Computeractive last week about this. The advice was to enable "use drop shadows for icon labels", however this was already ticked.  Tried unticking then re-ticking - no joy.

Also a red circle with a black multiplication sign in it still keeps appearing in the taskbar, claiming to be Windows Security Centre, telling me my PC is compromised and to click the balloon to fix it.  I've searched the PC for the suspect files/programs, i.e. Spy Sheriff / Brave Sentry and the files winstall.exe and ibm00001.exe.  Can't find 'em.

Any advice on either problem very welcome.

Forgot to add: how do you disable Active Desktop? I can't find any reference to it in the menus  :?

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Spy Sheriff
« Reply #1 on: October 15, 2006, 20:33 »
Enable / Disable Active Desktop - http://support.microsoft.com/kb/190228

Oh, and here's a Spy Sheriff Removal Tool

Next patient, please!  :grin:
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #2 on: October 15, 2006, 21:14 »
Thanks Doctor  :D  I seem to have rid myself of Spy Sheriff by the sheer number of obscenities I've uttered and a bit of registry editing.  As for the Active Desktop, I don't get a Web tab option or an Active Desktop option in the respective methods described.

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Spy Sheriff
« Reply #3 on: October 15, 2006, 22:11 »
Quote from: "daveeb"
As for the Active Desktop, I don't get a Web tab option or an Active Desktop option in the respective methods described.

I was hoping you weren't going to say that - neither do I!  :laugh:  I know I used to have an Active Desktop option in my right-click Desktop menu, but it's not there anymore.  :(  If you go into Desktop Properties, click the Desktop tab, then Customise Desktop, have you got a Web tab there?  Also, I found a Microsoft article which might be relevant if you use TweakUI:-

http://support.microsoft.com/?id=192400
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Spy Sheriff
« Reply #4 on: October 15, 2006, 23:50 »
I didn't think that XP had an Active Desktop, I thought that was a remnant of 98  :?

In 98, if you selected None in the desktop settings instead of selecting a wallpaper, that disabled the Active Desktop, but I have never seen it come up in XP.

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Spy Sheriff
« Reply #5 on: October 16, 2006, 00:31 »
Oh yes, it definitely does have one somewhere, San.  I remember seeing it in mine, and trying it out.  It's a mystery where it's gone now though!  Maybe one of the Windows Updates killed it?  :dunno:
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #6 on: October 16, 2006, 12:19 »
I spoke too soon Simon, that so**ing warning box is back: "your computer is in danger" etc. etc. every 2 minutes.  That link you gave for Spy Sheriff removal doesn't seem to work for me; do you have any other reliable ones?

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Spy Sheriff
« Reply #7 on: October 16, 2006, 12:41 »
THIS is an interesting read Dave.  AdAware is supposed to remove it.

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #8 on: October 16, 2006, 14:36 »
Can't access the site Clive, as it said I was using a proxy (presumably meaning my router).  I did run Ad-Aware yesterday and it didn't detect it  :(

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Spy Sheriff
« Reply #9 on: October 16, 2006, 15:16 »
I think it's probably Spy Sheriff attempting to prevent you accessing sites which may help you to remove it, Dave.  Here is the article:


Spy Sheriff Exposed

It's been a long time since anything PC related actually made me angry enough that I felt compelled to write about it here. I am not sure if that means I am getting old, soft, or just plain lazy. Spy Sheriff, as I was about to learn, was primed to knock me out of my complacency. The story started several days ago when I got a call from a family member who wanted me to remove what they said was a particularly nasty malware infection. They claimed it was so severe it made it nearly impossible to use their PC. I figured they were embellishing things somewhat in the hopes of getting faster service. Family will do that to you sometimes. It turns out, though, that this time they weren't.

Upon arriving on the scene and after booting into Windows XP, I soon noticed several things were wrong:

The Windows background had been changed to a ridiculous fright screen claiming a serious malfunction and threatening data loss, so programs had been halted

Repeated pop-up screens claiming false virus/spyware infections, only removable through a 30 USD Spy Sheriff registration payment granting you a program S/N

An Internet Explorer browser home page hijack, which was also used to pimp their dubious services and pretend they have a legitimate product, which they don't

That's all well and good, but how do I get rid of it once I am infected? Well, that seems to depend on what variant you have and whether it came by itself or loaded with some other malicious programs (Smitfraud, for instance). From what I can gather after the fact, Spy Sheriff seems to install by using an IE browser exploit. The machine I removed it from was actually running a firewall, which didn't protect against this infection either. I also should mention that while the method listed below worked for me, your results may vary. I also came across a much more thoughtful removal method which I thought I would link here.

I got started by visiting the Add/Remove Programs section by way of the Control Panel to see if Spy Sheriff was listed. It was, so I chose Remove and was informed that the action couldn't proceed because the program was active. Not about to let this stop me, I went to the Run box by way of the Start menu and entered msconfig. From there I searched around under the Startup tab for what files Spy Sheriff was loading. After a while I found the two files to be install.exe and ibm00001.exe. After unchecking both of these I rebooted the machine. From here I ran Ad-Aware and it found and seems to have removed Spy Sheriff. I did, however, have to manually remove the winstall.exe and secure32.html files from the root. Attempts to run Ad-Aware before using msconfig and then uninstalling Spy Sheriff were in my case unsuccessful. I have also heard that Microsoft's AntiSpyware Beta, if used properly, is effective here. More information on this threat is also available on Ad-Aware's site.

I would like to take a minute here to offer a few suggestions. Consider running a non-Microsoft browser--either Firefox or Opera. While neither of these programs has a perfect security track record, they are much better than IE. Not only that, but when an exploit is found it is patched much more quickly. Next, watch what sites you are visiting. Best as I can tell, they seem to have picked up Spy Sheriff at one of the shady online games sites. That leads to the second tip: pay close attention to the types of sites that you are visiting; sticking to reputable, stand-up sites doesn't make you bullet-proof, but it does cut down your risk of infections. Last, but not least: consider completely turning off Windows installs. Do you really need to install software through your browser? Possibly, but I bet for the majority of you, like me, the answer is no. To do this, type about:config into Firefox, scroll down near the bottom of the page to xpinstall.enabled and set it to false.

Conclusion:

Although I am sure no one from Spy Sheriff would admit it, what is going on here is actually virtual kidnapping. Pay us 30 USD if you ever want to see your PC again. Even if you are flush with cash you should NEVER do this. After all, if this racket they have going here is financially successful for the makers of Spy Sheriff, you can bet that will encourage them to distribute more garbage like this onto the internet.
Jim Adkins
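The article's removal method boils down to two checks a defender can script: which auto-start entries reference the file names the thread ties to Spy Sheriff (install.exe, ibm00001.exe, winstall.exe, secure32.html, and the C:\delfiles.cmd daveeb mentions later in the thread), and whether those files sit in the drive root. The PowerShell below is an added example, not code from the forum, from Jim Adkins' article, or from any of the tools mentioned; the indicator list is taken from the thread, and the choice of locations to inspect (the Run/RunOnce keys and the two Startup folders, which is roughly what msconfig's Startup tab shows) is an assumption of mine. It only reports; it deletes nothing.

```powershell
# Added example (not from the thread or the quoted article): a read-only audit of
# common Windows auto-start locations and the system drive root for the file
# names the thread associates with Spy Sheriff. Nothing is modified or removed.

# File names taken from the thread. Treat a hit as something to review, not proof.
$Indicators = @('install.exe', 'ibm00001.exe', 'winstall.exe', 'secure32.html', 'delfiles.cmd')

function Get-AutoStartEntries {
    # Run / RunOnce keys for the machine and the current user (assumed scope of the audit).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PS* metadata properties Get-ItemProperty attaches.
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
                }
            }
        }
    }
    # Per-user and all-users Startup folders.
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if ($folder -and (Test-Path $folder)) {
            Get-ChildItem -Path $folder -File | ForEach-Object {
                [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

function Find-SuspectAutoStarts {
    param([string[]]$Names = $Indicators)
    # Return every auto-start entry whose command line mentions an indicator file name.
    Get-AutoStartEntries | Where-Object {
        $cmd = $_.Command
        $hit = $false
        foreach ($n in $Names) {
            if ($cmd -match [regex]::Escape($n)) { $hit = $true }
        }
        $hit
    }
}

function Find-SuspectRootFiles {
    param([string[]]$Names = $Indicators)
    # The article removed winstall.exe and secure32.html from the root; check for all indicators there.
    foreach ($n in $Names) {
        $path = "$env:SystemDrive\$n"
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{ Path = $path; SizeBytes = $item.Length; Modified = $item.LastWriteTime }
        }
    }
}

# Report. Both functions return objects, so the output can also be exported or piped elsewhere.
$autoStarts = @(Find-SuspectAutoStarts)
$rootFiles  = @(Find-SuspectRootFiles)

"Auto-start entries referencing indicator file names: $($autoStarts.Count)"
$autoStarts | Format-Table -AutoSize
"Indicator files present in $env:SystemDrive\ : $($rootFiles.Count)"
$rootFiles | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable. The caveat the thread itself demonstrates: daveeb's C:\delfiles.cmd was run at startup yet did not appear in msconfig, so a file launched by some mechanism other than the Run keys and Startup folders will not be listed by this audit either; an empty report is not a clean bill of health, only the absence of these particular entries.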

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #10 on: October 16, 2006, 15:40 »
Thanks for that Clive  :D I decided to get the latest version of Ad-Aware and ran that.  It found 57 problems but none seemed linked to any of the culprits associated with Spy Sheriff.  Anyway, I quarantined them (should I delete them??) and rebooted.  It now takes about 30 seconds to get past the welcome screen, when before it was almost instant, and the desktop icons take an age to appear.  I still have the coloured text box problem, i.e. I can't make it transparent.  The nag box has just appeared again as well.  Grrrr. I'm stumped on this one.   :evil:

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Spy Sheriff
« Reply #11 on: October 16, 2006, 16:25 »
Dave, you have an email.  :)
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #12 on: October 16, 2006, 17:21 »
Simon, that "seems" to have worked a treat, can't thank you enough  :D

Windows looks for C:\delfiles.cmd at startup but it doesn't show in msconfig so I can't do a selective boot.  A small price to pay to avoid that darned popup.

EDIT    Aaargh, that nag box has just reappeared although the desktop is back to normal  :evil:

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Spy Sheriff
« Reply #13 on: October 16, 2006, 17:39 »
I have to admit, I've never needed to use the tool myself, and haven't tested it, as I don't really want my desktop interfered with, but I am assured that it works with all variants of this malware.  Did you run it in safe mode?  Here are some fuller instructions on how to remove SpySheriff:-

http://www.schrockinnovations.com/removespysheriff.php

Note, the file they tell you to download is the one I sent you.  I think it might just be a question of following the instructions precisely, step by step, to ensure complete removal.  This is a real bugger to get rid of, so I'm not surprised you're finding it a challenge!
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #14 on: October 16, 2006, 17:44 »
Cheers Simon, I'll have a look. One thing I did notice was that SpywareGuard told me that various IE settings had changed and did I want to keep the old values. I said No to the old values; don't know if that was a mistake or not.

And no, I didn't run it in safe mode, so I'll try that tonight if I get the chance.
