
Author Topic: Spy Sheriff  (Read 3767 times)

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Spy Sheriff
« Reply #15 on: October 16, 2006, 17:52 »
I wouldn't bother trying to rectify IE settings until you've got this thing removed, Dave.  Running the removal process in safe mode is crucial, as it probably can't be removed when it is running.  Those instructions are quite comprehensive, so hopefully you'll have it sorted very soon.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #16 on: October 16, 2006, 18:23 »
You're right about safe mode Simon. I've noticed that the instructions for brave sentry removal (from the same site) are slightly different to those for spy sheriff although they are supposedly one and the same piece of crapware.

As for the IE settings who cares  :D

Offline gmax

  • Established Member
  • ****
  • Posts: 712
Spy Sheriff
« Reply #17 on: October 17, 2006, 04:44 »
I had to remove "Spy Sheriff" once, I used "Hiren's boot disk", the anti virus programs got rid of it :)

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #18 on: October 17, 2006, 18:59 »
Well the good news is I seem to have cleared it for now.  I finally realised that a file in startup "xpupdate" was the cause of the nagbox coming back so I killed that with task manager and finally with msconfig.

However the final step (no 8) in the instructions for removing brave sentry mentions a list of files to search and delete.  I found 3. These were

c:\windows\xpupdate and c:\windows\prefetch\xpupdate (created 15.10.06)

c:\windows\system32\services.exe and \sys32\dllcache\services.exe (created 29.8.02)

c:\windows\sys32\alg.exe and \sys32\dllcache\alg.exe (created 29.8.02).

The last two appear to be genuine windows files in genuine locations. The creation date presumably can't be spoofed? I did actually delete services.exe then thought better of it and went to the recycle bin to restore it. Strangely the file was still in its original location as well as in the recycle bin. I'll probably leave well alone for now  :roll:

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Spy Sheriff
« Reply #19 on: October 17, 2006, 19:44 »
I would probably do the same, providing the system is now running correctly, Dave.  You might want to try a scan with www.hijackthis.de and post the log file in the box provided for analysis.  'alg.exe' and 'services.exe' are both valid Windows services, and as they seem to be in the right place, they should be safe, but SpySheriff and its counterparts is such a tricky piece of malware, it might be best to be certain by scanning with a couple of anti-spyware scanners, to put your mind at ease.

I have just started using Cyberhawk, which I think is a fairly new utility.  It's too early to say whether it works or not, but it is free, and probably wouldn't do any harm to have as an extra security layer.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:
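
The "right name, right place" check discussed in the replies above for 'alg.exe' and 'services.exe', written out as an added example that is not part of the original thread. It goes slightly beyond the thread by also flagging near-miss file names; the expected folders assume a default Windows XP install under C:\WINDOWS, and the sample listing is constructed.

```python
import difflib
import ntpath

# Assumption: default Windows XP layout under C:\WINDOWS. dllcache holds the
# Windows File Protection backup copies of protected system files.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIRS = {
    "services.exe": {SYSTEM32, SYSTEM32 + r"\dllcache"},
    "alg.exe": {SYSTEM32, SYSTEM32 + r"\dllcache"},
}


def classify(path):
    """Classify one file path by name and location only (no content check)."""
    norm = ntpath.normpath(path.strip().lower())  # case-insensitive, resolves ".."
    directory, name = ntpath.split(norm)
    if name in EXPECTED_DIRS:
        if directory in EXPECTED_DIRS[name]:
            return "expected-location"
        return "wrong-location"  # system file name in an unusual folder
    # A name a character or two off a system binary also deserves a look.
    if difflib.get_close_matches(name, list(EXPECTED_DIRS), n=1, cutoff=0.85):
        return "lookalike-name"
    return "not-a-tracked-name"


def review(paths):
    """Return (path, reason) for every path that needs a closer look."""
    verdicts = [(p, classify(p)) for p in paths]
    return [(p, v) for p, v in verdicts if v in ("wrong-location", "lookalike-name")]


# Constructed sample listing, not taken from the thread.
SAMPLE = [
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\dllcache\alg.exe",
    r"C:\WINDOWS\services.exe",
    r"C:\Documents and Settings\user\servises.exe",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    for path, reason in review(SAMPLE):
        print(f"{reason:15} {path}")
```

A file that passes this check has only the expected name and folder; a scanner or a signature check is still needed to confirm its contents.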

Offline Clive

  • Administrator
  • *****
  • Posts: 75153
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Spy Sheriff
« Reply #20 on: October 17, 2006, 19:46 »
Thanks for the feedback Dave.  Glad it seems to be sorted.

Offline daveeb

  • Loyal Member
  • *****
  • Posts: 4216
Spy Sheriff
« Reply #21 on: October 17, 2006, 19:49 »
Yes, I use hijack this and x-ray pc. I'll give cyberhawk a look as well. Thanks for the input guys and especially that link Simon  :D

Offline Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Spy Sheriff
« Reply #22 on: October 17, 2006, 20:09 »
What Anti-Spyware protection are you using, Dave?  Something that offers real-time protection might have prevented this from getting into your PC in the first place.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

