PC Pals Forum

Technical Help & Discussion => Broadband, Networking, PC Security, Internet & ISPs => Topic started by: daveeb on October 15, 2006, 18:12

Title: Spy Sheriff
Post by: daveeb on October 15, 2006, 18:12
GRRRR this is a nasty little bugger.  Tried the usual disable sys restore/safe mode / x-ray pc & ccleaner.  Didn't work.  Googled it and found some registry edits to remove references to the Active Desktop (it had installed a folders pane at the left hand side of the desktop and couldn't be altered).

Now I have two problems only  :roll:  The text under my desktop icons is highlighted blue instead of being transparent. There was a query in Computeractive last week about this. The advice was to enable "use drop shadows for icon labels", however this was already ticked.  Tried unticking then re-ticking - no joy.

Also a red circle with a black multiplication sign in it still keeps appearing in the task bar claiming to be Windows Security Centre, telling me my PC is compromised and to click the balloon to fix it.  I've searched the PC for the suspect files/progs i.e. Spy Sheriff / Brave Sentry and files winstall.exe and ibm00001.exe.  Can't find 'em.

Any advice on either problem very welcome.

Forgot to add: How do you disable Active Desktop? I can't find any reference to it in the menus  :?
Title: Spy Sheriff
Post by: Simon on October 15, 2006, 20:33
Enable / Disable Active Desktop - http://support.microsoft.com/kb/190228

Oh, and here's a Spy Sheriff Removal Tool (http://www.bleepingcomputer.com/forums/topic22402.html)

Next patient, please!  :grin:
Title: Spy Sheriff
Post by: daveeb on October 15, 2006, 21:14
Thanks Doctor  :D  I seem to have rid myself of Spy Sheriff by the sheer number of obscenities I've uttered and a bit of registry editing.  As for the Active Desktop, I don't get a Web tab option or an Active Desktop option in the respective methods described.
Title: Spy Sheriff
Post by: Simon on October 15, 2006, 22:11
Quote from: "daveeb"
As for the Active Desktop, I don't get a Web tab option or an Active Desktop option in the respective methods described.

I was hoping you weren't going to say that - neither do I!  :laugh:  I know I used to have an Active Desktop option in my right-click Desktop menu, but it's not there anymore.  :(  If you go into Desktop Properties, click the Desktop tab, then Customise Desktop, have you got a Web tab there?  Also, I found a Microsoft article which might be relevant if you use TweakUI:-

http://support.microsoft.com/?id=192400
Title: Spy Sheriff
Post by: Sandra on October 15, 2006, 23:50
I didn't think that XP had an Active Desktop, I thought that was a remnant of 98  :?

In 98, if you selected None in desktop settings instead of selecting a wallpaper, that disabled the Active Desktop, but I have never seen it come up in XP.
Title: Spy Sheriff
Post by: Simon on October 16, 2006, 00:31
Oh yes, it definitely does have one somewhere, San.  I remember seeing it in mine, and trying it out.  It's a mystery where it's gone now though!  Maybe one of the Windows Updates killed it?  :dunno:
Title: Spy Sheriff
Post by: daveeb on October 16, 2006, 12:19
I spoke too soon Simon, that so**ing warning box is back, "your computer is in danger" etc etc every 2 minutes.  That link you gave for Spy Sheriff removal doesn't seem to work; do you have any other reliable ones?
Title: Spy Sheriff
Post by: Clive on October 16, 2006, 12:41
THIS (http://www.monster-hardware.com/modules.php?name=Content&pa=showpage&pid=3) is an interesting read Dave.  AdAware is supposed to remove it.
Title: Spy Sheriff
Post by: daveeb on October 16, 2006, 14:36
Can't access the site Clive, as it said I was using a proxy (presumably means my router).  I did run Ad-Aware yesterday and it didn't detect it  :(
Title: Spy Sheriff
Post by: Clive on October 16, 2006, 15:16
I think it's probably Spy Sheriff attempting to prevent you accessing sites which may help you to remove it Dave.  Here is the article:


Spy Sheriff Exposed

It's been a long time since anything PC related actually made me angry enough that I felt compelled to write about it here. I am not sure if that means I am getting old, soft, or just plain lazy. Spy Sheriff, as I was about to learn, was primed to knock me out of my complacency. The story started several days ago when I got a call from a family member who wanted me to remove what they said was a particularly nasty malware infection. They claimed it was so severe it made it nearly impossible to use their PC. I figured they were embellishing things somewhat in the hopes of getting faster service. Family will do that to you sometimes. It turns out, though, that this time they weren't.

Upon arriving on the scene and after booting into Windows XP I soon noticed several things were wrong:

Windows background had been changed to a ridiculous fright screen claiming serious malfunction and threatening data loss, so programs had been halted

Repeated pop-up screens claiming false virus/spyware infections, only removable through a 30 USD Spy Sheriff registration payment granting you the program S/N

Internet Explorer browser home page hijack, which was also used to pimp their dubious services and pretend they have a legitimate product, which they don't

That's all well and good, but how do I get rid of it once I am infected? Well, that seems to depend on what variant you have and whether it came by itself or loaded with some other malicious programs (Smitfraud, for instance). From what I can gather after the fact, Spy Sheriff seems to install by using an IE browser exploit. The machine I removed it from was actually running a firewall, which didn't protect against this infection either. I also should mention that while the method listed below worked for me, your results may vary. I also came across a much more thoughtful removal method which I thought I would link here.

I got started by visiting the Add/Remove Programs section by way of CP to see if Spy Sheriff was listed. It was, so I chose Remove and was informed that the action couldn't proceed because the program was active. Not about to let this stop me, I went to the Run box by way of the Start menu and entered MSconfig. From there I searched around under the Startup tab for what files Spy Sheriff was loading. After a while I found the two files to be install.exe and ibm00001.exe. After unchecking both of these I rebooted the machine. From here I ran Ad-aware and it found and seems to have removed Spy Sheriff. I did, however, have to manually remove the Winstall.exe and secure32.html files from the root. Attempts to run Ad-aware before using Msconfig and then uninstalling Spy Sheriff were in my case unsuccessful. I have also heard that Microsoft's AntiSpyware Beta, if used properly, is effective here. More information on this threat is also available on Ad-aware's site.

I would like to take a minute here to offer a few suggestions. Consider running a non-Microsoft browser--either Firefox or Opera. While neither of these programs has a perfect security track record, they are much better than IE. Not only that, but when an exploit is found it is patched much more quickly. Next, watch what sites you are visiting. Best as I can tell, they seem to have picked up Spy Sheriff at one of the shady online games sites. That leads to the second tip: Pay close attention to the types of sites that you are visiting; sticking to reputable stand-up sites doesn't make you bullet-proof, but it does cut down your risk of infections. Last, but not least: Consider completely turning off Windows installs. Do you really need to install software through your browser? Possibly, but I bet for the majority of you, like me, the answer is no. To do this, type 'about:config' in Firefox, scroll down near the bottom of the page to xpinstall.enabled and set it to false.

Conclusion:

Although I am sure no one from Spy Sheriff would admit it, what is going on here is actually virtual kidnapping. Pay us 30 USD if you ever want to see your PC again. Even if you are flush with cash you should NEVER do this. After all, if this racket they have going here is financially successful for the makers of Spy Sheriff, you can bet that will encourage them to distribute more garbage like this onto the internet.

Jim Adkins
Title: Spy Sheriff
Post by: daveeb on October 16, 2006, 15:40
Thanks for that Clive  :D I decided to get the latest version of Ad-Aware and ran that.  It found 57 problems but none seemed linked to any of the culprits associated with Spy Sheriff.  Anyway I quarantined them (should I delete them??) and rebooted.  It now takes about 30 seconds to get past the welcome screen when before it was almost instant, and the desktop icons take an age to appear.  I still have the coloured text box problem, i.e. I can't make it transparent.  The nag box has just appeared again as well.  Grrrr. I'm stumped on this one.   :evil:
Title: Spy Sheriff
Post by: Simon on October 16, 2006, 16:25
Dave, you have an email.  :)
Title: Spy Sheriff
Post by: daveeb on October 16, 2006, 17:21
Simon, that "seems" to have worked a treat, can't thank you enough  :D

Windows looks for C:\delfiles.cmd at startup but it doesn't show in msconfig so I can't do a selective boot.  A small price to pay to avoid that darned popup.

EDIT    aaargh that nagbox has just reappeared although the desktop is back to normal  :evil:
Title: Spy Sheriff
Post by: Simon on October 16, 2006, 17:39
I have to admit, I've never needed to use the tool myself, and haven't tested it, as I don't really want my desktop interfered with, but I am assured that it works with all variants of this malware.  Did you run it in safe mode?  Here are some fuller instructions on how to remove SpySheriff:-

http://www.schrockinnovations.com/removespysheriff.php

Note, the file they tell you to download is the one I sent you.  I think it might just be a question of following the instructions precisely, step by step, to ensure complete removal.  This is a real bugger to get rid of, so I'm not surprised you're finding it a challenge!
Title: Spy Sheriff
Post by: daveeb on October 16, 2006, 17:44
Cheers Simon, I'll have a look. One thing I did notice was that SpywareGuard told me that various IE settings had changed and did I want to keep the old values. I said No to the old values, don't know if that was a mistake or not.

And no, I didn't run it in safe mode, so I'll try that tonight if I get the chance.
Title: Spy Sheriff
Post by: Simon on October 16, 2006, 17:52
I wouldn't bother trying to rectify IE settings until you've got this thing removed, Dave.  Running the removal process in safe mode is crucial, as it probably can't be removed when it is running.  Those instructions are quite comprehensive, so hopefully you'll have it sorted very soon.
Title: Spy Sheriff
Post by: daveeb on October 16, 2006, 18:23
You're right about safe mode Simon. I've noticed that the instructions for Brave Sentry removal (from the same site) are slightly different to those for Spy Sheriff, although they are supposedly one and the same piece of crapware.

As for the IE settings who cares  :D
Title: Spy Sheriff
Post by: gmax on October 17, 2006, 04:44
I had to remove "Spy Sheriff" once; I used "Hiren's Boot Disk", and the antivirus programs got rid of it :)
Title: Spy Sheriff
Post by: daveeb on October 17, 2006, 18:59
Well the good news is I seem to have cleared it for now.  I finally realised that a file in startup, "xpupdate", was the cause of the nagbox coming back, so I killed that with Task Manager and finally with msconfig.

However, the final step (no. 8) in the instructions for removing Brave Sentry mentions a list of files to search for and delete.  I found 3. These were

c:\windows\xpupdate and c:\windows\prefetch\xpupdate (created 15.10.06)

c:\windows\system32\services.exe and \sys32\dllcache\services.exe (created 29.8.02)

c:\windows\sys32\alg.exe and \sys32\dllcache\alg.exe (created 29.8.02).

The last two appear to be genuine Windows files in genuine locations. The creation date presumably can't be spoofed? I did actually delete services.exe, then thought better of it and went to the Recycle Bin to restore it. Strangely, the file was still in its original location as well as in the Recycle Bin. I'll probably leave well alone for now  :roll:
Title: Spy Sheriff
Post by: Simon on October 17, 2006, 19:44
I would probably do the same, providing the system is now running correctly, Dave.  You might want to try a scan with www.hijackthis.de and post the log file in the box provided for analysis.  'alg.exe' and 'services.exe' are both valid Windows services, and as they seem to be in the right place, they should be safe, but SpySheriff and its counterparts are such a tricky piece of malware, it might be best to be certain by scanning with a couple of anti-spyware scanners, to put your mind at ease.

I have just started using Cyberhawk (http://www.novatix.com/cyberhawk/), which I think is a fairly new utility.  It's too early to say whether it works or not, but it is free, and probably wouldn't do any harm to have as an extra security layer.
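Dave's question about whether a services.exe in its normal location is genuine, and Simon's suggestion of posting a HijackThis log, are both about triaging startup entries. The script below is an added example, not code from the thread or from HijackThis: it parses constructed O4 (Run-key) lines in HijackThis log format and flags entries whose filename the thread associates with Spy Sheriff, or whose name matches a Windows binary but whose path is outside the directory that binary lives in on a default XP install on C: (an assumption).

```python
# Added example: triage O4 (startup) lines from a HijackThis-style log.
import re

# Where the genuine copies of these Windows binaries live on a default XP
# install on C: (assumption). A same-named file launched from elsewhere is suspect.
EXPECTED_DIRS = {"services.exe": r"c:\windows\system32",
                 "alg.exe": r"c:\windows\system32"}
# Filenames the thread associates with Spy Sheriff / Brave Sentry.
KNOWN_BAD_NAMES = {"xpupdate.exe", "ibm00001.exe", "winstall.exe",
                   "install.exe", "delfiles.cmd"}
# HijackThis O4 layout: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def exe_path(cmd):
    """Return the executable part of a Run-key command, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_lines):
    """Return (value name, path, reason) for O4 entries worth a closer look."""
    findings = []
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue                        # not a startup entry
        path = exe_path(m.group("cmd"))
        directory, _, basename = path.lower().rpartition("\\")
        if basename in KNOWN_BAD_NAMES:
            findings.append((m.group("name"), path,
                             "filename associated with Spy Sheriff"))
        elif basename in EXPECTED_DIRS and directory != EXPECTED_DIRS[basename]:
            findings.append((m.group("name"), path,
                             "Windows binary name outside its expected directory"))
    return findings


# Constructed sample log in HijackThis O4 format (not a real scan).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [xpupdate] C:\WINDOWS\xpupdate.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Windows Services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [ALG] C:\WINDOWS\system32\alg.exe
""".strip().splitlines()

for name, path, reason in triage(SAMPLE_LOG):
    print(f"[{name}] {path}: {reason}")
```

Entries without a directory (such as the bare SOUNDMAN.EXE above) are left alone by this check; a real triage would resolve them against the PATH before judging them.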
Title: Spy Sheriff
Post by: Clive on October 17, 2006, 19:46
Thanks for the feedback Dave.  Glad it seems to be sorted.
Title: Spy Sheriff
Post by: daveeb on October 17, 2006, 19:49
Yes, I use HijackThis and X-Ray PC. I'll give Cyberhawk a look as well. Thanks for the input guys, and especially that link Simon  :D
Title: Spy Sheriff
Post by: Simon on October 17, 2006, 20:09
What Anti-Spyware protection are you using, Dave?  Something that offers real-time protection might have prevented this from getting into your PC in the first place.