How To Remove Spysherriff

  #21  
Old 03-07-2006
Newcomer, in training
 
Member since: Feb 2006, 3 posts
Thank you very much you smart fellers.
I tried it, and now it has been 2 days since I have seen any of the pop-ups.
So I am indeed very grateful to you people. Muchos gracias, thenk you verry much, dank u, wreed mercie, mercie beacoups. (or some spelling variations they need in the respective language)
Anyway I know now where to find the computer whizzes of the 22nd century.
I hope to ever be able to help you guys with anything else.
  #22  
Old 03-07-2006
Newcomer, in training
 
Member since: Mar 2006, 1 posts
spy sheriff

i have the same problem but its with adware sheriff???

is the procedure the same????????

thanks tom d
  #23  
Old 03-08-2006
TechSpot Evangelist
 
Member since: Aug 2004, 25,949 posts
Hello and welcome to Techspot.

Quote:
Originally Posted by tomahawk
i have the same problem but its with adware sheriff???

is the procedure the same????????

thanks tom d

Please open a new thread in the security and the web forum, after following these instructions.

Go and have your computer scanned HERE.

Then, go and read both these threads by RBS. Follow all the instructions exactly.

How to remove Trojans and its ilk! and How to remove Begin2search / coolwebsearch and other nasties.

Then see. How to post your Hijackthis log-file as an ATTACHMENT.

Only post a HJT log in your new thread, after doing the above.

Regards Howard
  #24  
Old 03-08-2006
Newcomer, in training
 
Member since: Jan 2006, 1 posts
The instructions Tedster gave to remove spysheriff didn't include the links to download the tools needed nor did he include the spysheriff image that was mentioned in his post.

Quote:
Originally Posted by Tedster
here is the link in case it disappears:

These infections change your desktop to say an alert which acts as a goad to use the antispyware software it installs (SpySheriff).

SpySheriff Image

Tools Needed for this fix:

* HijackThis
* Killbox
* Smitfraud.reg
* Ewido Security Suite
* Cleanup!




Related Tutorials:

* How to use HijackThis to remove Browser Hijackers & Spyware



Symptoms in a HijackThis Log:

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe



Removal Instructions:

Update: New automated procedure can be found here. Try that automated procedure first and fall back to this manual one if it fails.



In order to remove this infection we will need to use HijackThis to manually remove the infection:

1. Print out these instructions as we will need to shutdown every window that is open later in the fix.

2. Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

3. Download, install, and update Ewido Security Suite

   1. Install Ewido security suite
   2. Launch Ewido, there should be a big E icon on your desktop, double-click it.
   3. The program will prompt you to update click the OK button
   4. The program will now go to the main screen
   5. On the left hand side of the main screen click on Update
   6. Click on Start. The update will start and a progress bar will show the updates being installed.

4. After the updates are installed, exit Ewido

5. Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

6. Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

   1. Click Options...
   2. Move the arrow down to Custom CleanUp!
   3. Put a check next to the following:
      * Empty Recycle Bins
      * Delete Cookies
      * Delete Prefetch files
      * Scan local drives for temporary files
      * Cleanup! All Users
   4. Click the OK button
   5. Press the CleanUp! button to start the program.

7. After Cleanup! is finished start Ewido Security Suite

   1. Click on scanner
   2. Click on Complete System Scan.
   3. Let the program scan the machine
   4. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

8. When the scan is complete, exit the program and reboot back to normal mode.

9. Click on Start, then Control Panel, and double-click on the Add/Remove Programs icon.

10. Uninstall the SpySheriff program and then exit Add/Remove Programs.

11. Delete the following, in bold, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe
C:\Program Files\Daily Weather Forecast\

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

12. Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to c:\hijackthis. We will use this program later.

13. Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HijackThis and press the Scan button. Place a check next to the following items, if found, and click FIX CHECKED:


O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

14. Close HiJackThis.

15. RIGHT-CLICK HERE and go to Save As (in IE it's Save Target As) in order to download the smitfraud reg to your desktop.

16. Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

17. After the merged successfully prompt, using Windows Explorer, navigate to the following folder:

C:\Windows\Prefetch

18. If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

19. Reboot your computer.

20. You should be able to change your desktop back to normal now.




Your computer should now be free of the SpySheriff infection.
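
The `O4` symptom lines quoted in the post above can be checked for in a saved HijackThis log mechanically. The following Python code is an added example, not part of the original post or of HijackThis; the function names and the sample log (including `ExampleAV`, `updater` and `Example.lnk`) are constructed for illustration. It goes slightly beyond the three quoted lines by also matching on the command path, so a renamed Run value that still points at `C:\winstall.exe` is flagged.

```python
import re

# HijackThis registry autorun line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\(\w+): \[(.*?)\] (.+)$")

# Indicators copied from the three O4 lines quoted in the post above.
BAD_NAMES = {"spysheriff", "windows installer", "daily weather forecast"}
BAD_PATH_PARTS = ("\\spysheriff\\", "c:\\winstall.exe", "\\daily weather forecast\\")

# Constructed sample log; ExampleAV, updater and Example.lnk are made up.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe" /min
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [updater] "c:\WINSTALL.EXE"
O4 - Startup: Example.lnk = C:\Program Files\Example\example.exe
"""


def parse_o4(line):
    """Return (hive, key, value_name, command) for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groups() if m else None


def triage(log_text):
    """Return (line_no, location, value_name, command, reasons) per flagged entry."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_o4(line)
        if parsed is None:
            continue  # other sections and Startup-folder O4 lines are skipped
        hive, key, name, command = parsed
        reasons = []
        if name.lower() in BAD_NAMES:
            reasons.append("name")
        if any(part in command.lower() for part in BAD_PATH_PARTS):
            reasons.append("path")
        if reasons:
            findings.append((line_no, f"{hive}\\{key}", name, command, reasons))
    return findings


if __name__ == "__main__":
    for line_no, location, name, command, reasons in triage(SAMPLE_LOG):
        print(f"line {line_no}: {location} [{name}] {command} ({'+'.join(reasons)})")
```

An entry flagged only by "name" or only by "path" deserves a manual look before it is fixed in HijackThis; entries flagged by both match the quoted symptom lines exactly.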
  #25  
Old 03-09-2006
Tedster's Avatar
Techspot old timer.....
 
Location: Petersburg, VA
Member since: Feb 2005, 10,005 posts
the original message in this thread doesn't have links!

I don't have the time to post pictures.

That's the price you pay for FREE help.
  #26  
Old 03-10-2006
Newcomer, in training
 
Member since: Mar 2006, 1 posts
Thanks to this thread and forum for helping me with this issue. I managed to remove the spysheriff virus without having to call my brother or ex-boyfriend!

I followed the instructions here and on spyany.com and compiled them. These were my steps:

1. Reboot the computer to Safe Mode (Press F8 when Windows starts)
2. Delete the following files ( Before doing this make sure you can see hidden files and folders):

C:\Windows\Desktop.html
C:\Winstall.exe

3. Delete the folder 'C:\Program Files\SpySherrif\' and all the contents within it.
4. Click Start > Run, type 'regedit' to open the Registry Editor.
5. Navigate to and delete the following registry subkey (if it exists):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-here I deleted 1 value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
-here I deleted 6 values
Exit Registry Editor.

6. Search for and delete the following files
Ibm00001.exe – I didn’t have this one
Ibm00002.dll
Secure32.html
All files containing sheriff

7. Delete the following, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe
C:\Program Files\Daily Weather Forecast\

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

7. Go to Start > Run, type %temp% to open the %temp% folder. Delete all the files within the %temp% folder.

8. Reboot the computer.

After all this, the virus seemed to be gone, but I could not run my xp firewall. I got an error that said “Windows cannot display windows firewall settings” when I tried to open the firewall in my control panel.

My fix for that was easy once I found this link http://windowsxp.mvps.org/sharedaccess.htm

BUT you must use IE. Mozilla won’t display the download properly.

And now everything works great!

Thanks again!
  #27  
Old 03-29-2006
Newcomer, in training
 
Member since: Mar 2006, 12 posts
this spysherriff caused me loads of grief this last couple days.. i knew it was spyware instantly when it told me in the alert box that spysheriff had detected a trojan.. well i knew for a fact that i had never installed spysheriff.. i know what anti-spyware soft i had installed.. but hell it takes some getting rid of..

i might add that it also allowed other spyware thru that my av, and firewall didn't detect because for some reason it had disabled the firewall and av..

i spent 14hrs in dos mode killing everything and removing locked files.. and scanning and rescanning with different av software..

i've had to install a different firewall, as it has rendered windows sp2 firewall useless.. it keeps saying unable to start firewall due to unknown problem.. winsockfix failed to solve it.. so i'm using kerio now..

now i have to repair my network somehow, as the attack somehow screwed that up and none of my home computers can connect except for limited accessibility. damn i hate malware.. (if the software i use mainly was available on linux, i wouldn't touch microsoft ever again)
  #28  
Old 03-29-2006
CrossFire851's Avatar
TechSpot Maniac
 
Location: Cali
Member since: Oct 2005, 1,058 posts
Simple and easy (I haven't read this one only the title sry but i need my nappy)

System Restore the computer to a time it did not have SpyWare Sherif
  #29  
Old 03-30-2006
Newcomer, in training
 
Member since: Mar 2006, 12 posts
i don't use system restore, i think really it's a waste of space because malware and viruses also copy themselves to the restore folders.. so even restoring to previous time will not get rid of them because they'll just re-infect from their stealthy installers that were copied to the restore section..

which is why when running virus checks and stuff you should disable system restore because windows actually prevents the av software from modifying the protected restore files hence any viruses in the restore section can't be cleaned or killed..
  #30  
Old 03-30-2006
TechSpot Evangelist
 
Member since: Aug 2004, 25,949 posts
Quote:
Originally Posted by m0nty
which is why when running virus checks and stuff you should disable system restore because windows actually prevents the av software from modifying the protected restore files hence any viruses in the restore section can't be cleaned or killed..

Absolutely spot on m0nty.

Regards Howard
  #31  
Old 03-30-2006
Newcomer, in training
 
Member since: Feb 2006, 3 posts
Firewall

To the wizards of the Computerworld.
Once again congratulations on the fine instruction in removing all the commercial malarkey from the poor pc amoebas like myself.
However I got another question relating the Spysherrif problem.
I got all the stuff off and the pc has been running fine up to now.
However when everything was removed I am still not able to turn on the windows firewall. I checked the win site and the help in the pc but no real help here.
I also followed the instructions provided by windows to go through the config screen but also no go.
Do any of you have any advice? Or is it just best to leave it off and work with a free Firewall? (currently using ZoneAlarm)
Thanks in advance for the enlightenment.
  #32  
Old 03-30-2006
Newcomer, in training
 
Member since: Mar 2006, 12 posts
Quote:
stellar posted:

After all this, the virus seemed to be gone, but I could not run my xp firewall. I got an error that said “Windows cannot display windows firewall settings” when I tried to open the firewall in my control panel.

My fix for that was easy once I found this link http://windowsxp.mvps.org/sharedaccess.htm

BUT you must use IE. Mozilla won’t display the download properly.

the above fixes the windows firewall.

ideally you should actually fix it, as a broken file may give problems later on elsewhere..

but disable windows built in firewall if you are using any other firewall product, there's no reason to use 2, and they could conflict with each other at some point.