Spy Sheriff Infected My PC...Need Help To Remove

Discussion in 'malware problems & news' started by mackiecross, Dec 15, 2005.

Thread Status:
Not open for further replies.
  1. mackiecross

    mackiecross Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    6
    Hello, can someone please help me.

    I have some spyware or adware on my home pc.

    It is calling itself Spy Sheriff and it has also changed my desktop background image so that it looked like an error message:

    SYSTEM STOPPED


    System has been stopped due to a serious malfunction.
    Spyware activity has been detected.

    It is recommended to use spyware removal tool to prevent data loss.
    Do not use the computer before all spyware removed.


    Since seeing the above message on my desktop, I have used my Norton and McAfee to do a clean on it but it is still there.

    It removed 2 out of the 5 infected files but it cannot remove:


    C://winstall.exe
    C://windows/system32/vxh8jkdq6.exe
    C://windows/system32/vxh8jkdq2.exe

    I have also tried to go to Task Manager but no matter which way I try a message comes on screen saying that my administrator has blocked my access to this.

    Also I have tried to go to “Add/ Remove Programs” but it is not there. I have tried to get rid of something called winstall but it doesn’t go.

    This Spy Sheriff is not even letting me connect to the internet. I am using my wireless connection on my laptop to send this to anyone who can help me please.

    Thank You
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  3. mackiecross

    mackiecross Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    6
    ^^^^

    Much thanks for your swift reply.

    I went to the first link you posted, but the thing is the first step is to download software and update it....my PC cannot obtain a connection to the net.

    In theory I could download all the recommended software needed on to my laptop...which I'm on now...burn it to CD then open it on the infected desktop PC....but will not be able to update the definitions...would this be a pointless exercise?

    I also saw these steps posted elsewhere:

    http://www.delphifaq.com/faq/windows_user/f850.shtml

    but have not cured the problems.....

    any further ideas will be appreciated!
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    U could download HJT and burn it to cd then copy and paste a HJT log from the infected computer over to the forum I linked to, with an explanation of what's happening (no connection). They would then give u instructions on what to remove so u could at least gain some control back on your system.

    HJT download here,

    http://www.bleepingcomputer.com/files/hijackthis.php


    snowbound
     
  5. mackiecross

    mackiecross Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    6
    ^^^^^^^^^^^^

    SnowBound

    Many thanks for responding....I have downloaded the programme you have recommended, and as soon as I get home tonight I will follow your instructions and run the software and post the log.

    Only problem is that I cannot access the web with the infected PC, as the spy sheriff stops me from doing so....but I can access the web via my laptop.
     
  6. mackiecross

    mackiecross Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    6
    If I did a system restore to a few days before this bastard hit my pc....would that work?
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I'm not sure but u could give it a shot. Hopefully u could at least gain your connection back....


    snowbound
     
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi, at my friend's house it didn't work but I believe this would be the fix

    http://www.delphifaq.com/faq/windows_user/f850.shtml

    /edit: after that, install Ewido and let it update. reboot your puter into safe mode and let Ewido run and clean the rest ;)
     
  9. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I was inquiring around about your issue and was told by a very knowledgeable Spyware Veteran who frequents Wilders along with many other boards that these instructions should resolve this issue,

    EDIT- Ignore this post as i see the above instruction is part of the excellent help you're receiving over here,

    http://gladiator-antivirus.com/forum/index.php?showtopic=30717

    Good luck. :)



    snowbound
     
    Last edited: Dec 16, 2005
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    About two weeks ago, we had a customer with a pc with Spy Sheriff on it.
    It became clear that a lot of Windows system files were removed and/or
    replaced.

    After restoring several files, there were still problems,

    b.t.w. the Windows system restore doesn't
    restore the infected or deleted files.

    So, the only thing we could do was, start BartPE (XP Bootable cdrom)
    and backup all data to another disk.
    After that reinstall the OS
    and restore the (cleaned) data back.

    The problem is that there is no real solution for this because it can
    happen on several versions of Windows.
    And because the damaged system files are not the same
    versions in those OS-es there is not one solution.

    Depending on the version of the OS you have to restore the
    files that belong to that version.

    XP Sp1, Sp2,or ME or 98 English, French or German etc.

    Then we do not know for sure how many files are gone (or infected)
    by this malware.

    Btw it is installed by visiting a website with Internet Explorer ...
    it uses an IE exploit/security problem to do that.

    Good luck.
     
  11. mackiecross

    mackiecross Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    6
    ^^^^^^

    Guys, thanks for the response so far....

    I'm trying out a couple of things that have been suggested and will see how it goes.

    In the meantime if anyone has any suggestions they will be greatly appreciated!

    Hope everyone's having a great weekend!!
     
  12. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Please let us know how you solved the problem, if it is solved
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi mackiecross,

    I do not want to interfere with Mosaic1 helping you (she is the best)

    But I would like to have a look at this file you have running:
    C:\WINDOWS\system32\kernels64.exe

    Would you mind uploading it at TheSpykiller.
    Follow the instructions here to do so:
    http://www.thespykiller.co.uk/forum/index.php?topic=5.0
    Mosaic1 has access there too.

    I found this information:
    http://www.viruslist.com/en/viruses/encyclopedia?virusid=105011
    but that looks like only a part of it.

    Regards,

    Pieter
     
  14. controler

    controler Guest

    I am sure now that Regrun Platinum would get rid of it.
     
  15. hypersteroid2ooo

    hypersteroid2ooo Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    3
    Hi mick, I believe that Spy Sheriff is actually the trojan file. You can find today's trojan sites that I posted on anti-trojan software. At the moment I am also searching for the best anti-trojan products, so I open all my security system. In other words I become vulnerable. The only anti-trojan product that is not infected by Spy Sheriff is a-squared. Of the remaining I haven't finished testing.


    Spy Sheriff is a trojan program. This acute trojan file is available from some porn sites like ~snip....Bubba~ on your desktop, you must be able to find unknown software i.e ibm.

    removed link. Please do not link to possible malware sites....Bubba
     
    Last edited by a moderator: Dec 18, 2005
  16. mackiecross

    mackiecross Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    6
    ^^^^

    Thanks for the feedback guys....I have been trying to follow Mosaic1's instructions on the other forum....but every time I try to restart in safe mode, these are the options that I am given:

    After tapping F8 at Restart:

    Select First Boot Device

    Floppy: 1.44MB 3.5
    IDE-O: Samsung SV0602H
    CD ROM: LITE-ON DVD RW SOHW-1673S
    : NETWORK
    NETWORK:


    I remember going into safe mode several months ago...and do not remember seeing this message...so I'm not sure if I'm doing something wrong (tried to go into safe mode several times and the same box appears every time) or whether this virus is worse than I first imagined.

    and obviously still no connection to the net
     
  17. controler

    controler Guest

  18. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    hi mackiecross, you wrote:

    I understand that this is confusing, but your bios/cmos/nvram
    has a pop-up menu built in as well, this allows you to select the bootdevice
    (the thing where windows has to start from),
    in most cases you can skip that by hitting the <Esc> key.

    But after that hit (be fast, within seconds) the <F8> again, because now you are starting Windows
    and that is where F8 can bring you to the menu where you can select
    'safe mode'.

    Good Luck
     
  19. ramster3

    ramster3 Guest


    First remove the folder where spy sheriff is residing. You may have to
    rename the folder as a .txt file to delete it. Then do a system restore.
    It worked on mine running xp pro.
     
  20. Chuckamatic

    Chuckamatic Guest

    Re: Spy Sheriff

    OK, I had this last spring, got rid of it, but don't remember how. Sometimes the email provider can help you. Anyway, after removing this trojan it still has the black box with bold red font, "Your System Is Infected!", what I call a "footprint" _on my background_ that I cannot get rid of. How can I simply remove this. Going to Task Manager and Background it shows up, but does not allow me to remove it. Guessing there's still something in my registry that I need to delete? Any help would be greatly appreciated.

    Chuckamatic
     
  21. Ga1tar

    Ga1tar Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    118
    Location:
    U.K
    Try booting up in safe mode and remove spy sheriff through your control panel.

    Failing that there is a program which does work, I know as I had to clean up my sons machine which had the very same problem.

    http://secured2k.home.comcast.net

    You need the antipuper removal tool

    Let us know how you get on
     
  22. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    I will try to translate from another forum:

    ~Cleaning instructions removed~

    This type of assistant requires custom instructions based upon what has been seen on the person's system given from posting a HijackThis log, with followup from a spyware removal expert.

    I have removed the instructions that you posted as we no longer perform spyware cleaning services here, as referred to in this Announcement.

    Bubba
     
  23. Firesign

    Firesign Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1
    My XP has been down for 2 weeks because of SpySheriff.
    Symptoms:
    -hijacked desktop - blue screen with black box "spyware infection! Warning..."
    -hijacked (disabled) task manager
    -infected system restore - went back 3 mos and it didn't help (now turned off)
    -AVG is showing a root sector error

    I can still access files and still get online. I’m using an old computer until my XP is disinfected – just have to switch the monitor back and forth.

    I have a few problems with the various removal instructions I've found:
    Task Manager doesn’t work
    Add/Remove Programs will not delete “Spy Sheriff”
    How do I access the root directory?
    Should I delete the recommended HKEY... if it says "NO DEFAULT SPECIFIED"?

    I got clean AVG and ZoneAlarm scans after running Trend Micro Housecall free online scan (it took 3 hours), but it came back.

    Comments and Suggestions greatly appreciated. Thanks, Firesign
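    The symptoms reported in this thread (Task Manager "blocked by your administrator", a locked desktop background, and the file names quoted in the first post and by Pieter) can be checked read-only with a script like the following. This is an added example, not code from anyone in the thread; it assumes a modern Windows PowerShell and only reads the standard policy values, without deleting anything.

    ```powershell
    # Added example: read-only audit of the indicators described in this thread.
    # Assumes Windows PowerShell; nothing is modified or deleted.
    $findings = @()

    # 1. "Your administrator has blocked access" to Task Manager is the DisableTaskMgr policy value.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -eq 1) { $findings += "Task Manager disabled by policy in $key" }
    }

    # 2. Hijacked desktop: show the current wallpaper path and whether changing it is locked by policy.
    $wp = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue
    if ($wp) { $findings += "Current wallpaper: $($wp.Wallpaper)" }
    $adKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
    $ad = Get-ItemProperty -Path $adKey -Name NoChangingWallPaper -ErrorAction SilentlyContinue
    if ($ad -and $ad.NoChangingWallPaper -eq 1) { $findings += 'Wallpaper change locked by NoChangingWallPaper policy' }

    # 3. Files named in this thread (first post and Pieter's post), in proper Windows path form.
    $suspect = @(
        'C:\winstall.exe',
        "$env:SystemRoot\system32\vxh8jkdq6.exe",
        "$env:SystemRoot\system32\vxh8jkdq2.exe",
        "$env:SystemRoot\system32\kernels64.exe"
    )
    foreach ($p in $suspect) { if (Test-Path -LiteralPath $p) { $findings += "Present: $p" } }

    # 4. Logon autostart entries, so a helper reviewing the output can see what launches at logon.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($run) {
            $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $findings += "Run entry ($key): $($_.Name) = $($_.Value)" }
        }
    }

    if ($findings.Count -eq 0) { 'No indicators from this thread found.' } else { $findings }
    ```

    Run it from an elevated prompt so the HKLM keys are readable; the output is meant to be pasted alongside a HijackThis log for whoever is guiding the cleanup.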
     
  24. controler

    controler Guest

  25. Proland

    Proland Guest
