Spyware Question

SpinnerBait_Nut

Honorary Moderator Emeritus
Joined
Aug 25, 2002
Messages
17,651
Anyone heard of SpySherriff?
Windows security says I have it.
Some kinda trojan.
Guess windows security was not working real well. :|
Ok, who has a good spyware removal system to tell me about.
This one affects the desktop.
I can not set my desktop wallpaper, just the color background.
 

Bob_VT

Moderator & Unofficial iBoats Historian
Staff member
Joined
May 19, 2001
Messages
26,079
Re: Spyware Question

I found a solution; here is the C&P:
Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.

Instead follow these steps:

1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
2. In the control panel go to "Add/Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
4. Look for this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
Also delete this branch in your registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
This file is scheduled to execute each time you boot and it will re-install Spysheriff.
Delete that file.
Update:

There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
6. Restart your system.
Done.
 

SpinnerBait_Nut


Ok, got most of it out of there, but a dumb question, how do I get to my root directory?
 

Bob_VT


Complicated but there are 2 ways...

Old school - get a command prompt and go in from "dos" or the Windows equivalent

Windows Explorer - go to C drive and start hunting...

Got any local guru friends? Because one wrong item deleted and your computer could fail to work.
 

SpinnerBait_Nut


Hey Bob, got everything back, but now have this annoying pop-up that says window security center has detected blah, blah, blah.
I have run 4 different anti-virus programs and they show nothing.
AVG, AdawareSE, system doctor and stinger and none of them show anything after taking out the branches in the regedit.
Nothing different, but this pop-up out of the system tray.
argggggggggggg!!!!!!!!:|:|:|
 

SpinnerBait_Nut


Oh yea, there is a red X in the system tray where it comes from and you can't get rid of it either.
Argggggggggggggggg:|:|:|
 

Bob_VT


That means there is a piece of it still embedded. Have you tried Trend Micro HouseCall (google it)? A free one too.
 

Plainsman

Rear Admiral
Joined
Apr 2, 2006
Messages
4,062
Re: Spyware Question

Try Spybot. Also go to Start>Run>type msconfig. Look under the Startup tab to see if you see that program there. If so, uncheck it and reboot.

You can also look in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentVersion\Run and see if it is there. If so, delete it.
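
The checks described in this thread, gathered into one read-only PowerShell audit; this is an added example, not code from any of the posts. It only lists what it finds so the entries can be reviewed before anything is deleted by hand. The HKCU Run key and the 10-minute "created at the same time" window are assumptions; the other paths and file names are the ones quoted above.

```powershell
# Read-only audit of the locations named in this thread; nothing is changed or deleted.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'  # assumption: not named in the thread
)
$fileNames   = @('winstall.exe', 'ibm00001.exe', 'ibm0001.exe')  # both spellings appear above
$namePattern = 'spysheriff|winstall|ibm0+1\.exe'
$windowMin   = 10  # assumption: what counts as "created at the same time"

function Get-RegistryValues {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $Path; Name = $name; Data = $key.GetValue($name) }
    }
}

# 1. Policy values under the two branches the post says to delete. Review them first:
#    Policies\System can also hold settings an administrator put there on purpose.
$policyKeys | ForEach-Object { Get-RegistryValues $_ } | Format-Table -AutoSize -Wrap

# 2. Startup entries whose name or command line matches the names from the thread.
$runKeys | ForEach-Object { Get-RegistryValues $_ } |
    Where-Object { "$($_.Name) $($_.Data)" -match $namePattern } |
    Format-Table -AutoSize -Wrap

# 3. Named files in the root of the system drive (-Force includes hidden files).
$root  = "$env:SystemDrive\"
$found = $fileNames | ForEach-Object { Join-Path $root $_ } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-Item -LiteralPath $_ -Force }
$found | Format-Table FullName, Length, CreationTime -AutoSize

# 4. Other executables in the root created within $windowMin minutes of any file found above.
foreach ($hit in $found) {
    Get-ChildItem -LiteralPath $root -Filter *.exe -File -Force |
        Where-Object { $_.FullName -ne $hit.FullName -and
            [math]::Abs(($_.CreationTime - $hit.CreationTime).TotalMinutes) -le $windowMin } |
        Format-Table FullName, Length, CreationTime -AutoSize
}
```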
 