January 21, 2006 04:27 PM PST

Spy Sheriff Exposed

Author: JimAdkins. 14106 Reads


It's been a long time since anything PC-related actually made me angry enough that I felt compelled to write about it here. I am not sure if that means I am getting old, soft, or just plain lazy. Spy Sheriff, as I was about to learn, was primed to knock me out of my complacency. The story started several days ago when I got a call from a family member who wanted me to remove what they said was a particularly nasty malware infection. They claimed it was so severe that it made the PC nearly impossible to use. I figured they were embellishing things somewhat in the hope of getting faster service. Family will do that to you sometimes. It turns out, though, that this time they weren't.

Spy Sheriff

Upon arriving on the scene and booting into Windows XP, I soon noticed several things were wrong:

- The Windows background had been changed to a ridiculous fright screen claiming a serious malfunction and threatening data loss, so programs had supposedly been halted
- Repeated pop-up screens claimed false virus/spyware infections that were only removable through a 30 USD Spy Sheriff registration payment, which grants you a program serial number
- The Internet Explorer home page had been hijacked and was also used to push their dubious services and pretend they have a legitimate product, which they don't

That's all well and good, but how do I get rid of it once I am infected? Well, that seems to depend on which variant you have and whether it came by itself or loaded alongside other malicious programs (SmitFraud, for instance). From what I can gather after the fact, Spy Sheriff seems to install by using an IE browser exploit. The machine I removed it from was actually running a firewall, which didn't protect against this infection either. I should also mention that while the method listed below worked for me, your results may vary. I also came across a much more thoughtful removal method which I thought I would link here.

I got started by visiting the Add/Remove Programs section of the Control Panel to see if Spy Sheriff was listed. It was, so I chose Remove and was informed that the action couldn't proceed because the program was active. Not about to let this stop me, I went to the Run box via the Start menu and entered msconfig. From there I searched around under the Startup tab for which files Spy Sheriff was loading. After a while I found the two files to be install.exe and ibm00001.exe. After unchecking both of these I rebooted the machine. From here I ran Ad-aware, and it found and seems to have removed Spy Sheriff. I did, however, have to manually remove the Winstall.exe and secure32.html files from the root of the drive. Attempts to run Ad-aware before using msconfig and then uninstalling Spy Sheriff were in my case unsuccessful. I have also heard that Microsoft's AntiSpyware Beta, if used properly, is effective here. More information on this threat is also available on Ad-aware's site.
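The startup entries and root files named above can be checked for by script instead of by eye. This is an added Python example, not code from the article or from Monster-Hardware; it assumes you have the msconfig Startup commands available as a list of strings, and the sample list below is constructed.

```python
import os
import ntpath
from typing import Iterable, List

# Startup entries the article found under msconfig's Startup tab. Note that
# install.exe is a generic name, so a hit is a lead to inspect, not proof.
STARTUP_INDICATORS = {"install.exe", "ibm00001.exe"}
# Files the article removed by hand from the root of the system drive.
ROOT_INDICATORS = {"winstall.exe", "secure32.html"}


def executable_name(command: str) -> str:
    """Lower-cased file name of the program a startup command line launches.

    Handles quoted paths ('"C:\\x y\\a.exe" /s') and unquoted paths containing
    spaces by cutting at the first '.exe' (a heuristic that suits Run entries).
    """
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        idx = command.lower().find(".exe")
        exe = command[:idx + 4] if idx >= 0 else command.split()[0]
    return ntpath.basename(exe).lower()


def check_startup(commands: Iterable[str]) -> List[str]:
    """Return the startup command lines whose program matches an indicator."""
    return [c for c in commands if executable_name(c) in STARTUP_INDICATORS]


def match_root(names: Iterable[str]) -> List[str]:
    """Return the indicator file names present in a directory listing."""
    return sorted(n for n in names if n.lower() in ROOT_INDICATORS)


def check_root(root_dir: str) -> List[str]:
    """Non-recursive check of a drive root (e.g. 'C:\\') for the indicator files."""
    try:
        return match_root(os.listdir(root_dir))
    except OSError:  # drive missing or unreadable: nothing to report
        return []


# Constructed sample of what msconfig's Startup tab might list (not real data).
SAMPLE_STARTUP = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r'"C:\WINDOWS\system32\install.exe" /silent',
    r"C:\Documents and Settings\All Users\ibm00001.exe /x",
    r'"C:\Program Files\Lavasoft\Ad-Aware SE\Ad-Aware.exe" +c',
]

if __name__ == "__main__":
    print("startup hits:", check_startup(SAMPLE_STARTUP))
    print("root hits:", check_root("C:\\"))
```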

I would like to take a minute here to offer a few suggestions. First, consider running a non-Microsoft browser, either Firefox or Opera. While neither of these programs has a perfect security track record, they are much better than IE. Not only that, but when an exploit is found it is patched much more quickly. Second, pay close attention to the types of sites you are visiting. As best I can tell, they seem to have picked up Spy Sheriff at one of the shady online games sites. Sticking to reputable, stand-up sites doesn't make you bullet-proof, but it does cut down your risk of infection. Last, but not least, consider turning off software installs through the browser entirely. Do you really need to install software through your browser? Possibly, but I bet that for the majority of you, like me, the answer is no. To do this in Firefox, type "about:config" in the address bar, scroll down near the bottom of the page to xpinstall.enabled, and set it to false.
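The xpinstall.enabled tip can be verified against a Firefox profile on disk rather than by clicking through about:config. This is an added Python example, not from the article, that parses the profile's prefs.js/user.js format; the sample profile text is constructed.

```python
import re

# Each pref is one line:  user_pref("name", value);  with value a "string",
# a number, or true/false. Lines starting with // are comments.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse user_pref lines into {name: value}; comments and blanks are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # unknown form: keep verbatim rather than guess
    return prefs


def xpinstall_disabled(text: str) -> bool:
    """True only if the profile explicitly sets xpinstall.enabled to false.

    Firefox's built-in default is true, so a profile that never mentions the
    pref still allows installs through the browser.
    """
    return parse_prefs(text).get("xpinstall.enabled") is False


# Line to append to user.js (or set via about:config) to apply the article's tip.
HARDENED_LINE = 'user_pref("xpinstall.enabled", false);'

# Constructed sample profile text, not taken from a real installation.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.http.max-connections", 24);
user_pref("xpinstall.enabled", true);
"""

if __name__ == "__main__":
    state = "disabled" if xpinstall_disabled(SAMPLE_PREFS) else "ENABLED"
    print("xpinstall is", state, "- to fix, add:", HARDENED_LINE)
```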

Conclusion:

Although I am sure no one from Spy Sheriff would admit it, what is going on here is actually virtual kidnapping: pay us 30 USD if you ever want to see your PC again. Even if you are flush with cash, you should NEVER do this. After all, if this racket they have going is financially successful for the makers of Spy Sheriff, you can bet it will encourage them to distribute more garbage like this onto the internet.



Jim Adkins



Copyright © by Monster-Hardware
All Rights Reserved.


Copyright © 2001 - 2014 by Jim Adkins

