Steve08533

Distinguished
Nov 26, 2005
15
0
18,510
Well I recently got infected with a nasty virus/malware, whatever it is. It was called Spy Sheriff and it also came with something called Surk Sidekick.
If you haven't heard of it, it basically, for me anyways, made some crazy wallpaper asking me to buy something to solve the problem.

Well, on to the problem.

I got it fixed and it's all gone, but there are things that are wrong with my computer.

1. My recycle bin icon is full, and when I click it, there's nothing inside, and when I delete something thinking it's going to the recycle bin, it doesn't, and I don't know if it's really gone or what.

2. When I turn on my computer several things pop up saying errors, like my ATI Catalyst Control Center (from my updated graphics card) won't load properly, and something called smax4pnp or something like that. I have no idea what that is.

3. My system restore points don't work.

So does anyone know what's wrong?
 

cowboytech

Distinguished
Feb 26, 2006
170
0
18,680
Along with Spysheriff did you find and kill 'ibm00001.exe', with the same date on it?

And a simple rule of thumb is: most of those malware and troj will infect your restore points, so I usually turn off restore before I even start the cleaning process, which varies depending on what you have caught.

If you can, go online and run the online scan from trendmicro:

http://housecall.trendmicro.com/
Read all of this before you start it!!!

I hope you did something like this: Spysheriff is malware and should not be used to clean a PC from spyware/adware/malware. It's pretty bad, e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.

Instead follow these steps:

1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
2. In the control panel go to "Add/Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
4. Look for this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
Also delete this branch in your registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
This file is scheduled to execute each time you boot and it will re-install Spysheriff.
Delete that file.
Update:

There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
6. Restart your system.
Done.

--------------------------------------------------------------------------------

Eddy Rassy, 12-28-2005, 07:11 AM
In addition to deleting the files mentioned by Tedster, which you can only delete in safe mode, Spysheriff will also hijack your web page with URL SECURE32.HTML. The only way to resolve this is by deleting this file in safe mode (it comes back if you try to delete otherwise) and also by removing this file from your registry.
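
A read-only check for the artifacts named in the removal steps above, added here as an example and not part of the original post. The file and key names are the ones quoted in the thread; the directories searched and the choice of the Run keys as the autostart location are assumptions.

```powershell
# Added example: read-only audit, nothing is deleted or modified.
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
# File names come from the thread; the directories searched are an assumption.
$fileNames  = 'winstall.exe', 'ibm00001.exe', 'secure32.html'
$searchDirs = "$env:SystemDrive\", $env:SystemRoot, "$env:SystemRoot\System32"
# Assumption: the thread does not say where the boot-time entry lives; Run keys are checked.
$runKeys    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-KeyValues {
    # Emit one object per value stored directly under each existing key.
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Data = [string]$item.GetValue($name) }
        }
    }
}

function Find-NamedFiles {
    # Report size and creation time so files created together can be spotted.
    param([string[]]$Dirs, [string[]]$Names)
    foreach ($dir in $Dirs) {
        foreach ($name in $Names) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                Get-Item -LiteralPath $path -Force |
                    Select-Object FullName, Length, CreationTime
            }
        }
    }
}

# Case-insensitive match of any listed file name inside an autostart command line.
$pattern = ($fileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

'Policy values (step 4):'
Get-KeyValues -Keys $policyKeys | Format-Table -AutoSize
'Named files present (step 5):'
Find-NamedFiles -Dirs $searchDirs -Names $fileNames | Format-Table -AutoSize
'Run entries referencing those files:'
Get-KeyValues -Keys $runKeys | Where-Object { $_.Data -match $pattern } | Format-Table -AutoSize
```

Running it again after cleanup and a reboot shows whether any of the listed values or files have come back.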
 

Steve08533

One More question.
This is kinda annoying, when I start up Windows this error box comes up, does anyone know how to get rid of it? When I look at the Windows task manager it calls the error box klsx9e.exe and it is in my system32 folder under C:\WINDOWS. But when I right-click and delete, it says cannot delete, access is denied, make sure it is not in use, and when I try to right-click it from the Windows task manager, it just won't go away from the list.

annoying.jpg
 

cowboytech

Sad news my friend, you have only started killing the bad stuff. If it is calling for "archi.exe" you still have some infections, and it trying to get archi is just one of them. Hey, safe mode with networking, in administrator, is my favorite online scan. PS... look at what it was trying to start, still.
Archi.exe = http://www.symantec.com/avcenter/venc/data/w32.ftrap.html

Hey, are you sure you ran trendmicro? Either way, go online and go to panda = http://www.pandasoftware.com/products/ActiveScan.htm

If you ran the right scan on trend it will kill viruses and spyware, on Panda it will only kill the viruses and tell you what spyware is still left.
Personally I use Panda Titanium for protection.
 

Steve08533

I ran that virus scan thing, and it said I had 6 viruses, about 93 spyware. It didn't have an option to do anything about them though... just told me about them. I'm surprised though, because I ran Norton Anti-Virus and Microsoft Antispyware and this didn't come up.
 

cowboytech

Ok, so on your machine, we are still in the "identify the software problems" stage. After we have identified these, then we need to kill them, remove them, etc., and it depends on what they are as to what we have to do to get rid of them. You go to safe mode with networking and run Trend again; this time look at more stuff on the page and you should see next.
Hey, even when you run this the way it is intended, and successfully remove all, I always do a shutdown, restart and scan again. And I scan again until I get a "No infections" type notification. Then and only then you get to repair the damage done by these infections, or else you could be wasting your time. Now, if you had one-on-one professional help here, the infections and chat with you usually tell me where and while doing what you probably caught these problems, 'cause I hope after all this you don't want to go through this again.
 

cowboytech

About the Norton or any other protection tool, most of these are being told to allow, or ignore, the bad stuff in these buggers. So, when you use them to scan they never see the things you told them you wanted in your machine. After a lot of practice you go into the ignore areas of these tools and can tell quickly that the machine has infections. So if you don't know how to use these areas I try to tell folks to "get a second opinion", you know, Trend, Panda etc... Hey, the bad news: sometimes, depending on what you have, even they can be told to ignore, or in most cases the problems are still cloaked behind a smaller problem, and you have to kill the smaller problem before the software can dig out the bigger problems. You are on your way to repairing the bad software that has got into your machine now.