Spy Sheriff - so how do people get infected w/ this thing?

Posted by Todd H. on January 2, 2006, 1:09 am

I've now had two friends get nailed with this Spy Sheriff rogue
anti-spyware app. While I've managed to clean up the infections (and
there are several resources on that out there on the net to help with
that) for these folks, what I'm most interested in is:

"Where/how are people getting this?"

Both are XP SP2 users. What's concerning is that this second buddy of
mine is a person that's generally careful and does all the stuff yer
supposed to do to use windows semi safely (not use IE or OE, he uses
Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
enabled, knows not to click on things in emails, keep the antivirus
scanner updated religiously, periodically scan with ad aware se, etc),
yet he STILL got infected. The only thing he does that I don't
recommend is that he does have an AOL account and runs their stuff
periodically to connect to them. Software is AOL 9.0 AOL
16.4184.5300.

So does anyone happen to know the vulnerability/sites where folks are
picking this up?

For those who haven't seen it, it's a tricky friggin program
apparently. It somehow gets installed, and then pops up telling you
it's detected all sorts of malware and offers to clean it up, but then
stonewalls the (typical) user from doing anything else with their
computer until they register the software and pony up their money.

As in:
http://elamb.blogharbor.com/hacked/removespysheriff.htm

Helpful in cleanup:
http://www.bullguard.com/forum/12/Spy-Sheriff-got-me-Please-help_25398.html


Best Regards,
--
Todd H.
http://www.toddh.net/


Posted by Vanguard on January 2, 2006, 1:50 am
>
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app. While I've managed to clean up the infections (and
> there are several resources on that out there on the net to help with
> that) for these folks, but what I'm most interested in is:
>
> "Where/how are people getting this?"
>
> Both are XP SP2 users. What's concerning is that this second buddy of
> mine is a person that's generally careful and does all the stuff yer
> supposed to do to use windows semi safely (not use IE or OE, he uses
> Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
> enabled, knows not to click on things in emails, keep the antivirus
> scanner updated religiously, periodically scan with ad aware se, etc),
> yet he STILL got infected. The only thing he does that I don't
> recommend is that he does have an AOL account and runs their stuff
> periodically to connect to them. Software is AOL 9.0 AOL
> 16.4184.5300.
>
> So does anyone happen to know the vulnerability/sites where folks are
> picking this up?


Your friend could run System Restore and look at the checkpoints saved
therein. If it triggered due to an install, it lists what triggered it. He
might see whatever he installed a while back. Your friend should also
get accustomed to saving a checkpoint before performing an install and
noting why he created the checkpoint. Your friend probably got it from
something else he installed; i.e., it was bundled in something else. Your
friend should also reconfigure their browser to prompt for ActiveX downloads
so he/she knows when some site is trying to push one onto their computer.
AX is another method of delivery for this rogueware.

--
_______________________________________________________
** Post replies to the newsgroup. Share with others. **
For e-mail, remove "NIX" and append "#VC811" to Subject.
_______________________________________________________
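
The "prompt for ActiveX downloads" advice above maps to Internet Explorer's per-zone URL action settings. The following read-only audit script is an added example, not code from this thread; it assumes the Microsoft-documented action IDs for the Internet zone (zone 3) and reports which ActiveX actions are still set to silently allow.

```powershell
# Added example (not from the thread): audit the Internet Explorer
# "Internet" zone (zone 3) for the ActiveX download/run actions that the
# reply above recommends setting to Prompt.
# Value names are Microsoft's URL action IDs (documented in KB182569):
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1200 = Run ActiveX controls and plug-ins
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
# Only HKCU is checked; an HKLM policy override (Security_HKLM_only)
# is not handled here.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Stop if the zone key is missing: nothing to audit on this profile.
$zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop

foreach ($id in ($actions.Keys | Sort-Object)) {
    $data = $zone.$id
    if ($null -eq $data) {
        $state = 'not set (zone default applies)'
    } elseif ($labels.ContainsKey([int]$data)) {
        $state = $labels[[int]$data]
    } else {
        $state = "unknown value $data"
    }
    # Flag entries that let a site push a control without asking the user.
    $flag = if ($data -eq 0) { '  <-- silently allowed; set to Prompt (1) or Disable (3)' } else { '' }
    '{0} {1,-36} {2}{3}' -f $id, $actions[$id], $state, $flag
}

# To change one entry to Prompt, for example signed downloads:
#   Set-ItemProperty -Path $zonePath -Name 1001 -Value 1 -Type DWord
```

Run it in the user's own session, since the settings live under HKCU and differ per profile.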


Posted by BigJim on January 2, 2006, 2:36 am
some people get it from going to porn sites and looking at the free stuff
>
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app. While I've managed to clean up the infections (and
> there are several resources on that out there on the net to help with
> that) for these folks, but what I'm most interested in is:
>
> "Where/how are people getting this?"
>
> Both are XP SP2 users. What's concerning is that this second buddy of
> mine is a person that's generally careful and does all the stuff yer
> supposed to do to use windows semi safely (not use IE or OE, he uses
> Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
> enabled, knows not to click on things in emails, keep the antivirus
> scanner updated religiously, periodically scan with ad aware se, etc),
> yet he STILL got infected. The only thing he does that I don't
> recommend is that he does have an AOL account and runs their stuff
> periodically to connect to them. Software is AOL 9.0 AOL
> 16.4184.5300.
>
> So does anyone happen to know the vulnerability/sites where folks are
> picking this up?
>
> For those who haven't seen it, it's a tricky friggin program
> apparently. It somehow gets installed, and then pops up telling you
> it's detected all sorts of malware and offers to clean it up, but then
> stonewalls the (typical) user from doing anything else with their
> computer until they register the software and pony up their money.
>
> As in:
> http://elamb.blogharbor.com/hacked/removespysheriff.htm
>
> Helpful in cleanup:
> http://www.bullguard.com/forum/12/Spy-Sheriff-got-me-Please-help_25398.html
>
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/
>



Posted by Max Wachtel on January 2, 2006, 2:55 am
comphelp@toddh.net AKA Todd H. on 1/2/2006 in

>
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app. While I've managed to clean up the infections (and
> there are several resources on that out there on the net to help with
> that) for these folks, but what I'm most interested in is:
>
> "Where/how are people getting this?"
>
> Both are XP SP2 users. What's concerning is that this second buddy of
> mine is a person that's generally careful and does all the stuff yer
> supposed to do to use windows semi safely (not use IE or OE, he uses
> Mozilla v1.7.8 to surf and read email, has XP sp2 w/ windows updates
> enabled, knows not to click on things in emails, keep the antivirus
> scanner updated religiously, periodically scan with ad aware se, etc),
> yet he STILL got infected. The only thing he does that I don't
> recommend is that he does have an AOL account and runs their stuff
> periodically to connect to them. Software is AOL 9.0 AOL
> 16.4184.5300.
>
> So does anyone happen to know the vulnerability/sites where folks are
> picking this up?
>
> For those who haven't seen it, it's a tricky friggin program
> apparently. It somehow gets installed, and then pops up telling you
> it's detected all sorts of malware and offers to clean it up, but then
> stonewalls the (typical) user from doing anything else with their
> computer until they register the software and pony up their money.
>
> As in:
> http://elamb.blogharbor.com/hacked/removespysheriff.htm
>
> Helpful in cleanup:
> http://www.bullguard.com/forum/12/Spy-Sheriff-got-me-Please-help_25398.html
>
>
> Best Regards,
******************Reply Separator*************************
You did not mention any real-time scanning, anti-spyware programs that
your friend uses.
I have written some pages to help you.

Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html

max
--
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236

Posted by Volker Birk on January 2, 2006, 6:12 am
> I've now had two friends get nailed with this Spy Sheriff rogue
> anti-spyware app. While I've managed to clean up the infections

Did you flatten and rebuild?

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

> he uses
> Mozilla v1.7.8 to surf and read email

An old release. Maybe updating would help.

http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla

F'up2here.

Yours,
VB.
--
A vision statement is, as a rule, the planless babbling of a horde of
cranks out of touch with reality.
        Dietz Pröpper in d.a.s.r
