Spyware Sucks

Although I have never managed to fall victim to spyware or other variants, I am the de-facto Help Desk for my family, as I’m sure many tech-savvy family members are.

My brother-in-law lives in Atlanta and whenever I visit, I check their computers, apply any required updates and patches, and install anything I think they need. This time, I had known for a few months that his computer was totally hosed, since he described the problems over the phone to me. I instructed him to disconnect his network cable so that the problems wouldn’t get any worse. About all he wanted to do was play video games as a single player, so losing network access wasn’t a big deal.

Oh, and this is a post about cleaning up Spyware, so of course, he’s running Windows (2000).

When I got here, I expected the clean-up effort to be pretty easy: a little virus scan here, two or three runs of Spybot: Search & Destroy, and that would be that.

Boy, was I wrong.

It turned out that, not only had he fallen victim to some spyware and adware, but that he had been successfully attacked by several Trojan Horses. These programs were running on startup and basically re-installing all the stuff that I kept uninstalling every time.

My first mistake was not running the virus scanner as my first order of business. I ran Spybot a few times between reboots, and some of the things couldn’t be removed for one reason or another, so I ended up performing some boot-time scans as well. Apparently, this kind of pissed off whatever was installed and everything seemed to get worse: there was a new program running called SpySheriff, which is a thinly-veiled effort to get you to buy something that you don’t need (i.e. a spyware cleaner that installs more spyware).

After wising up and installing my favorite anti-virus package, Avast!, it detected virii running in memory and recommended a boot-time scan. Of course, I accepted the offer and rebooted.

Along with a host of other files that were infected with things like win32:Trojano, win32:Trojan-XYZ (where XYZ is a random number between 1 and 1000), win32:Beavis-A, and a host of festering, adware-style trash, I was dismayed to learn that explorer.exe was infected with something. I tried to “repair” the file, but there was nothing to be done: it had to be deleted. I did that with a heavy heart, since I didn’t know how Windows would act with its primary shell gone. I figured that I would have to reinstall the OS if it was that badly damaged, anyway, so I’d better just delete the damned thing.

After all that, Windows started up, but with no desktop (as I would have expected). Fortunately, CTRL-ALT-DEL still worked, and I was able to run the command prompt and get some real work done. Conveniently, Windows still comes with expand.exe, and I had earlier copied all of the original files from the installation CD to his hard drive. Using those, I was able to restore explorer.exe and make some more progress.

It took several grueling rounds of reboot, virus scan, kill evil-looking resident programs, spyware scan, and then cleanup of Internet Explorer’s “Temporary Internet Files” folder because it ended up containing adware on every reboot. But, I was able to finally exorcize the machine of all the crap that was on it. Below is a list of extremely useful programs that I keep in my bag of tricks to clean computers:

  • Avast! AntiVirus. Nice, ’cause it’s free for home use and very reliable.
  • Spybot: Search & Destroy. There’s no better spyware cleaner if you ask me.
  • Process Explorer from Sysinternals. This puppy shows you everything, and will even let you scan for which program is using a particular file and snoop what resources a program is using.
  • Autoruns, also from Sysinternals. This one was new to me, but I had to root out lots of stuff that was re-installing itself on boot, and Windows has like 12 different places where run-on-boot programs can be specified.
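The Autoruns bullet above mentions that Windows has many run-on-boot locations. The following PowerShell script is an added example (mine, not from the post or from Sysinternals) that lists the most common autostart registry keys plus the Winlogon Shell and Userinit values, and flags any command that does not live under the Windows or Program Files directories. The key list and the path heuristic are my assumptions, not an exhaustive inventory; Autoruns itself covers far more locations, and since Windows 2000 has no PowerShell, this targets later Windows versions.

```powershell
# Added example, not from the original post: enumerate common autostart
# registry locations so that software re-installing itself on every boot
# can be spotted before the next reboot. Run with administrator rights.
# The key list below is an assumption about "the usual places"; tools such
# as Autoruns inspect many more.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-AutostartEntry {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... members; skip them.
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }

    # Winlogon values that desktop hijackers commonly overwrite. Expected
    # defaults are 'Explorer.exe' for Shell and '<windir>\system32\userinit.exe,'
    # for Userinit; anything else deserves a close look.
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Shell', 'Userinit') {
        $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $value) {
            [pscustomobject]@{ Key = $winlogon; Name = $name; Command = $value }
        }
    }
}

# Heuristic (an assumption, not a rule): a startup command outside the
# Windows/WINNT or Program Files trees is a common sign of unwanted software.
function Find-SuspiciousAutostart {
    Get-AutostartEntry | Where-Object {
        $_.Command -and ($_.Command -notmatch '^"?[A-Za-z]:\\(Windows|WINNT|Program Files)')
    }
}

Write-Host 'All autostart entries found:'
Get-AutostartEntry | Format-Table -AutoSize
Write-Host "`nEntries outside the Windows/Program Files directories (review these):"
Find-SuspiciousAutostart | Format-Table -AutoSize
```

The script only reads the registry; removing an entry is a deliberate follow-up step once you have identified what the command is, ideally with Process Explorer confirming whether the program is still running.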

Now, it was time to fix everything that was broken. For example, SpySheriff (or another program, it’s pretty much impossible to tell) changed the Desktop to be a web page telling me that my computer had been “stopped” due to spyware and virus activity. Now that I had cleaned it out (no thanks to SpySheriff), I was going to restore the desktop to its previous state. Unfortunately, the options to change any desktop settings were mysteriously greyed-out. This was obviously the work of nefarious software. I set about finding out what happened and how to fix it. Along the way, I discovered that the following items had been hosed by all the software that had taken over my brother-in-law’s computer.

  • ActiveDesktop permanently* enabled
  • Desktop wallpaper permanently disabled
  • Windows AutoUpdate permanently disabled

* By permanently enabled or disabled, I mean that changing these settings was not possible through the usual user interfaces.

After much searching, I found out how to fix each of these problems. Below, I describe them so that others might have an easier time finding this information.

ActiveDesktop is Permanently Enabled

I feel bad that I can’t remember precisely where I found this information or what it was, but I believe that checking this registry value will help you out a lot:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (you’ll want this to be set to “0” — zero).

Desktop Wallpaper is Disabled

Using the information found at this site (http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_or_Wpexe_bswexe_WindowsFY-t17258.html), I found a registry script that you can run to clean up after a handful of evil programs. I was leery of blindly running that script on my own registry, so I picked out those changes that seemed to make sense for me. Here they are for convenience:

Delete the following keys and their values:

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System:
NoDispAppearancePage, Wallpaper, WallpaperStyle, and NoDispBackgroundImage

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:
NoActiveDesktopChanges

In HKEY_CURRENT_USER\Control Panel\Desktop:
Wallpaper, WallpaperStyle

AutoUpdate is Disabled

I first found this site (http://www.amset.info/windows/auto-updates.asp), which told me which registry keys were significant (search for “greyed out”). Unfortunately, there was more to it than their suggested fix, so I went looking for more information about those registry values. I found this site (http://www.susserver.com/FAQs/FAQ-InterpretingAUStateValues.asp) which described all the possible values and their meaning. That didn’t help too much, so I kept looking and found this site (http://snakefoot.fateback.com/tweak/winnt/service/abc.html#AUTOMATIC_UPDATES) which pretty much lays it all out there for you. Using that information, I was able to correct all of the registry values that had been hosed.
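The three sections above (ActiveDesktop, wallpaper, AutoUpdate) each come down to policy values that a user cannot change through the normal dialogs. The PowerShell script below is an added example (mine, not from the original post) that audits those values and, only when run with -Fix, reverts them: ForceActiveDesktopOn is set back to 0 and the other listed values are deleted, exactly as the post describes. The Windows Update entry, the NoAutoUpdate policy value under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, is my assumption from general knowledge of that policy and is not something the post names; the post’s own AutoUpdate fix came from the linked sites. It assumes a Windows version with PowerShell and administrator rights for the HKLM part.

```powershell
# Added example, not from the original post: audit the desktop-lockdown
# registry values the post describes and, only with -Fix, revert them.
param([switch]$Fix)

# Cleanup action per value. 'Delete' follows the post's instruction to remove
# the value; 'Zero' sets ForceActiveDesktopOn to 0. The WindowsUpdate\AU
# entry is an assumption about the NoAutoUpdate policy, not a value the
# post itself names.
$lockdown = @(
    @{ Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @{ ForceActiveDesktopOn = 'Zero'; NoActiveDesktopChanges = 'Delete' } },
    @{ Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = @{ NoDispAppearancePage = 'Delete'; Wallpaper = 'Delete'
                  WallpaperStyle = 'Delete'; NoDispBackgroundImage = 'Delete' } },
    @{ Key   = 'HKCU:\Control Panel\Desktop'
       Names = @{ Wallpaper = 'Delete'; WallpaperStyle = 'Delete' } },
    @{ Key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Names = @{ NoAutoUpdate = 'Delete' } }
)

# Report every listed value that is currently present, with its planned action.
function Test-DesktopLockdown {
    $findings = @()
    foreach ($entry in $lockdown) {
        if (-not (Test-Path $entry.Key)) { continue }
        $props = Get-ItemProperty -Path $entry.Key
        foreach ($name in $entry.Names.Keys) {
            if ($null -ne $props.$name) {
                $findings += [pscustomobject]@{
                    Key = $entry.Key; Name = $name; Value = $props.$name; Action = $entry.Names[$name]
                }
            }
        }
    }
    return $findings
}

# Apply the action recorded for each finding.
function Repair-DesktopLockdown {
    foreach ($f in Test-DesktopLockdown) {
        if ($f.Action -eq 'Zero') {
            Set-ItemProperty -Path $f.Key -Name $f.Name -Value 0 -Type DWord
        } else {
            Remove-ItemProperty -Path $f.Key -Name $f.Name
        }
        Write-Host "Reverted $($f.Key)\$($f.Name)"
    }
}

$found = Test-DesktopLockdown
if (-not $found) { Write-Host 'No lockdown values present.'; return }
$found | Format-Table Key, Name, Value, Action -AutoSize
if ($Fix) { Repair-DesktopLockdown } else { Write-Host 'Re-run with -Fix to revert these values.' }
```

One caveat: the two values under Control Panel\Desktop are the user’s ordinary wallpaper settings, so the audit reports them even on a clean machine. They are only worth deleting when they point at the hijacked page; afterwards the user simply picks a wallpaper again. The Policies keys, by contrast, normally do not exist on a home machine at all, so anything found there is worth explaining.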

Since I was both working and enjoying my family — including my nephew who was celebrating his 1st birthday — it took me 4 days to do all this. *Sigh*

Needless to say, he’s now running with all the latest OS patches, Avast!, Spybot, and, of course, Mozilla Firefox as a replacement for Internet Explorer.

19 thoughts on “Spyware Sucks”

  1. What a LOT of work!!! Uncle Chris triumphs over the “evil do-ers” again. You have the grateful thanks from your “technologically disadvantaged” family.


  2. Thanks for all the hard work. I am having the same troubles (SpySheriff running, Windows Wallpaper disabled). It also has disabled task manager, making things even more difficult.

    I appreciate you taking the time to document your success!


  3. Thanks for the information, I couldn’t agree more, what a complete pain in the rear end. What a sales technique! I am now off to find the home of this SpySheriff to give him a piece of my mind.

    Thanks again


  4. Many thanks. You ended six hours of hell for me. That awful desktop has finally gone! Now I’m off to bed but I promise to read the rest of your ramblings tomorrow.

    Again, thank you.


  5. After days of un-doing the nasty SpySheriff spyware, that came through mlb.com when I was checking baseball scores, you finally gave me the solution I needed to get rid of their stupid wallpaper!!!!!!!!!!!!

    Before your blog I looked up so-called expert Windows XP sites, ran numerous registry scripts from well-intentioned but feckless experts and pulled out half my hair.

    Happy Father’s Day Uncle Chris!!!!!!!!! You da bomb!!!!!!!


  6. I saved your website to my favorites because you saved my computer from that bad SpySheriff…

    If you have any other good tips, please add them to your website and I will check in from time to time. In the meantime, I know a lot of others with this Pain-In-The-Ass SpySheriff program virus…

    Ad-Aware Pro removed SpySheriff and how you showed me to get rid of the desktop screen worked like a champ.

    I will pass this site to them…

    Mikey G.


  7. I know the feeling… I get this job, as well.

    One question, though: with a system THAT hosed, why not just back up, format, clean, and re-install Windows? Would certainly have taken less time…


  8. Sorry for not moderating these sooner — I had to wade through 180 blog comment spams to find these. Who knew that anyone actually read my blog!

    I’m glad that my post has helped you guys solve your problems.

    WRT reinstalling… with an old system, it’s not always easy to find the license key for windows for a re-install. Also, I didn’t have a Win2k CD handy. Given the fact that I’m trying to recover an infected system, downloading a potentially compromised CD image over the Internet seemed like a bad idea. 😉

    -chris


  9. Add another to the list of responses with the message omg you’re awesome thank you so much for helping me. Just fyi, this is the most helpful guide on how to rid oneself of spysheriff on the whole internet. Trust me, I looked.


  10. I was infected with this SpySheriff thing and after removing it I still could not figure out how to restore my desktop. Thanks very much for all your info. You have saved me much time and headaches! It’s nice to see someone who posts helpful information for no reason other than to help others. Thanks Uncle Chris!
    PS: one thing I found annoying was that Microsoft Anti-Spyware had found SpySheriff and reported it as “potentially unwanted software”. NO DUH!


  11. Same thing happened to me. I said ‘screw it’ though and just put my pictures on a flash drive and reinstalled the OS. SpySheriff really pisses you off though. It would be painfully ironic (and funny to boot) if someone were to hack into their servers and install their own spyware on their comps.


  12. A friend’s father got nailed with this. Your procedure for removal was very helpful.

    Thanks for taking some of your time to do this. It saved ME a lot of time.


  13. I seriously don’t know how companies can be so blatant about their spyware activities and remain in business. SpySheriff still has a website running after all the bullcrap they’ve caused. I came home tonight to my girlfriend pointing at my hijacked desktop with an “I don’t know what happened” look on her face. I ran my anti-virus and spyware programs, got rid of it. Then deleted the active desktop registry keys. Luckily, through the trial and error efforts of others, I was able to Google the steps for removal.
