
Titan Shield Antispyware, A Spyware Sheriff Variant


15 replies to this topic

#1 Doom Cometh

Posted 08 June 2006 - 12:52 PM


How To Remove Titan Shield And Antispywarebox.com (removal Instructions here) - Grinler


Hello,

I stumbled across the post "How to Remove Spyware Sheriff and Antispylab" - this was a great post and it sounds like the problem that I am having is a slight variant.

My browser will go to www.antispywarebox.com and they are trying to sell the following three products in order:
- Titan Shield Antispyware
- Adware Sheriff Antispyware
- Regfreeze Antispyware

Otherwise all the other symptoms are the same. I tried the SmitFraudFix and it worked initially (I followed all the steps) but when I run either an Explorer window or Internet Explorer, the infection returns, so I am guessing that there are probably some different registry keys and/or exe's that are not being removed.

I was wondering if you were familiar with the differences between the Spyware Sheriff infection, and if you could point me to a fix. If not, I would be more than happy to post a HijackThis log.

Thank you for your help. This is a great resource.
-:thumbsup:

Edited by Grinler, 13 June 2006 - 08:05 AM.

Doom Cometh


#2 quietman7

Bleepin' Janitor

Posted 08 June 2006 - 01:20 PM

When you say the infection returns, can you describe exactly what's going on?

Are you just getting the fake "Your computer is infected" message in the system tray or are there other symptoms present?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Doom Cometh

Posted 08 June 2006 - 02:40 PM

Hi Quietman7, thanks for the response!

I have Spybot S&D setup on my system now, so when I launch Explorer or Internet Explorer, twelve "Registry change denied" messages appear. Prior to configuring Spybot, these items were doing all of it - rerouting my blank page, changing my home page, crashing lsass, displaying the "your system may be infected" messages, the "Your system may be infected" message from the system tray, etc. I also get one "Registry change denied" message when I close an Explorer or Internet Explorer window. Spybot is doing a good job of neutralizing it.

Currently the only undesirable behavior that I am seeing (besides the Spybot messages) is that when I enter "Titan Shield", "Spyware Sheriff", antispywarebox or a few other strings in a Google search on Internet Explorer, IE is rerouted to //antispywarebox.com/

Thanks,
-:thumbsup:

Edited by KoanYorel, 08 June 2006 - 03:34 PM.

Doom Cometh

#4 quietman7

Posted 08 June 2006 - 05:20 PM

Sounds like the entire infection was not removed, so let's try again. If this does not work, then I would suspect you have additional malware on your system that may be interfering with the fix. If that's the case, it will have to be identified and removed first. Anyway, give this a try and let's see if we can nail this.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download and install Ewido Anti-Malware v3.5. DO NOT perform a scan yet.
Print out the Ewido Install and Scan Instructions.

Go here and follow the instructions for using SmitfraudFix.
After using the tool reboot again in "SAFE MODE" and

Clean out your Temporary Internet files as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click "Delete Files" under Temporary Internet Files.
  • In the Delete Files dialog box, tick the "Delete all offline content" check box, and then click "OK".
  • On the General tab, click "Delete Cookies" under Temporary Internet Files, and then click "OK".
  • Click on the Programs tab then click the Reset Web Settings button. Click "Apply" then "OK".
  • Click "OK".
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click "Ok" then "Apply" and "Ok".

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Then perform a scan with Ewido and reboot back to normal mode.

#5 deke112

Posted 11 June 2006 - 07:54 PM

I tried this to the letter and I still have it. Please help. This is the scan report from Ewido, if this helps.


Scan result:

C:\WINDOWS\system32\qjrkvy.exe -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup
C:\WINDOWS\system32\users32.exe -> Not-A-Virus.Hoax.Win32.Renos.dk : Cleaned with backup
C:\WINDOWS\system32\winflash.dll -> Not-A-Virus.Hoax.Win32.Renos.dm : Cleaned with backup


::Report End

Edited by deke112, 11 June 2006 - 08:11 PM.


#6 quietman7

Posted 12 June 2006 - 04:09 AM

If that fix did not work, then it's time to have a deeper look as to what's going on with your system by creating a HijackThis log. This will help us to identify and remove the malware files responsible for your problems.

I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

It may take a while to get a response because the HJT Team members are very busy. Please be patient as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies as this makes it easier for them to identify those who have not been helped. If you post another response, a team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, delete files and other items on your own, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted and can complicate the malware removal process.

#7 Burt69

Posted 12 June 2006 - 07:23 AM

Doom, I'm having the Titan Shield problem as well. A few other things I see, though, are when I open Task Manager, it won't allow me access to Applications or Processes. Are you seeing the same thing?

#8 Grinler

Lawrence Abrams

Posted 12 June 2006 - 04:06 PM

I just put a guide on removing it here:

How To Remove Titan Shield And Antispywarebox.com (removal Instructions)

Let me know how it works out

#9 Grinler

Posted 12 June 2006 - 04:23 PM

Symptoms of this infection in a HJT log are:

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\System32\adobepnl.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
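
An added example, not part of the post above or of any BleepingComputer tool: a small Python checker that reads HijackThis O2 (BHO) and O4 (autostart) lines and flags those whose CLSID or image name matches the entries listed above. The function names, the sample log and the choice to match on CLSID and file name (rather than on "(no file)", which also appears on harmless orphaned entries) are assumptions of this example.

```python
import ntpath
import re

# Indicators copied from the HijackThis symptom list in the post above.
BHO_CLSIDS = set("""
{00000000-59D4-4008-9058-080011001200} {00000000-C1EC-0345-6EC2-4D0300000000}
{00000000-F09C-02B4-6EC2-AD0300000000} {2513A321-CB50-4C5F-91C5-80342AFACFB1}
{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} {7b55bb05-0b4d-44fd-81a6-b136188f5deb}
{8333c319-0669-4893-a418-f56d9249fca6} {9c691a33-7dda-4c2f-be4c-c176083f35cf}
{e52dedbb-d168-4bdb-b229-c48160800e81} {ffd2825e-0785-40c5-9a41-518f53a8261f}
""".lower().split())
FILE_NAMES = {"adobepnl.dll", "runsrv32.exe", "susp.exe", "titanshield.exe"}

O2_BHO = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4 target follows "[value name] " (Run keys) or " = " (Startup folder links).
O4_TARGET = re.compile(r'^O4 - .*?(?:\] | = )"?([^"]+?\.(?:exe|dll))\b', re.I)

def image_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path.strip().strip('"')).lower()

def scan(log_text):
    """Return (line_no, reason, line) for each O2/O4 line matching an indicator."""
    hits = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        bho = O2_BHO.match(line)
        run = O4_TARGET.match(line)
        if bho and bho.group(1).lower() in BHO_CLSIDS:
            hits.append((no, "BHO CLSID", line))
        elif bho and image_name(bho.group(2)) in FILE_NAMES:
            hits.append((no, "BHO file", line))
        elif run and image_name(run.group(1)) in FILE_NAMES:
            hits.append((no, "autostart file", line))
    return hits

# Constructed sample log: Example paths and the 1111.../AAAA... CLSIDs are made up.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} - (no file)
O2 - BHO: (no name) - {AAAAAAAA-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [Example Tray] "C:\Program Files\Example\tray.exe" /min
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
""".strip()

if __name__ == "__main__":
    for no, reason, line in scan(SAMPLE_LOG):
        print(f"line {no}: {reason}: {line}")
```

CLSIDs are compared case-insensitively because HijackThis prints them exactly as stored in the registry, and a match only says a line resembles the listed entries, not that the whole infection is accounted for.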

#10 deke112

Posted 12 June 2006 - 06:20 PM

I followed the instructions in the preparation guide and it seems to have worked, but now I cannot change my home page. It keeps defaulting back to msn.com.

#11 Grinler

Posted 12 June 2006 - 06:58 PM

If you go into Internet Explorer and change the home page there, press Apply and then OK, close IE and reopen it, it is back at msn?

#12 tg1911

Lord Spam Magnet

Posted 12 June 2006 - 06:59 PM

Check Spybot, to make sure you don't have the start page locked.

Open Spybot.
On the tool bar, at the top left, click Mode.
Click Advanced Mode.
A box will open, asking if you want to go to Advanced Mode, click Yes.
On the left, near the bottom, click the Tools tab.
Then on the menu, click IE tweaks.
In the panel on the right, make sure there is no check next to Lock IE start page settings against user changes (Current user).
If there is a check, remove it.
Close Spybot.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

#13 deke112

Posted 12 June 2006 - 08:26 PM

There was no check in the Spybot IE tweaks. I have tried changing it through Internet Explorer and other ways; it keeps going to msn.com. AAAAAAAAAARRRRRRRRRGGHHHHHHH

#14 Doom Cometh

Posted 13 June 2006 - 02:15 PM

Thanks Quietman7 and Grinler for solving this problem! You guys are great! My apologies for the slow response.

The SmitFraudFix did indeed work, however, I had to deviate from the instructions slightly. After confirming the registry clean in step 11, my system prompted me to either continue in Safe Mode or go to a System Restore point. Previously I had just rebooted the system, which did not successfully clean it. This time I selected option 3. Delete Trusted zone, then confirmed restoring the backup, and now my system is clean as a whistle. I was forced to use Safe Mode with Networking Enabled, which could account for the difference (this is my work system).

Burt69, the UI for both the Task Manager and Regedt32 was disabled; I couldn't kill processes or look at any registry keys. Sounds like exactly the same thing.
Doom Cometh

#15 Doom Cometh

Posted 13 June 2006 - 02:23 PM

Deke112, another suggestion:

- If Spybot S&D is resident in your system, right click on the icon in the system tray and select "Settings".
- A window called "Black & White List" should appear. Select the "Allowed registry changes" button.
- You should see the following regkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=<whatever you want it to be>

Check the "Blocked registry changes" and make sure this key is not there. If it is, delete it.
Doom Cometh