Shrike

Spysheriff The Spyware Causing Anti-Spyware...

Many of you probably already know of SpySheriff and its corrupt nature, and maybe there was already a post about it here, but either way, if I can let a few people know, I'll have helped them avoid some of the troubles that I went through. First of all, under no circumstances should you install SpySheriff.

SpySheriff is a corrupt, illegally distributed anti-spyware program. It is secretly installed on victim computers by various trojans and through certain web browser exploits. Once executed, SpySheriff registers itself in the system and runs a payload. It changes the desktop background to a fake warning message, forbids access to some web sites and may even block any attempts to connect to the Internet. The parasite can also disable some essential Windows components and tools, such as System Restore and the Date and Time application. In some cases SpySheriff may attempt to delete certain installed anti-spyware programs, crash the system and display bogus system error reports. This malware is able to prevent the user from uninstalling it. It can also restore its removed components. SpySheriff automatically runs on every Windows startup.

Article from http://www.2-spyware.com/ (see the original article there).

Several installations ago I made the mistake of downloading and installing SpySheriff; its website (http://ww1.spysheriff.com/) does a convincing job of portraying it as a legitimate spyware removal program. However, once I installed it my computer quickly became infected with all sorts of adware and spyware, and despite my best efforts I couldn't get rid of them. SpySheriff would go through its process and pretend to remove them while changing OS settings and locking up the Internet. I eventually had to reformat my hard drive and reinstall Windows XP... I found out later that it was in fact SpySheriff that had caused the problem in the first place.

This infection has been spreading around for some time now and it's ever changing. It's really a part of the Smitfraud infection and can come in various flavours, if you can call it that. Removing it used to be a huge pain, until some authors came up with a tool to help remove most of the infection and render it useless (except for a few things to clean up, maybe, at most).

For the instructions on how to fix this, read up on Grinler's article at BleepingComputer.

Yeah, it would have been nice if I had known what the problem was while I was infected. Thanks for the link to the fix; I'll keep that in case I get infected again from some obscure .exe I download! I'm using Zone Alarm Internet Security Suite, which includes an anti-virus/anti-spyware, but it still misses a lot.

Spy Sheriff is a system hijacker that causes popups to appear on your computer telling you that you have spyware installed (which you do!). Clicking on the alert brings you to a website which attempts to sell you a bogus spyware program called "Spy Sheriff".

In order to remove this infection we will need to use HijackThis to manually remove it:

1. Print out these instructions, as we will need to shut down every open window later in the fix.
2. Download and install CleanUp!, but do not run it yet.
   *NOTE* CleanUp! deletes EVERYTHING in temp/temporary folders and does not make backups.
3. Download, install, and update Ewido Security Suite:
   1. Install Ewido Security Suite.
   2. Launch Ewido; there should be a big E icon on your desktop, double-click it.
   3. The program will prompt you to update; click the OK button.
   4. The program will now go to the main screen.
   5. On the left-hand side of the main screen, click on Update.
   6. Click on Start. The update will start and a progress bar will show the updates being installed.
4. After the updates are installed, exit Ewido.
5. Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
6. Once in Safe Mode, open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
   1. Click Options...
   2. Move the arrow down to Custom CleanUp!
   3. Put a check next to the following:
      Empty Recycle Bins
      Delete Cookies
      Delete Prefetch files
      Scan local drives for temporary files
      Cleanup! All Users
   4. Click the OK button.
   5. Press the CleanUp! button to start the program.
7. After CleanUp! is finished, start Ewido Security Suite:
   1. Click on Scanner.
   2. Make sure the following boxes are checked before scanning:
      Binder
      Crypter
      Archives
   3. Click on Start Scan.
   4. Let the program scan the machine.
   5. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Clean, then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
8. When the scan is complete, exit the program and reboot back to normal mode.
9. Click on Start, then Control Panel, and double-click on the Add/Remove Programs icon.
10. Uninstall the SpySheriff program and then exit Add/Remove Programs.
11. Delete the following, if found:

    C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <- whole folder
    C:\Documents and Settings\user account\Application Data\Install.dat
    C:\Program Files\SpySheriff <- whole folder
    C:\Windows\Desktop.html
    C:\winstall.exe
    C:\Program Files\Daily Weather Forecast\

    *NOTE* "user account" is not the actual name of that folder. The name of that folder will be the name of your user profile.
12. Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to C:\hijackthis. We will use this program later.
13. Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HijackThis and press the Scan button. Place a check next to the following items, if found, and click FIX CHECKED:

    O4 - HKCU\..\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

14. Close HijackThis.
15. Download the smitfraud .reg file to your desktop (right-click the link in the original post and choose Save As; in IE it's Save Target As).
16. Double-click smitfraud.reg on your desktop. When asked if you want to merge it with the registry, click YES.
17. After the "merged successfully" prompt, use Windows Explorer to navigate to the following folder:
    C:\Windows\Prefetch
18. If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder, just the files inside.)
19. Reboot your computer.
20. You should be able to change your desktop back to normal now.

Your computer should now be free of the SpySheriff infection.


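As an added example, not part of the post above or of the BleepingComputer guide it follows, here is a PowerShell script that checks a machine for the same indicators the post lists in steps 11 and 13 (the three Run-key entries and the six file/folder paths) and, only when asked, removes them. Assumptions: the paths are the ones the post gives, so the Windows XP profile layout is assumed (resolved through the USERPROFILE, APPDATA, ProgramFiles, SystemRoot and SystemDrive environment variables); PowerShell is available on the machine; the shell runs as an administrator (the HKLM entry cannot be removed otherwise) and, for removal, from Safe Mode as the post recommends. The indicator list is the post's and is not exhaustive, since the thread itself notes that the infection keeps changing.

```powershell
# Added example (not from the post or BleepingComputer): audit a Windows host for the
# SpySheriff indicators listed in the post and, with -Remove, delete them.
# Run elevated, and from Safe Mode when removing. The indicator list is the post's own.
param(
    [switch]$Remove
)

# Run-key entries from the HijackThis O4 lines: value name plus the executable its data should name.
$runEntries = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'SpySheriff';             Exe = 'SpySheriff.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Windows installer';      Exe = 'winstall.exe' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Daily Weather Forecast'; Exe = 'weather.exe' }
)

# File-system artefacts from step 11, with the "user account" placeholder resolved from the environment.
# Assumes the Windows XP profile layout the post uses (Start Menu directly under the profile folder).
$paths = @(
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\SpySheriff'),
    (Join-Path $env:APPDATA 'Install.dat'),
    (Join-Path $env:ProgramFiles 'SpySheriff'),
    (Join-Path $env:SystemRoot 'Desktop.html'),
    (Join-Path $env:SystemDrive 'winstall.exe'),
    (Join-Path $env:ProgramFiles 'Daily Weather Forecast')
)

$found = 0

foreach ($entry in $runEntries) {
    if (-not (Test-Path -Path $entry.Key)) { continue }
    $props = Get-ItemProperty -Path $entry.Key
    $prop = $props.PSObject.Properties[$entry.Name]
    if ($null -eq $prop) { continue }

    $data = [string]$prop.Value
    if ($data -like ('*' + $entry.Exe + '*')) {
        $found++
        Write-Output ('RUN  {0}\{1} = {2}' -f $entry.Key, $entry.Name, $data)
        if ($Remove) {
            Remove-ItemProperty -Path $entry.Key -Name $entry.Name -ErrorAction Stop
            Write-Output ('     removed value {0}' -f $entry.Name)
        }
    } else {
        # Same value name but different data: report it, never delete what we did not expect.
        Write-Output ('WARN {0}\{1} exists but points at {2}; left alone' -f $entry.Key, $entry.Name, $data)
    }
}

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $found++
        Write-Output ('FILE {0}' -f $p)
        if ($Remove) {
            Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction Stop
            Write-Output ('     removed {0}' -f $p)
        }
    }
}

if ($found -eq 0) {
    Write-Output 'No SpySheriff indicators from the post were found.'
} elseif (-not $Remove) {
    Write-Output ('{0} indicator(s) found. Re-run with -Remove (from Safe Mode, as administrator) to delete them.' -f $found)
}
```

Run it with no arguments first to get the report. A Run value that merely shares a name with one of the post's entries (the "Windows installer" name is the obvious case) but points at a different executable is reported as a warning and left alone, so the script only deletes the exact persistence the post describes; anything else is for you to judge, as with the HijackThis log.
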
Whoa, I didn't know before that SpySheriff could infect my computer. Thank you. But be careful: I know some products named "Pest Trap" and "Spy Trooper"; they are the same as SpySheriff. I visited their homepage and was surprised that there is no change from SpySheriff's page except the name of the products.
