TechSpot

How To Remove Spysherriff

By Tedster
Dec 16, 2005
  1. Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.

    Instead follow these steps:

    1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
    2. In the control panel goto "Add/ Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
    3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button
    4. Look for this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\A ctiveDesktop
    It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
    Also delete this branch in your registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\S ystem
    5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
    This file is scheduled to execute each time you boot and it will re-install Spysheriff.
    Delete that file.
    Update:

    There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
    6. Restart your system.
    Done.
     
  2. Eddy Rassy

    Eddy Rassy TS Rookie Posts: 69

    In addition to deleting the files mentioned by Tedster, which you can only delete in safe mode, spysherif will also hijack your web page with URL SECURE32.HTML. The only way to resolve this is by deleting this file in safe mode (it comes back if you try to delete otherwise) and also by removing this file from your registry.
     
  3. Ruder

    Ruder TS Rookie Posts: 98

    It loads a large number of files in the temp dirs to hijack IE and reinstall itself.
    It also creates various files in the prefetch (???.pf files) queues to reinstall itself on reboot.

    Adaware should be able to remove / clean it.

    Stop surfing crackz & serialz sites ... :)
     
  4. Shadowrunner

    Shadowrunner TS Rookie Posts: 106

    thank you for that desktop tip you sweet geek! lol
     
  5. Nelanthrope

    Nelanthrope TS Rookie

    A friend of mine got infected with this SpySheriff. I didn't know too much about it at the time. She was having a problem with her IE page being hijacked and her background changed. So rather than do any of the steps above I told her to run Ad-Aware and Spybot S+D. She deleted the spy and adaware it count and her computer was running fine. For about a day it was fine. But now something new is happening. Her internet is completely knocked out, as in, nothing that uses the internet is running. It happened hours later. I know some spyware reinstalls, but the fact that it's acting differently makes me wonder what could have happened and what's wrong now. Anything that the two spyware programs missed that should be removed? Any help would be appreciated.
     
  6. Eddy Rassy

    Eddy Rassy TS Rookie Posts: 69

    Adaware and spybot will detect them amd temporary remove them, but will not clean the registry files forever.
    You have to follow the steps outlined in previous posts. Make sure you remove the files: 1)ibm00002.dll 2)secure32.html from various folders in your pc. and in your registry and you have to do it after booting in SAFE mode. NOT IN NORMAL MODE
     
  7. Tedster

    Tedster Techspot old timer..... Topic Starter Posts: 6,000   +15

    read the instructions posted.
     
  8. Fenunn

    Fenunn TS Rookie Posts: 27

    Virus

    I think I got a virus on my computer, what would be the best thing to do to remove it? And there's lots of pop-ups.
     
  9. Tedster

    Tedster Techspot old timer..... Topic Starter Posts: 6,000   +15

    read the instructions posted. run your anti-virus and several different anti-trojan horse programs and post the results.
    then ask your question.
     
  10. Luvholic

    Luvholic TS Rookie

    I have this spysherrif on my computer, I stopped it on my process, it wasnt on my add or remove programs to uninstall, but I got to c:/program files and its in a folder I click uninstall but it doesnt do anything, I also went to the registry But I couldnt find any of the keys they said to delete.
     
  11. Eddy Rassy

    Eddy Rassy TS Rookie Posts: 69

    It looks like you stopped it on time before getting into your registry and damaging your IE and freezing your desktop. If you did not find the files named: secure32.dll and ibm00002.dll in the registry, it means it did not do any damage. But if you are getting error messages naming spysherif as the cause, try to post these messages and any other issues and any file names it gives.
    I still think you should boot the computer in safe mode, search and delete any reference files to the spysherif and uninstall it there.
    Good Luck
     
  12. faith_01

    faith_01 TS Rookie

    Spysheriff/Adware Sheriff are they the same?

    I have a question, I had spysheriff on my computer but I think I got rid of it. However now I have this pop up and other stuff going on. My background is black and a maroon box in the middle saying Warning! my comp. is infected with spyware...ect... On the bottom right hand side there are two icons that are similar yet different. One is a circle and one is a triangle and they both have a "!" in the middle. Ex. /!\ (!) When I click on the pop up which says to get something to get rid of spyware it takes me to adware sheriff. Is it spysheriff taking on a different name or something completly different? I did my homework however I cant seem to find much about adware sheriff.
     
  13. Eddy Rassy

    Eddy Rassy TS Rookie Posts: 69

    Try this first:
    Do a wild card search on sheriff, that is *sheriff* and delete every file that you see sheriff in it.
    Search for a file called: SECURE32.DLL and delete it from everywhere including your registry (while in safe mode) this is the one that changes and locks your desktop background and creates the maroon window.
    Search for the file winstall.exe and delete it It sounds like the old spysheriff got another name for itself like you said
    Good Luck
     
  14. vidall

    vidall TS Rookie

    Hello!
    I’ve been using a soft, which could be of some help to you.Although im not 100% sure. I like it for it’s speed and for the fact that it doesn’t overload the computer. Why don’t you try it? link in my sygnature
    _____________________
    http://killspy.net
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Before recommending Killspy. Take a look HERE. and HERE.

    Doesn`t look quite as good as you think.

    Regards Howard :)
     
  16. vidall

    vidall TS Rookie

    Thank you very much!
    But yesturday i bought this soft :zzz:
    oh my money!
     
  17. fretti2003

    fretti2003 TS Rookie

    about the spy sherrif

    hi people i got the spy sherrif thingy all it really is is a fake virus so im told, anywasy i got it a few moth back an was tryin for days to free my system of it, wow how frustraitin was that i looked around on different forums and the things i tried diddnt seem to work till i downloaded spy doctor, that programm was pretty good it cleared just about all of it so i thought, adn just last night i went to change my wallpaper and realised that it was still locked i searched around an found this handy little tool http://www.downloads.subratam.org/smitRem.exe
    i used this and it works great now im free of the bloody pest my system works fine now. fretti
     
  18. cook

    cook TS Rookie

    spysheriff super sticky

    First off I would like to thank you all for the provided tips. how ever I have tried every singel hint and tip and program that is on this entire page but still I reboot everything seems fine and after several minutes the bubbels reapear and my wallpaper changes back to the black image.
    I have cheked but their are no processes running mentioned on anny of the previous posts. I also cheked the software list and it is no longer in their either.
    I also tried to remove the files in the save mode and this did not change anything.
    Anny more suggestions to get rid of this pest without formating the entire PC?
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.


    Go HERE and follow the instructions.

    Please let us know if it helps.

    Regards Howard :wave: :wave:
     
  20. Tedster

    Tedster Techspot old timer..... Topic Starter Posts: 6,000   +15

    here is the link in case it disappears:


    These infections change your desktop to say an alert which acts as a goad to use the antispyware software it installs (SpySheriff).






    SpySheriff Image




    Tools Needed for this fix:

    * HijackThis
    * Killbox
    * Smitfraud.reg
    * Ewido Security Suite
    * Cleanup!




    Related Tutorials:

    * How to use HijackThis to remove Browser Hijackers & Spyware



    Symptoms in a HijackThis Log:

    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe



    Removal Instructions:Update: New automated procedure can be found here. Try that automated procedure first and fall back to this manual one if it fails.



    In order to remove this infection we will need to use HijackThis to manually remove the infection:

    1. Print out these instructions as we will need to shutdown every window that is open later in the fix.

    2. Download and install CleanUp! but do not run it yet.

    *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

    3. Download, install, and update Ewido Security Suite

    1. Install Ewido security suite

    2. Launch Ewido, there should be a big E icon on your desktop, double-click it.

    3. The program will prompt you to update click the OK button

    4. The program will now go to the main screen

    5. On the left hand side of the main screen click on Update

    6. Click on Start. The update will start and a progress bar will show the updates being installed.


    4. After the updates are installed, exit Ewido

    5. Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

    6. Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

    1. Click Options...

    2. Move the arrow down to Custom CleanUp!

    3. Put a check next to the following:

    * Empty Recycle Bins

    * Delete Cookies

    * Delete Prefetch files

    * Scan local drives for temporary files

    * Cleanup! All Users

    4. Click the OK button

    5. Press the CleanUp! button to start the program.

    7. After Cleanup! is finished start Ewido Security Suite

    1. Click on scanner

    2. Click on Complete System Scan.

    3. Let the program scan the machine

    4. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

    8. When the scan is complete, exit the program and reboot back to normal mode.

    9. Click on Start, then Control Panel, and double-click on the Add/Remove Programs icon.

    10. Uninstall the SpySheriff program and then exit Add/Remove Programs.

    11. Delete the following, in bold, if found:

    C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
    C:\Documents and Settings\user account\Application Data\Install.dat
    C:\Program Files\SpySheriff <-whole folder
    C:\Windows\Desktop.html
    C:\winstall.exe
    C:\Program Files\Daily Weather Forecast\

    *NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.
    12. Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to c:\hijackthis. We will use this program later.

    13. Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HijackThis and press the Scan button. Place a check next to the following items, if found, and click FIX CHECKED:


    O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

    14. Close HiJackThis.

    15. RIGHT-CLICK HERE and go to Save As (in IE it's Save Target As) in order to download the smitfraud reg to your desktop.

    16. Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

    17. After the merged successfully prompt, using Windows Explorer, navigate to the following folder:

    C:\Windows\Prefetch

    18. If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

    19. Reboot your computer.

    20. You should be able to change your desktop back to normal now.




    Your computer should now be free of the SpySheriff infection.
     
  21. cook

    cook TS Rookie

    Thank you verry much you smart fellers.
    I tried it, and now it has been been 2 days I seen anny of all the pop ups.
    So I am indeed verry gratefull to you people. Muchos gracias, thenk you verry much, dank u, wreed mercie, mercie beacoups. (or some spelling variations they need in the respective language)
    Anny way I know now where to find the computer wisses of the 22 century.
    I hope to ever be able to help you gys with annything else.
     
  22. tomahawk

    tomahawk TS Rookie

    spy sheriff

    i have the same problem but its with adware sheriff???

    is the procedure the same????????

    thanks tom d
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Please open a new thread in the security and the web forum, after following these instructions.

    Go and have your computer scanned HERE.

    Then, go and read both these threads by RBS. Follow all the instructions exactly.

    How to remove Trojans and its ilk! and How to remove Begin2search / coolwebsearch and other nasties.

    Then see. How to post your Hijackthis log-file as an ATTACHMENT.

    Only post a HJT log in your new thread, after doing the above.

    Regards Howard :wave: :wave:
     
  24. blackdahlia

    blackdahlia TS Rookie

    The instructions Tedster gave to remove spysheriff didn't include the links to download the tools needed nor did he include the spysheriff image that was mentioned in his post :suspiciou






     
  25. Tedster

    Tedster Techspot old timer..... Topic Starter Posts: 6,000   +15

    the original message in this thread doesn't have links!

    I don't have the time to post pictures.

    That's the price you pay for FREE help.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...