


How To Remove Spysherriff

Tedster
12-16-2005, 07:56 AM
Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.

Instead follow these steps:

1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
2. In the control panel go to "Add/ Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button
4. Look for this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
Also delete this branch in your registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
This file is scheduled to execute each time you boot and it will re-install Spysheriff.
Delete that file.
Update:

There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
6. Restart your system.
Done.

Eddy Rassy
12-28-2005, 06:11 AM
In addition to deleting the files mentioned by Tedster, which you can only delete in safe mode, spysherif will also hijack your web page with URL SECURE32.HTML. The only way to resolve this is by deleting this file in safe mode (it comes back if you try to delete otherwise) and also by removing this file from your registry.


Ruder
12-28-2005, 07:28 AM
It loads a large number of files in the temp dirs to hijack IE and reinstall itself.
It also creates various files in the prefetch (???.pf files) queues to reinstall itself on reboot.

Adaware should be able to remove / clean it.

Stop surfing crackz & serialz sites ... :)

Shadowrunner
12-31-2005, 03:50 AM
thank you for that desktop tip you sweet geek! lol

Nelanthrope
01-21-2006, 11:20 PM
A friend of mine got infected with this SpySheriff. I didn't know too much about it at the time. She was having a problem with her IE page being hijacked and her background changed. So rather than do any of the steps above I told her to run Ad-Aware and Spybot S+D. She deleted the spy and adaware it count and her computer was running fine. For about a day it was fine. But now something new is happening. Her internet is completely knocked out, as in, nothing that uses the internet is running. It happened hours later. I know some spyware reinstalls, but the fact that it's acting differently makes me wonder what could have happened and what's wrong now. Anything that the two spyware programs missed that should be removed? Any help would be appreciated.

Eddy Rassy
01-22-2006, 06:19 AM
Adaware and spybot will detect them and temporarily remove them, but will not clean the registry files forever.
You have to follow the steps outlined in previous posts. Make sure you remove the files: 1) ibm00002.dll 2) secure32.html from various folders in your PC and in your registry, and you have to do it after booting in SAFE mode. NOT IN NORMAL MODE

Tedster
01-22-2006, 10:37 AM
read the instructions posted.

Fenunn
01-30-2006, 04:05 PM
I think I got a virus on my computer, what would be the best thing to do to remove it? And there's lots of pop-ups.

Tedster
02-11-2006, 11:31 PM
I think I got a virus on my computer, what would be the best thing to do to remove it? And there's lots of pop-ups.
read the instructions posted. run your anti-virus and several different anti-trojan horse programs and post the results.
then ask your question.

Luvholic
02-13-2006, 02:18 AM
I have this spysherrif on my computer, I stopped it on my process, it wasn't on my add or remove programs to uninstall, but I got to c:/program files and it's in a folder I click uninstall but it doesn't do anything, I also went to the registry but I couldn't find any of the keys they said to delete.


Eddy Rassy
02-13-2006, 08:14 PM
It looks like you stopped it on time before getting into your registry and damaging your IE and freezing your desktop. If you did not find the files named: secure32.dll and ibm00002.dll in the registry, it means it did not do any damage. But if you are getting error messages naming spysherif as the cause, try to post these messages and any other issues and any file names it gives.
I still think you should boot the computer in safe mode, search and delete any reference files to the spysherif and uninstall it there.
Good Luck

faith_01
02-16-2006, 02:01 PM
I have a question, I had spysheriff on my computer but I think I got rid of it. However now I have this pop up and other stuff going on. My background is black and a maroon box in the middle saying Warning! my comp. is infected with spyware...etc... On the bottom right hand side there are two icons that are similar yet different. One is a circle and one is a triangle and they both have a "!" in the middle. Ex. /!\ (!) When I click on the pop up which says to get something to get rid of spyware it takes me to adware sheriff. Is it spysheriff taking on a different name or something completely different? I did my homework however I can't seem to find much about adware sheriff.

Eddy Rassy
02-16-2006, 03:17 PM
Try this first:
Do a wild card search on sheriff, that is *sheriff* and delete every file that you see sheriff in it.
Search for a file called: SECURE32.DLL and delete it from everywhere including your registry (while in safe mode) this is the one that changes and locks your desktop background and creates the maroon window.
Search for the file winstall.exe and delete it.
It sounds like the old spysheriff got another name for itself like you said.
Good Luck

vidall
02-21-2006, 11:12 AM
Hello!
I’ve been using a soft, which could be of some help to you. Although I'm not 100% sure. I like it for its speed and for the fact that it doesn’t overload the computer. Why don’t you try it? Link in my signature
_____________________
http://killspy.net

howard_hopkinso
02-21-2006, 11:22 AM
Before recommending Killspy. Take a look HERE. (http://www.spywarewarrior.com/rogue_anti-spyware.htm) and HERE. (http://www.2-spyware.com/review-killspy.net.html)

Doesn't look quite as good as you think.

Regards Howard :)

vidall
02-21-2006, 11:36 AM
Thank you very much!
But yesterday I bought this soft :zzz:
oh my money!

fretti2003
02-21-2006, 11:38 AM
Hi people, I got the spy sherrif thingy, all it really is is a fake virus so I'm told. Anyways, I got it a few months back and was trying for days to free my system of it, wow how frustrating was that. I looked around on different forums and the things I tried didn't seem to work till I downloaded spy doctor, that program was pretty good, it cleared just about all of it, so I thought, and just last night I went to change my wallpaper and realised that it was still locked. I searched around and found this handy little tool http://www.downloads.subratam.org/smitRem.exe
I used this and it works great, now I'm free of the bloody pest, my system works fine now. fretti

cook
02-27-2006, 06:32 AM
First off I would like to thank you all for the provided tips. However, I have tried every single hint and tip and program that is on this entire page, but still, I reboot, everything seems fine, and after several minutes the bubbles reappear and my wallpaper changes back to the black image.
I have checked but there are no processes running mentioned in any of the previous posts. I also checked the software list and it is no longer in there either.
I also tried to remove the files in safe mode and this did not change anything.
Any more suggestions to get rid of this pest without formatting the entire PC?

howard_hopkinso
02-27-2006, 06:40 AM
Hello and welcome to Techspot.


First off I would like to thank you all for the provided tips. However, I have tried every single hint and tip and program that is on this entire page, but still, I reboot, everything seems fine, and after several minutes the bubbles reappear and my wallpaper changes back to the black image.
I have checked but there are no processes running mentioned in any of the previous posts. I also checked the software list and it is no longer in there either.
I also tried to remove the files in safe mode and this did not change anything.
Any more suggestions to get rid of this pest without formatting the entire PC?

Go HERE (http://www.bleepingcomputer.com/forums/topic22402.html) and follow the instructions.

Please let us know if it helps.

Regards Howard :wave: :wave:

Tedster
03-03-2006, 06:02 PM
here is the link in case it disappears:


These infections change your desktop to say an alert which acts as a goad to use the antispyware software it installs (SpySheriff).

SpySheriff Image

Tools Needed for this fix:

* HijackThis
* Killbox
* Smitfraud.reg
* Ewido Security Suite
* Cleanup!




Related Tutorials:

* How to use HijackThis to remove Browser Hijackers & Spyware



Symptoms in a HijackThis Log:

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe



Removal Instructions:

Update: New automated procedure can be found here. Try that automated procedure first and fall back to this manual one if it fails.



In order to remove this infection we will need to use HijackThis to manually remove the infection:

1. Print out these instructions as we will need to shutdown every window that is open later in the fix.

2. Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

3. Download, install, and update Ewido Security Suite

   1. Install Ewido security suite

   2. Launch Ewido, there should be a big E icon on your desktop, double-click it.

   3. The program will prompt you to update click the OK button

   4. The program will now go to the main screen

   5. On the left hand side of the main screen click on Update

   6. Click on Start. The update will start and a progress bar will show the updates being installed.


4. After the updates are installed, exit Ewido

5. Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

6. Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

   1. Click Options...

   2. Move the arrow down to Custom CleanUp!

   3. Put a check next to the following:

      * Empty Recycle Bins

      * Delete Cookies

      * Delete Prefetch files

      * Scan local drives for temporary files

      * Cleanup! All Users

   4. Click the OK button

   5. Press the CleanUp! button to start the program.

7. After Cleanup! is finished start Ewido Security Suite

   1. Click on scanner

   2. Click on Complete System Scan.

   3. Let the program scan the machine

   4. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

8. When the scan is complete, exit the program and reboot back to normal mode.

9. Click on Start, then Control Panel, and double-click on the Add/Remove Programs icon.

10. Uninstall the SpySheriff program and then exit Add/Remove Programs.

11. Delete the following, in bold, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe
C:\Program Files\Daily Weather Forecast\

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

12. Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to c:\hijackthis. We will use this program later.

13. Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HijackThis and press the Scan button. Place a check next to the following items, if found, and click FIX CHECKED:


O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

14. Close HiJackThis.

15. RIGHT-CLICK HERE and go to Save As (in IE it's Save Target As) in order to download the smitfraud reg to your desktop.

16. Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

17. After the merged successfully prompt, using Windows Explorer, navigate to the following folder:

C:\Windows\Prefetch

18. If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

19. Reboot your computer.

20. You should be able to change your desktop back to normal now.




Your computer should now be free of the SpySheriff infection.
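
Added example, not part of the original posts or of the guide pasted above: a Python sketch that triages the O4 (autostart) lines of a HijackThis log against the three entries the guide lists. The sample log, the `/s` argument, the `ExampleTray` and `updater` entries, and the drive-root "review" heuristic are constructed assumptions for illustration.

```python
"""Triage HijackThis O4 (autostart) lines against the entries listed in this thread."""
import re
from typing import List, NamedTuple, Optional, Tuple


class RunEntry(NamedTuple):
    hive: str     # HKLM or HKCU
    key: str      # Run, RunOnce, ...
    name: str     # value name shown in [brackets]
    command: str  # command line started at logon


# Registry form of an O4 line:  O4 - HKCU\..\Run: [Name] C:\path\program.exe
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")

# Commands quoted in the guide's "Symptoms in a HijackThis Log" list (lower-cased).
KNOWN_COMMANDS = (
    r"c:\program files\spysheriff\spysheriff.exe",
    r"c:\winstall.exe",
    r"c:\program files\daily weather forecast\weather.exe",
)

# Assumption, not from the thread: an .exe launched straight from a drive root
# (as C:\winstall.exe is) deserves a manual look even under another name.
ROOT_EXE_RE = re.compile(r"[a-z]:\\[^\\]+?\.exe(?:\s|$)")


def parse_o4(line: str) -> Optional[RunEntry]:
    """Return the parsed entry, or None for non-O4 and non-registry O4 lines."""
    m = O4_RE.match(line.strip())
    return RunEntry(*m.groups()) if m else None


def normalize(command: str) -> str:
    """Drop quoting and case so quoted or upper-case variants still compare equal."""
    return command.replace('"', "").strip().lower()


def classify(entry: RunEntry) -> str:
    cmd = normalize(entry.command)
    # Exact path, or the path followed by arguments.
    if any(cmd == k or cmd.startswith(k + " ") for k in KNOWN_COMMANDS):
        return "listed"
    if ROOT_EXE_RE.match(cmd):
        return "review"
    return "ok"


def triage(log_text: str) -> List[Tuple[str, RunEntry]]:
    """Return (verdict, entry) for every autostart entry that is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            verdict = classify(entry)
            if verdict != "ok":
                hits.append((verdict, entry))
    return hits


# Constructed sample log: the three O4 lines from the guide (one re-quoted with
# an argument) mixed with made-up benign and unknown entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] "C:\WINSTALL.EXE" /s
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\RunOnce: [updater] D:\setup1.exe
O4 - Global Startup: Example Helper.lnk = C:\Program Files\Example\helper.exe
"""

if __name__ == "__main__":
    for verdict, entry in triage(SAMPLE_LOG):
        print(f"{verdict:7} {entry.hive}\\{entry.key} [{entry.name}] {entry.command}")
```

A "listed" verdict means the line matches one the guide tells you to check in HijackThis; "review" only means the entry deserves a manual look before anything is fixed.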

cook
03-07-2006, 03:57 PM
Thank you very much you smart fellers.
I tried it, and now it has been 2 days I seen any of all the pop ups.
So I am indeed very grateful to you people. Muchos gracias, thenk you verry much, dank u, wreed mercie, mercie beacoups. (or some spelling variations they need in the respective language)
Anyway I know now where to find the computer whizzes of the 22 century.
I hope to ever be able to help you guys with anything else.

tomahawk
03-07-2006, 05:24 PM
i have the same problem but it's with adware sheriff???

is the procedure the same????????

thanks tom d

howard_hopkinso
03-08-2006, 03:32 AM
Hello and welcome to Techspot.

i have the same problem but it's with adware sheriff???

is the procedure the same????????

thanks tom d

Please open a new thread in the security and the web forum, after following these instructions.

Go and have your computer scanned HERE. (http://uk.trendmicro-europe.com/consumer/housecall/housecall_launch.php)

Then, go and read both these threads by RBS. Follow all the instructions exactly.

How to remove Trojans and its ilk! (www.techspot.com/vb/topic30213.html) and How to remove Begin2search / coolwebsearch and other nasties. (www.techspot.com/vb/topic17297.html)

Then see. How to post your Hijackthis log-file as an ATTACHMENT. (www.techspot.com/vb/topic19133.html)

Only post a HJT log in your new thread, after doing the above.

Regards Howard :wave: :wave:

blackdahlia
03-08-2006, 03:26 PM
The instructions Tedster gave to remove spysheriff didn't include the links to download the tools needed nor did he include the spysheriff image that was mentioned in his post :suspiciou







Tedster
03-09-2006, 09:46 AM
the original message in this thread doesn't have links!

I don't have the time to post pictures.

That's the price you pay for FREE help.

stellar
03-10-2006, 10:16 PM
Thanks to this thread and forum for helping me with this issue. I managed to remove the spysheriff virus without having to call my brother or ex-boyfriend!

I followed the instructions here and on spyany.com and compiled them. These were my steps

1. Reboot the computer to Safe Mode (Press F8 when Windows start)
2. Delete the following files (before doing this make sure you can see hidden files and folders):

C:\Windows\Desktop.html
C:\Winstall.exe

3. Delete the folder 'C:\Program Files\SpySherrif\' and all the contents within it.
4. Click Start > Run, type 'regedit' to open the Registry Editor.
5. Navigate to and delete the following registry subkey (if exist):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
-here I deleted 1 value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
-here I deleted 6 values
Exit Registry Editor.

6. Search for and delete the following files
Ibm00001.exe – I didn’t have this one
Ibm00002.dll
Secure32.html
All files containing sheriff

7. Delete the following, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe
C:\Program Files\Daily Weather Forecast\

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.

7. Go to Start > Run, type %temp% to open the %temp% folder. Delete all the files with the %temp% folder.

8. Reboot the computer.

After all this, the virus seemed to be gone, but I could not run my xp firewall. I got an error that said “Windows cannot display windows firewall settings” when I tried to open the firewall in my control panel.

My fix for that was easy once I found this link http://windowsxp.mvps.org/sharedaccess.htm

BUT you must use IE. Mozilla won’t display the download properly.

And now everything works great!

Thanks again!

m0nty
03-29-2006, 09:06 PM
this spysherriff caused me loads of grief this last couple days.. i knew it was spyware instantly when it told me in the alert box that spysheriff had detected a trojan.. well i knew for a fact that i had never installed spysheriff.. i know what anti-spyware soft i had installed.. but hell it takes some getting rid of..

i might add that it also allowed other spyware thru that my av, and firewall didn't detect because for some reason it had disabled the firewall and av..

i spent 14hrs in dos mode killing everything and removing locked files.. and scanning and rescanning with different av software..

i've had to install a different firewall, as it has rendered windows sp2 firewall useless.. it keeps saying unable to start firewall due to unknown problem.. winsockfix failed to solve it.. so i'm using kerio now..

now i have to repair my network somehow, as the attack somehow screwed that up and none of my home computers can connect except for limited accessibility. damn i hate malware.. (if the software i use mainly was available on linux, i wouldn't touch microsoft ever again)

CrossFire851
03-29-2006, 10:27 PM
Simple and easy (I haven't read this one, only the title, sry but i need my nappy)

System Restore the computer to time it did not have SPyWare Sherif

m0nty
03-29-2006, 11:37 PM
i don't use system restore, i think really it's a waste of space because malware and viruses also copy themselves to the restore folders.. so even restoring to previous time will not get rid of them because they'll just re infect from their stealthy installers that were copied to the restore section..

which is why when running virus checks and stuff you should disable system restore because windows actually prevents the av software from modifying the protected restore files ;) hence any viruses in the restore section can't be cleaned or killed..

howard_hopkinso
03-29-2006, 11:41 PM
which is why when running virus checks and stuff you should disable system restore because windows actually prevents the av software from modifying the protected restore files hence any viruses in the restore section can't be cleaned or killed..

Absolutely spot on m0nty.

Regards Howard :)

cook
03-30-2006, 01:24 PM
To the wizards of the Computerworld.
Once again congratulations on the fine instruction in removing all the commercial malarkey from the poor PC amoebas like myself.
However, I have another question relating to the SpySheriff problem.
I got all the stuff off and the PC has been running fine up to now.
However, now that everything is removed I am still not able to turn on the Windows firewall. I checked the win site and the help in the PC but no real help here.
I also followed the instructions provided by Windows to go through the config screen but also no go.
Do any of you have any advice? Or is it just best to leave it off and work with a free firewall? (currently using ZoneAlarm)
Thanks in advance for the enlightenment.

m0nty
03-30-2006, 01:32 PM
stellar posted:

After all this, the virus seemed to be gone, but I could not run my xp firewall. I got an error that said “Windows cannot display windows firewall settings” when I tried to open the firewall in my control panel.

My fix for that was easy once I found this link http://windowsxp.mvps.org/sharedaccess.htm

BUT you must use IE. Mozilla won’t display the download properly.


the above fixes the windows firewall.

ideally you should actually fix it, as a broken file may give problems later on elsewhere..

but disable windows built in firewall if you are using any other firewall product, there's no reason to use 2, and they could conflict with each other at some point.
