Originally Posted by tomahawk

i have the same problem but its with adware sheriff???

is the procedure the same????????

thanks tom d

Originally Posted by Tedster

here is the link in case it disappears:



These infections change your desktop to say an alert which acts as a goad to use the antispyware software it installs (SpySheriff).






SpySheriff Image




Tools Needed for this fix:

* HijackThis
* Killbox
* Smitfraud.reg
* Ewido Security Suite
* Cleanup!




Related Tutorials:

* How to use HijackThis to remove Browser Hijackers & Spyware



Symptoms in a HijackThis Log:

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe



Removal Instructions:Update: New automated procedure can be found here. Try that automated procedure first and fall back to this manual one if it fails.



In order to remove this infection we will need to use HijackThis to manually remove the infection:

1. Print out these instructions as we will need to shutdown every window that is open later in the fix.

2. Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

3. Download, install, and update Ewido Security Suite

1. Install Ewido security suite

2. Launch Ewido, there should be a big E icon on your desktop, double-click it.

3. The program will prompt you to update click the OK button

4. The program will now go to the main screen

5. On the left hand side of the main screen click on Update

6. Click on Start. The update will start and a progress bar will show the updates being installed.


4. After the updates are installed, exit Ewido

5. Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

6. Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

1. Click Options...

2. Move the arrow down to Custom CleanUp!

3. Put a check next to the following:

* Empty Recycle Bins

* Delete Cookies

* Delete Prefetch files

* Scan local drives for temporary files

* Cleanup! All Users

4. Click the OK button

5. Press the CleanUp! button to start the program.

7. After Cleanup! is finished start Ewido Security Suite

1. Click on scanner

2. Click on Complete System Scan.

3. Let the program scan the machine

4. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

8. When the scan is complete, exit the program and reboot back to normal mode.

9. Click on Start, then Control Panel, and double-click on the Add/Remove Programs icon.

10. Uninstall the SpySheriff program and then exit Add/Remove Programs.

11. Delete the following, in bold, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe
C:\Program Files\Daily Weather Forecast\

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.
12. Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to c:\hijackthis. We will use this program later.

13. Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HijackThis and press the Scan button. Place a check next to the following items, if found, and click FIX CHECKED:


O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

14. Close HiJackThis.

15. RIGHT-CLICK HERE and go to Save As (in IE it's Save Target As) in order to download the smitfraud reg to your desktop.

16. Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

17. After the merged successfully prompt, using Windows Explorer, navigate to the following folder:

C:\Windows\Prefetch

18. If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

19. Reboot your computer.

20. You should be able to change your desktop back to normal now.




Your computer should now be free of the SpySheriff infection.

Originally Posted by m0nty

which is why when running virus checks and stuff you should disable system restore because windows actually prevents the av software from modifying the protected restore files hence any viruses in the restore section can't be cleaned or killed..