
Spysheriff blocks my desktop background - how to remove Spysheriff

 


Question:

This morning I came to my computer and found an application named Spysheriff running. It supposedly had found a dozen problems on my computer and demanded a purchase in order to remove them.
It also had changed my desktop background image so that it looked like an error message (see the screenshot):

[screenshot of Spysheriff]


It tries to tell me that my computer is in really bad shape and I am in danger unless I pay them.

I tried to remove that desktop background image using the control panel but it is disabled! What can I do?

Answer:

Spysheriff is malware and should not be used to clean a PC of spyware, adware or malware. It is pretty bad: for example, if you try to use System Restore you will find that Spysheriff has erased your restore points, so that won't work.
SpySheriff does come with an uninstall program which removes SpySheriff, but it will not undo all the other damage your computer has suffered.


Instead follow these steps:
  1. Open Task Manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe), kill that one as well.
  2. In the control panel go to "Add/ Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
  3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
    If your registry editor does not work, read this document "I cannot open the registry editor".
  4. Look for this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
    Also delete this branch in your registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
    This file is scheduled to execute each time you boot and it will re-install Spysheriff.
    Delete that file.
    Update:
    As MG from Ottawa comments below, there may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
  6. Restart your system.
    Done.

Update:

Some people asked about the company that makes SpySheriff. This is their London address:

Company:         SpySheriff Development Team
Street address:  Tooley 73a 
City:            London 
Zip:             EC1Y 1BL 
Country:         United Kingdom
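
The removal steps in the answer above, collected into one PowerShell script as an added example (not part of the original article or its comments). It assumes PowerShell 3 or later and a reg.exe that accepts /y; the -Apply switch and the backup folder name are hypothetical choices of this example, and without -Apply the script only reports what it finds.

```powershell
# Added example, not from the original article. Read-only unless run with -Apply.
param([switch]$Apply)

# The two HKCU policy branches named in step 4.
$policyKeys = 'ActiveDesktop', 'System' | ForEach-Object {
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\$_"
}
# Process and file names from steps 1 and 5, spelled as in the article's update.
$names = 'winstall', 'ibm00001'
# Assumption: any writable folder will do for the registry backups.
$backupDir = Join-Path $env:TEMP 'policy-backup'

# Step 1: report matching processes; stop them only with -Apply.
Get-Process -Name $names -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Output "Running: $($_.Name) (PID $($_.Id)) $($_.Path)"
    if ($Apply) { Stop-Process -Id $_.Id -Force }
}

# Step 4: list every value under each policy key, export a .reg backup, then delete.
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { Write-Output "Absent: $key"; continue }
    $item = Get-Item $key
    foreach ($v in $item.GetValueNames()) {
        Write-Output ("{0}\{1} = {2}" -f $key, $v, $item.GetValue($v))
    }
    if ($Apply) {
        New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
        $native = $key -replace '^HKCU:', 'HKCU'   # reg.exe wants HKCU\..., not HKCU:\...
        $backup = Join-Path $backupDir "$(Split-Path $key -Leaf).reg"
        reg.exe export $native $backup /y | Out-Null
        Remove-Item -Path $key -Recurse
    }
}

# Step 5: look for the named executables in the root of the system drive.
foreach ($n in $names) {
    $file = Join-Path "$env:SystemDrive\" "$n.exe"
    if (Test-Path -LiteralPath $file) {
        $f = Get-Item -LiteralPath $file -Force   # -Force also returns hidden files
        Write-Output "Found: $($f.FullName) $($f.Length) bytes, created $($f.CreationTime)"
        if ($Apply) { Remove-Item -LiteralPath $file -Force }
    }
}
```

The listed policy values and the file size and creation time are worth noting before anything is deleted, and the exported .reg files allow the two branches to be restored.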




Comments:

You are on page 48 of 51, other pages: 1 2 3 45 46 47 [48] 49 50 51
2006-11-24, 18:07:18
Sarah from Bahamas  
Thanks for the information about the delete&ctrl&alt
I don't think I have spysheriff
But I certainly have winstall!
I ended the process
& put winstall in my recycle bin & delete!
But these pops that say 'form 1' sometimes in blue I think keep popping up then closing quickly....
Please help :S
2006-11-29, 15:07:52
anonymous from United States  
Hahahahaha great! Thank you, I have had winstall on my computer since my friend clicked on a link, from using Windows Messenger. I had deleted many other files that had randomly appeared on my computer after clicking this link but I could not delete 'winstall'. Now that I had found this site I was able to delete it
2006-11-30, 10:05:11
anonymous from United States  
The address for Spysheriff in London is a fake. The postcode (zipcode) EC1Y 1BL does not exist. (Enter it into www.streetmap.co.uk to check)
2006-12-25, 19:21:12
anonymous from Thailand  
Thanks a lot this really helped
2006-12-26, 23:09:02
[hidden] from Mexico  
I'm really desperate... I have no idea whatsoever how I got this problem... Nor how to fix it as soon as possible and without any implications, because it's my friend's PC and I don't think it would be such a great gift for her when she's gonna be back from her vacation.

Anyways, the thing is that the only file I could find on my PC, related to this problem, was system32, created today... I deleted it, but the only problem that persists is that the default home page when I start IE is the same, but as the file is deleted, there's a small window popping up, saying that there was no such file found. The rest is 'normal', but I would still love to know how I can get rid of it.

Thank you very much!!!

Diana
2006-12-28, 06:02:51
Morgan from Australia  
yew i rule... i was wondering if anyone would find this solution and yer, im glad that ppl with the problem got it fixed...

if u want help with anything ill try to help, email me at morgaen.l@gmail.com
2006-12-28, 14:12:32
anonymous from United Kingdom  
Diana
I had the same problem as you and I solved it in the following way. Run Regedit, then click the following: hkey_current_user, then click on software. Once you are here you should see the spysheriff folder by scrolling down; you should delete all of its contents and the actual folder. Once this is done you can change your homepage back to whatever homepage you had before. If you cannot see pictures, click on tools, options, advanced, then make sure the box show pictures is ticked. I hope this helps you.
2007-01-01, 07:31:24
[hidden] from Sweden  
Hi! Now I really need your help, and please, I'm SO SO not good at this computer thing... I've got a start site with the blue warning thing and it's so irritating! Want to get rid of it but I really cannot... There is no 'winstall' thing to delete, neither any Spysheriff to find... anywhere....!!? Now I have some problems understanding the forms and stuff in English... I don't know where you mean I should look!!... I understand Swedish though.. Can anyone help me please?? thanx a lot!
2007-01-03, 23:35:33
anonymous from United States  
It worked, it fixed my desktop background.
Thanks
2007-01-04, 06:54:23
anonymous from Mexico  
Thanks for the help, 'anonymous' :D As soon as I do it I'll let you know if it worked or not :)
Diana
2007-01-04, 07:33:07
Diana from Mexico  
'Anonymous', I did as you said but there is no such 'spysheriff' folder there... The only thing that might be strange (or not...), is that in the Microsoft > Windows > Current Version > Policies > Explorer folder there are 2 archives: one has a little white icon with a red 'a' letter, which says 'by default' (REG_SZ); and another one, with a blue binary (I think) symbol or something (REG_DWORD). I think that I might have changed its original name when I tried to do something around... so now it's simply 'c' :D
I'm completely lost...
And as if that wasn't enough, there's another tricky virus, or a trojan, which is a dialer... something that has in its name win/bn/32... I don't know what to do with it either... The only solution I found to this one was to change the date on the computer, which helps me that this thing does not attempt connection each 15 minutes, driving the 'Avast' antivirus crazy...
So what should I do now???? I'm quite scared, desperate...
Thanks a lot to anyone who can help me with these two little bastards running around this PC...
Thanks again, British 'anonymous' :)
2007-01-07, 19:22:02
anonymous from United States  
Thank you so much. This thing has been such a pain in my mainframe.
2007-01-12, 05:31:25
anonymous from Vietnam  
Thanks a ton! I wanted to break my computer because of this @#(*%#$*& thing!
2007-01-16, 02:21:18
anonymous from United States  
wow I'm feeling fucked right now. I seem to have the more apparently modern version of spysheriff cause none of those things were in my registry and there was no program called wininstall.exe either....... it's showing up in my remove programs which I did... but it's still showing as a red x in my system tray. it says 'you computer is infected' luckily I don't give a fuck about this laptop but I'd sure like to get rid of this shit without a reinstall.
2007-01-16, 14:39:04
robertheslop@verizon.net from Graham in North Carolina, United States  
Whew! I just got rid of the ill effects of Spysheriff. When it first appeared, I was able to remove it from my computer but it left my wallpaper background blue and it could not be changed. I edited my registry and deleted the entries under: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
and under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\System
I did not find either the winstall.exe or the ibm00001.exe files. Even before I restarted my computer my wallpaper was back to its original state. I want to thank you for your suggestions. It worked!
