
Spysheriff blocks my desktop background - how to remove Spysheriff

 

766 comments. Current rating: 5 stars (299 votes).

Question:

This morning I came to my computer and found an application named Spysheriff running. It supposedly had found a dozen problems on my computer and demanded a purchase in order to remove them.
It also had changed my desktop background image so that it looked like an error message (see the screenshot):

[Screenshot of SpySheriff]


It tries to tell me that my computer is in really bad shape and I am in danger unless I pay them.

I tried to remove that desktop background image using the control panel but it is disabled! What can I do?

Answer:

Spysheriff is malware and should not be used to clean a PC of spyware, adware or malware. It's pretty bad: for example, if you try to use System Restore, you will find that Spysheriff has erased your restore points, so that won't work.
SpySheriff does come with an uninstall program which removes SpySheriff, but it will not undo all the other damage your computer has suffered.


Instead follow these steps:
  1. Open Task Manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe), kill that one as well.
  2. In the control panel, go to "Add/Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
  3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
    If your registry editor does not work, read this document "I cannot open the registry editor".
  4. Look for this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
    Also delete this branch in your registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
    This file is scheduled to execute each time you boot and it will re-install Spysheriff.
    Delete that file.
    Update:
    As MG from Ottawa comments below, there may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
  6. Restart your system.
    Done.

Update:

Some people asked about the company that makes SpySheriff. This is their London address:

Company:         SpySheriff Development Team
Street address:  Tooley 73a 
City:            London 
Zip:             EC1Y 1BL 
Country:         United Kingdom
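
A read-only check for the leftovers named in removal steps 1, 4 and 5 above, as an added PowerShell example that is not part of the original article. The helper name `Get-RegistryValue`, the autostart locations it searches and the five-minute creation-time window are assumptions; the article does not say where winstall.exe is registered to run at boot.

```powershell
# Added example: read-only audit of the leftovers named in the removal steps.
# It deletes nothing; review the output, then clean up by hand as described.
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$dropperNames = 'winstall.exe', 'ibm00001.exe'      # file names given in the article
# Assumption: common autostart locations; the article does not name the one used.
$autostartKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegistryValue([string]$Path) {
    # Emit one object per value stored directly under the key, or nothing if absent.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $Path; Name = $name; Value = $key.GetValue($name) }
    }
}

# Step 1: processes still running (the SpySheriff process name is matched loosely).
$procs = Get-Process -Name 'winstall', '*spysheriff*' -ErrorAction SilentlyContinue
# Step 4: values under the two Policies branches the article says to delete.
$policyValues = $policyKeys | ForEach-Object { Get-RegistryValue $_ }
# Step 5: named files in the root of every file-system drive.
$files = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $dropperNames) {
        $path = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $path) { Get-Item -LiteralPath $path -Force }
    }
}
# Step 5 update: other .exe files in the same root created within 5 minutes
# (the window is an assumption) of a file found above.
$siblings = foreach ($f in $files) {
    Get-ChildItem -LiteralPath $f.DirectoryName -Filter '*.exe' -File -Force |
        Where-Object { $_.FullName -ne $f.FullName -and
            [math]::Abs(($_.CreationTime - $f.CreationTime).TotalMinutes) -le 5 }
}
# Autostart values whose data mentions one of the file names (without extension).
$pattern = ($dropperNames | ForEach-Object {
    [regex]::Escape([IO.Path]::GetFileNameWithoutExtension($_)) }) -join '|'
$autostart = $autostartKeys | ForEach-Object { Get-RegistryValue $_ } |
    Where-Object { [string]$_.Value -match $pattern }

# Print each group; an empty section means nothing was found.
'Processes:';        $procs | Format-Table Id, ProcessName, Path -AutoSize | Out-String
'Policy values:';    $policyValues | Format-Table -AutoSize | Out-String
'Files:';            @($files) + @($siblings) | Sort-Object FullName -Unique |
                         Format-Table FullName, Length, CreationTime -AutoSize | Out-String
'Autostart values:'; $autostart | Format-Table -AutoSize | Out-String
```

Running it again after the restart in step 6 shows whether any of the files or registry values have come back.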





Comments:

You are on page 2 of 52.
2005-11-20, 19:30:39
anonymous from United States  
Brian knows where it's at! If you can't delete the file after the registry modifications, then you have to rename the file (just right click and hit rename), reboot, and then delete the renamed file.
2005-11-20, 21:02:34
jazzie142 from United States  
You saved my hide as well. Thank you so much.
2005-11-20, 21:16:18
jazzie142 from United States  
I just rebooted my system; now everything on the desktop is highlighted in blue. Any advice? Thanks
2005-11-21, 02:58:46
tina from Malaysia  
thanks a lot
my pc went crazy
2005-11-21, 03:44:06
lydia from Netherlands  
same problem here, but it keeps on coming back...

What I've done:
Ran Regedit, removed 'winstall.exe' and 'ibm00001', removed 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' and 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System' too.
I also ran msconfig, and unchecked 'ibm00001.exe' and some other suspected files.
Rebooted.

The msconfig helped me to get rid of the 3 crosses that say the pc is infected.

But... every time I reboot the pc, the files winstall.exe and the file secure.html are back... :'(
I still have secure.html coming up as homepage when I start up the explorer... And I keep getting very annoying popups in mozilla firefox...

What did I do wrong???

Please help me, I'm going mad... just like my pc...



2005-11-21, 04:20:27
Elaine from Malaysia  
When I press Ctrl-Alt-Del, it says 'task manager has been disabled by your administrator'

What should I do ?!
2005-11-21, 05:11:59
tina from Malaysia  
I'm having the same problem as lydia
what shall i do? plz help..the rest worked..but stupid pop-ups keep coming and whenever i open up a page..it keeps going to some other advertisement page..plz helppppppp
also my pc is saying your computer is infected again and again even though i scanned it already
and the file secure82 and winstall is still on my c:// even though i deleted it..plz help me..I'm also going maddddd
2005-11-21, 08:06:09
pimjong_cool@hotmail.com from Netherlands  
Thank you very, very much!
I have SpySweeper, and used it to delete SpySheriff.
It deleted SpySheriff, but I had to delete the registry items myself, because they AREN'T SpySheriff keys, but they ARE keys made by SpySheriff. It is really stupid.
But thanks, really, it worked for me!
2005-11-21, 12:57:54
Lydia from Netherlands  
Ok, by renaming the files winstall and ibm00001 and then removing those I solved that part of the problem. The files are not coming back :) (Maybe that'll work for you too, Tina?)

But... I ran Antivir, Ad-aware and Spybot, and still the pop-ups and the advertisement page keep on coming... :(

What to do?

2005-11-21, 15:31:43
Vinh from United States  
If you search for ibm0000 in the registry, if it comes up Shell > explorer.exe, there is MORE information than that. If you go and modify it, highlight the whole string. The rest of it should say ......ibm.exe.
2005-11-21, 15:50:37
m4d from Croatia/Hrvatska  
thank you.. finally.. -.-
2005-11-21, 17:45:36
Richard from United States  
yes, finally it's gone. Thanks for the advice, worked wonders. Just a minor problem though: when I load up my PC, My Computer opens. Any suggestions how to stop this happening?
2005-11-21, 22:20:36
sandranu@comcast.net from United States  
Hello all...love this Spy Sheriff NOT! I'm still getting the 'Privacy Violation in Progress' when opening Internet Explorer. What to do? I've done everything else and it seems to have worked except for opening Internet Explorer. Hmmmm
2005-11-22, 00:12:31
anonymous from United States  
still getting the taskbar at the top that says 'warning your computer is infected press here for help'... I did everything else to remove it.. any ideas?
2005-11-22, 08:46:38
M@kyzd from Croatia/Hrvatska  
You are the best, man!!!!