
Spysheriff blocks my desktop background - how to remove Spysheriff

 

766 comments. Current rating: 5 stars (299 votes).

Question:

This morning I came to my computer and found an application named Spysheriff running. It supposedly had found a dozen problems on my computer and demanded a purchase in order to remove them.
It also had changed my desktop background image so that it looked like an error message (see the screenshot):

screenshot of spysheriff


It tries to tell me that my computer is in really bad shape and I am in danger unless I pay them.

I tried to remove that desktop background image using the control panel but it is disabled! What can I do?

Answer:

Spysheriff is malware and should not be used to clean a PC of spyware, adware or malware. It is destructive: for example, if you try to use System Restore you will find that Spysheriff has erased your restore points, so that will not work.
SpySheriff does come with an uninstall program which removes SpySheriff, but it will not undo all the other damage your computer has suffered.


Instead follow these steps:
  1. Open Task Manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe), end that one as well.
  2. In the Control Panel go to "Add/Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then it is still running. It will uninstall once it is no longer running.
  3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
    If your registry editor does not work, read this document "I cannot open the registry editor".
  4. Look for this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
    Also delete this branch in your registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 bytes in size.
    This file is scheduled to execute each time you boot and it will re-install Spysheriff.
    Delete that file.
    Update:
    As MG from Ottawa comments below, there may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
  6. Restart your system.
    Done.

Update:

Some people asked about the company that makes SpySheriff. This is their London address:

Company:         SpySheriff Development Team
Street address:  Tooley 73a 
City:            London 
Zip:             EC1Y 1BL 
Country:         United Kingdom
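
The checks in steps 1, 4 and 5 above can be collected into one read-only PowerShell audit that lists what is still present. This is an added example, not part of the original FAQ; it assumes PowerShell is available, that the root directory is the system drive, and that the boot-time launch uses a Run key, none of which the article states.

```powershell
# Added example: read-only audit for the SpySheriff leftovers named in the steps above.
$findings = @()

# Step 1: processes the article says to kill.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ('spysheriff', 'winstall' -contains $proc.ProcessName.ToLower()) {
        $findings += "Process running: $($proc.ProcessName) (PID $($proc.Id))"
    }
}

# Step 4: policy branches the article says to delete. List each value first so
# it is clear which restrictions are set before the branch is removed.
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $findings += "Policy value: ${key}\${name} = $($item.GetValue($name))"
    }
}

# Step 5: files in the root directory (assumed here to be the system drive).
# The article spells the second name both ibm0001.exe and ibm00001.exe.
$root = $env:SystemDrive + '\'
foreach ($file in 'winstall.exe', 'ibm0001.exe', 'ibm00001.exe') {
    $path = Join-Path $root $file
    if (Test-Path -LiteralPath $path) {
        $info = Get-Item -LiteralPath $path -Force
        $findings += "File: $path ($($info.Length) bytes, created $($info.CreationTime))"
    }
}

# Assumption (not stated in the article): the boot-time launch uses a Run key.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if ($command -match 'winstall|ibm0+1\.exe|spysheriff') {
            $findings += "Startup entry: ${key}\${name} -> $command"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the article were found.' }
else { $findings }
```

Run it before the cleanup and again after the restart in step 6; an empty result the second time means none of the items the article names remain.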





Comments:

You are on page 5 of 52, other pages: 1 2 3 4 [5] 6 7 8 49 50 51 52
2005-12-01, 05:09:19
roval from Denmark  
I followed the recommended 6 steps, it works!!!
I have used at the same time a file list at the homepage: spywaredb.com/remove-spy-sheriff

thanks a lot !
2005-12-01, 17:58:29
mrkayy from United Kingdom  
yo nice 1 came home from uni 2 find my computer all fuckd up turned out it was a zonealarm process useing all my memory n pushin my cpu 2 the max got round this problem afta coupla hours then got the message that i had spyware from spysherif, was kinda confused wher the hel it came from thought it was from new firewall i installed called outpost took me a long time 2 realise it was f**kin me around and eventually found this site n got rid of it and got my pc bak 2 normal after about 5 hours!!

i would really like to know how it got 2 in my pc if anyone knows and if it waas the cause of my zonealarm process (vsmon) fucking up
any info on this would be much appreciated!! and the instructions 2 delete were very simple and effective, thanx agen,
mr kayy
2005-12-01, 19:21:41
anonymous from United States  
Thanks a lot i hate stupid pop ups like that.
2005-12-01, 21:11:14
David from United States  
I woke up and found this spyware crap on my computer. Searched the web and found this solution and I'll be darned it really worked. I appreciate the info. Glad you take the time to help computer dummies like me. Thanks again

Oh, this is what I did. I went to Control Panel and deleted Spysheriff and then ran Microsoft AntiSpyware. It deleted 2 files. Still had black warning screen and could change desktop. Read this and followed the instructions and it worked. Only I didn't find the winstall.exe file or the other files. Rebooted and it seems to be working great. Thanks again
2005-12-01, 21:26:12
Tom from Australia  
Hey Team,

I've noticed a couple of people are discussing the trojan reappearing - take MG in Ottawa's advice (the third reply above) and make sure they are disabled in the STARTUP as well as in the registry. Do this by clicking RUN, typing MSCONFIG, then clicking STARTUP and UNCHECKING Winstall.
I also had another TROJAN appear at the same time called 'WEATHER' - get rid of that one at the same time
2005-12-02, 05:21:53
tim from United Kingdom  
Thanks, easy to do, and worked!!
2005-12-02, 16:36:02
kaushal from United States  
GUYS AND GALS,

YOU ALSO NEED TO GO TO THE PROCESSES AND STOP THE WINSTALL.EXE FROM RUNNING SO THAT YOU CAN DELETE WINSTALL.EXE....

KEEP UP THE GOOD WORK
2005-12-03, 05:17:27
Rudy from Belgium  
thx, worked great!!
2005-12-03, 22:32:49
ken@amrsonline.com.au from Australia  
My problem is called spyaxe, it just appeared and won't go away - sounds just like Spysheriff - should I follow the same procedure to get rid of it?
2005-12-04, 09:13:04
hispano1987@hotmail.com from Spain  
Thank you for solving my problem. Good work!!
2005-12-04, 09:13:26
ahh from Sweden  
to those who hav problems deleting winstall.exe and ibm0001.exe
hav u tried going in safe mode and loggin in as administrator and delete from there..cause that worked for me
2005-12-04, 09:18:42
ahh from Sweden  
and use that msconfig tip it really worked
2005-12-04, 09:19:28
ahh from Sweden  
i forgot to say tnx for the help:D
tnx guys
2005-12-05, 11:25:25
anonymous from Hungary  
also close tool2.exe after pressing ctrl alt del
2005-12-05, 13:36:41
Dutchman from Netherlands  
Hi there.
That sheriff was installed on my PC too, but I followed the instructions here -great!- and I shot the sheriff, my desktop is normal again, but unfortunately that sob is not dead yet, he's on the ground bleeding: when I hit the Internet Explorer button I get the following: 'cannot find file://c:/secure32.html. make sure the path or internet adress is correct.' I hit OK and the browser opens a blank page and I can use the internet. Not a big problem, but annoying. Can anyone help me? Thanks!