DelphiFAQ Home Search:

Spysheriff blocks my desktop background - how to remove Spysheriff


comments774 comments. Current rating: 5 stars (299 votes). Leave comments and/ or rate it.


This morning I came to my computer and found an application named Spysheriff running. It supposedly had found a dozen of problems on my computer and demanded a purchase in order to remove them.
It also had changed my desktop background image so that it looked like a error message (see the screenshot):

screenshot of spysheriff

It tries to tell me that my computer is in really bad shape and I am in danger unless I pay them..

I tried to remove that desktop background image using the control panel but it is disabled! What can I do?


Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.
SpySheriff does come with an uninstall program which removes SpySheriff, but it will not undo all the other damage your computer has suffered.

Instead follow these steps:
  1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
  2. In the control panel goto "Add/ Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
  3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
    If your registry editor does not work, read this document "I cannot open the registry editor".
  4. Look for this key:
    It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
    Also delete this branch in your registry:
  5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
    This file is scheduled to execute each time you boot and it will re-install Spysheriff.
    Delete that file.
    As MG from Ottawa comments below, there may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
  6. Restart your system.


Some people asked about the company that makes SpySheriff. This is their London address:

Company:         SpySheriff Development Team
Street address:  Tooley 73a 
City:            London 
Zip:             EC1Y 1BL 
Country:         United Kingdom

Content-type: text/html


You are on page 49 of 52, other pages: 1 2 3 46 47 48 [49] 50 51 52
2007-01-17, 19:35:29
anonymous from Philippines  
thanks a lot it works
2007-01-19, 16:19:35
anonymous from United States  
okay im in the registry all the way up to current vision except I went into Internet settings and I got all these weird things like EnableAutodial REG_DWORD 0x00000001 and stuff like that with the blue icon with the 1's and 0's on it.This REG_DWORD is there anythingfishy about it??
2007-01-20, 00:41:38
anonymous from United States  
check under explorer and system, sometimes other policies are there too
2007-01-20, 17:35:19
anonymous from United Kingdom  
REG_DWORD is microsoft stuff, dont delete that key
2007-01-22, 15:14:07   (updated: 2007-01-22, 15:14:40)
Professor Cunthor from United States  
You need to delete the REG_DWORD and REG_FWORD keys, because they are data files set up by spysheriff. If you also see a REG_SWORD keys, you should also delete them too. Also, delete any registry keys that have the words 'Windows Explorer', or 'Critical System Files'.

Finally, download the program 'MSBAG V1.02'. It tricks your computer into thinking its sexy, forgetting about such things as hidden virus exe files that regenerate winstall.exe.

Profesor Cunthor
2007-01-22, 15:16:50
anonymous from United States  
Sorry this is Cunthor again. I just heard that MSBAG V1.02 is unstable when run under a windows environment. I will update on latest. Meanwhile, why don't you stick your head inside the freezer for entertainment purposes (mine)
2007-01-26, 21:21:44
anonymous from United States  
My hat is off to you. I spent an hour on the phone with McAfee 'Tech Support' and they had no clue how to fix it
2007-01-27, 21:21:35
anonymous from United States  
Norton Antivirus removed spy sheriff, but it still says that there is an user called administrator that was created by spysheriff. I cannot find this Administrator under users, but the Norton Security Inspector says there is an adminstrator user still here nad it has a weak password, how do I find and remove it? As stated before, there is no Administrator under users.
2007-01-28, 08:06:33
anonymous from Canada  
I also had spy sheriff, but it has blocked me from seeing anything BUT my background. I do not have access to my task bar, desktop icons, or the start menu. THe only way to access limited items is by going through the Windows Task Manager. Any suggestions for this?? Thanks!!
2007-01-30, 15:40:20
anonymous from United States  
Hey I removed the program SpySheriff awhile back ago but I still can't change my wallpaper. I am computer illiterate and don't know what I am doing but is there anyway I can restore this feature?
2007-02-01, 19:13:32 from United Kingdom  
Spot on! Ta for the advice. All tickety-boo now :)
2007-02-02, 01:36:55 from Philippines  
to enable or disable the task manager, go to start menu and run, type gpedit.msc after that the group policy will appear. Open User configuration-administrative templates-system-ctrlAltdel options-remove task manager. If you choose Enabled the task manager is disable, and choosing Disabled will enable the task manager. Hope this will help.
2007-02-17, 13:55:47
anonymous from United States  
Thank you very much. I got this problem all of sudden when I started my computer.

All I had to do is stop the spysheriff process and remove the program from add/remove program and it was gone. I need to get rid of 211 infected files it got on my computer though.

I couldn't see the registry entries under policies folder though. Please post some comment about that.

2007-02-21, 05:36:18
[hidden] from Egypt  
Thank you so much, you saved me :)
2007-02-22, 13:58:19
anonymous from United States  
the one I have is:bravesentry (BS 2.0) does the same trick to my pc. my desktop background id desable, i am still fighting it, now i have to restore my Desktop bg, anyone have a suggestion let me know how to restore my desktop bg
You are on page 49 of 52, other pages: 1 2 3 46 47 48 [49] 50 51 52



NEW: Optional: Register   Login
Email address (not necessary):

Rate as
Hide my email when showing my comment.
Please notify me once a day about new comments on this topic.
Please provide a valid email address if you select this option, or post under a registered account.

Show city and country
Show country only
Hide my location
You can mark text as 'quoted' by putting [quote] .. [/quote] around it.
Please type in the code:

Please do not post inappropriate pictures. Inappropriate pictures include pictures of minors and nudity.
The owner of this web site reserves the right to delete such material.

photo Add a picture: