DelphiFAQ Home Search:

Spysheriff blocks my desktop background - how to remove Spysheriff

 

comments774 comments. Current rating: 5 stars (299 votes). Leave comments and/ or rate it.

Question:

This morning I came to my computer and found an application named Spysheriff running. It supposedly had found a dozen of problems on my computer and demanded a purchase in order to remove them.
It also had changed my desktop background image so that it looked like a error message (see the screenshot):

screenshot of spysheriff


It tries to tell me that my computer is in really bad shape and I am in danger unless I pay them..

I tried to remove that desktop background image using the control panel but it is disabled! What can I do?

Answer:

Spysheriff is malware and should not be used to clean a PC from spyware/ adware/ malware. It's pretty bad e.g. if you try to use System Restore you will find that Spysheriff erased your restore points, so that won't work.
SpySheriff does come with an uninstall program which removes SpySheriff, but it will not undo all the other damage your computer has suffered.


Instead follow these steps:
  1. Open task manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for Spysheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.
  2. In the control panel goto "Add/ Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.
  3. Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the start button.
    If your registry editor does not work, read this document "I cannot open the registry editor".
  4. Look for this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
    Also delete this branch in your registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  5. Look in your root directory for a file named winstall.exe. Mine was in c:\ and 24064 Bytes in size.
    This file is scheduled to execute each time you boot and it will re-install Spysheriff.
    Delete that file.
    Update:
    As MG from Ottawa comments below, there may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
  6. Restart your system.
    Done.

Update:

Some people asked about the company that makes SpySheriff. This is their London address:

Company:         SpySheriff Development Team
Street address:  Tooley 73a 
City:            London 
Zip:             EC1Y 1BL 
Country:         United Kingdom




Content-type: text/html

Comments:

You are on page 51 of 52, other pages: 1 2 3 48 49 50 [51] 52
2007-10-27, 06:23:02
anonymous from United States  
Hey thank you so much, I was getting worried that I could never fix it!
2007-11-22, 09:57:20
anonymous from United States  
Hello Well Spysheriff is bad everybody knows that but you don't wanna download it my computer broke REALLY!!! IT WENT ON FIRE weird how strong is that spyware?
2007-12-03, 17:33:30
anonymous from United States  
rating
I have checked several strings and most said to restore which did not always solve problem. I deleted the branches indicated and it solved the problem. Thanks!
2007-12-07, 01:12:13
anonymous from India  
hey dude all the symptoms you have given for spysherif are matches with the problems that i am having. but i cudnt find the spysherif in add/remove, and also my task manager & regedit is not working. pls hlp me out. pls pls pls
2007-12-22, 14:20:54
anonymous from United Kingdom  
Love you!! lol this has been wrecking my head for weeks then I just gave up after months of searching for help then you sorted it ot. Thank You!! :)


Keywords:
2008-02-13, 16:54:36
anonymous from United States  
rating
Wonderful! I was lost but now I found the rat bastard malware w/your excellent tutelage!
Wiped it off my C drive & Reg and back to normal. This site rocks!
2008-04-05, 15:38:25
anonymous from United States  
rating
THANKS MATE! this worked perfectly but i am still unaware of what i did to have it happen. if you can plz email me at invade_da_chickens@yahoo.com and thanks again!
2008-04-08, 12:42:00
[hidden]  
testing 123
2008-04-20, 02:31:37
anonymous from United Kingdom  
this kind of help is very valuable and deeply appreciated. Respect to you all.
2008-07-29, 10:29:22   (updated: 2008-07-29, 10:57:27)
efespilsen@hotmail.co.uk from Wigan, United Kingdom  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

In the \Policies on my Reg Editor, I cant find ActiveDesktop.

Alls there is in the policies file > [ComDlg32 , Explorer , Uninstall]

Anybody know any reason wHKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\P
2008-08-08, 22:33:13
anonymous  
rating
Excellent suggestion. It worked perfectly and didn't had a problem with the steps or anything. thank you very much.
2008-09-22, 14:49:22
anonymous from United States  
spysheriff was made in the uk WTF?!!!!
2008-10-16, 00:50:40
anonymous  
' HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'

I had to use the search option but i found it and then deleted this whole strip {72267f6a-a6f9-11d0-bc94-00c04fb67863}

tyvm. for sharing your knowledgeHKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\P


Keywords:
2008-11-21, 08:56:04   (updated: 2008-11-21, 08:57:27)
anonymous  
rating
jgfkhkjkghgj67ygjyghlolololololololjkjkjkjlololOMFGPWNS!!!
2008-11-21, 08:57:55
anonymous from United States  
rating
You are on page 51 of 52, other pages: 1 2 3 48 49 50 [51] 52

 

 

NEW: Optional: Register   Login
Email address (not necessary):

Rate as
Hide my email when showing my comment.
Please notify me once a day about new comments on this topic.
Please provide a valid email address if you select this option, or post under a registered account.
 

Show city and country
Show country only
Hide my location
You can mark text as 'quoted' by putting [quote] .. [/quote] around it.
Please type in the code:

Please do not post inappropriate pictures. Inappropriate pictures include pictures of minors and nudity.
The owner of this web site reserves the right to delete such material.

photo Add a picture: