Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search
SSSS - SpySheriffScreenShot.jpg
TypeRogue Antivirus, Adware
DateDecember 2nd, 2005-2009
OriginLondon, United Kingdom
PlatformMicrosoft Windows
File TypeWin32 PE executable (.EXE)
Alias(es)Symantec - Adware.SpySheriff

SUPERAntiSpyware - Trojan.SpySheriff

AhnLab-V3 - Win-Trojan/Spyshe.412672
This box: view  talk  edit

SpySheriff is Malware and a rogue antivirus on Microsoft Windows that pretends to be antivirus software when it is actually a piece of very severe malware itself.


It provides exaggerated and false details about malware on the computer. As a way of so-called "protection", it locks Internet Explorer to prevent "severe malware" from infecting the computer and also locks System Restore to prevent the compromised computer from using normal procedures to protect itself.

It also corrupts the system so that when supposedly removed from the computer, the computer crashes. Even if it is removed, it manages to restore itself. It has been commonly implemented in pirated versions of Norton AntiVirus.<ref name="winampflaw">Spyware tunnels in on Winamp flaw" by Joris Evers, CNET News.com, February 6, 2006</ref> <ref>"Top 10 rogue anti-spyware" by Suze Turner, ZDNet, December 19, 2005</ref> " It also spots out fake viruses. Essentially, it is a scam that infects one's computer.

As of 2008, the servers for SpySheriff and its clones were shut down, and the site can no longer be accessed, essentially neutering the virus, though it has been archived.

Websites promoting SpySheriff

Spysheriff.com in 2005
  • The typo squatted version of google.com/google.ca (goggle.com/goggle.ca) used to redirect to SpySheriff's website and automatically download the malware to the computer without consent. Now goggle.com does not infect anymore. It had its own website at spysheriff.com, which has now been removed.

Problems caused by SpySheriff

Most of the payloads are very similar to Vundo:

  • SpySheriff cannot simply be deleted, as it re-installs itself through hidden components on the computer. Trying to remove it with the Add/Remove Programs feature has similar results, or may result in a blue screen of death.
  • The program will stop the computer from connecting to the Internet or limit what webpages the user can access, and will display an error message reading "The system has been stopped to protect you from Spyware."
  • The desktop background can also be replaced with a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged." sometimes it may display a red (possibly blinking) icon in the system tray.
  • SpySheriff has been known to create one or more administrator accounts, to block access to programs and utilities for other users. If logged in as an administrator, it is sometimes possible to delete the SpySheriff account(s).
  • It also acts to stop any attempt to do a system restore by preventing the calendar from being edited and restore points from loading. This prevents the user from being able to revert their computer to an earlier usable state. A system restore is, however, often possible after booting into safe mode.
  • It blocks several websites, including the ones that have downloadable anti-spyware software, locks the user's Internet Explorer options.

These payloads will likely create the need for the use of a recovery disk to restore original factory specs.

SpySheriff clones

The company known for developing SpySheriff knew that people have become aware of SpySheriff being malware, so they have created several clones that have different names but share the same interface and behave in similar ways. Adware Sheriff, Pest Trap, MalwareAlarm, SpywareNo, Spylocked, SpywareQuake, SpyTrooper, Spydawn, AntiVirGear, Brave Sentry, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyBot, SpySentry, SpyMarshal, and SpyAxe are the best known of these.


SpySheriff is difficult to remove manually. Attempting to remove it using the Add/Remove Programs feature may sometimes work, but it is highly unlikely; SpySheriff has a tendency to re-install itself due to hidden components in files on the user's computer. The simplest solution is to try genuine spyware removal tools in the hopes that it can be cleaned, but there are also possibilities for manual removal. Since System Restore is locked by SpySheriff, it is very hard to remove it through it; however, using System Restore in Safe Mode might work. There is a possible chance that the SpySheriff's components may be inside the System Restore folders.

Tools called SmitFraudFix and SmitRem are said to get rid of SpySheriff; they work by deleting all of SpySheriff's components and if the desktop wallpaper had been changed, the removal tool replaces it with a plain solid color (by setting the desktop settings to None). Ad-Aware and Vundo-Fix can remove SpySheriff components by removing trojans associated with the program. HijackThis is sometimes recommended to remove registry entries by SpySheriff. IOBit Uninstaller may also work on mild infections. AdwCleaner should clean any remaining pop-ups or corrupt files. HitMan Pro can find programs or registry keys that might be infected. Malwarebytes can catch some components of infection. Sometimes the only way to completely remove the virus is by saving all documents on a hard drive and re-installing Windows/reformatting if the above removal solutions do not seem to work. Using antivirus can prevent this infection from entering the computer.

Old variants of SpySheriff had an uninstaller. Which claims to uninstall SpySheriff, Some variants of SpySheriff were actually different. Unlike some variants of SpySheriff, Other variants like SpyAxe had an uninstaller.

See also


<references />

External links