Adware.SpySheriff is an adware program that may give exaggerated reports about potential risks on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported risks.

This Adware is manually downloaded and installed, or it may be installed through the use of exploits.

When Adware.SpySheriff is executed, it performs the following actions:
  1. Downloads and creates the following files:

    • %ProgramFiles%\SpySheriff\base.avd
    • %ProgramFiles%\SpySheriff\base001.avd
    • %ProgramFiles%\SpySheriff\base002.avd
    • %ProgramFiles%\SpySheriff\found.wav
    • %ProgramFiles%\SpySheriff\heur000.dll
    • %ProgramFiles%\SpySheriff\heur001.dll
    • %ProgramFiles%\SpySheriff\heur002.dll
    • %ProgramFiles%\SpySheriff\heur003.dll
    • %ProgramFiles%\SpySheriff\IESecurity.dll
    • %ProgramFiles%\SpySheriff\notfound.wav
    • %ProgramFiles%\SpySheriff\ProcMon.dll
    • %ProgramFiles%\SpySheriff\removed.wav
    • %ProgramFiles%\SpySheriff\SpySheriff.dvm
    • %ProgramFiles%\SpySheriff\SpySheriff.exe
    • %ProgramFiles%\SpySheriff\Uninstall.exe
    • %UserProfile%\Desktop\SpySheriff.lnk
    • %UserProfile%\Start Menu\Programs\SpySheriff.lnk

  2. Creates the following registry subkeys:

    HKEY_CURRENT_USER\Software\SpySheriff
    HKEY_CURRENT_USER\Software\SNO2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff

  3. Adds the value:

    "SpySheriff" = "%ProgramFiles%\SpySheriff\SpySheriff.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Scans parts of the registry and several system locations in order to detect risks.

    Note: The program may falsely report the presence of risks due to the detection techniques used, such as detection based solely on file names.

  5. Directs the user to the program's Web site to purchase the full version of the product in order to remove any discovered risks.

  6. Periodically displays a pop-up window (screenshot not reproduced on this page).

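The indicators above (dropped files, registry subkeys, the Run value) can be checked before anything is deleted. The following PowerShell script is an added example and is not part of the original writeup; it only reads the file system and registry and reports which indicators are present. It assumes the %ProgramFiles% and %UserProfile% locations the writeup names (the %UserProfile%\Start Menu path is the pre-Vista location and is kept as listed), and it checks the "SpySheriff" Run value under both HKLM (named in step 3) and HKCU (shown in the HijackThis lines later on this page).

```powershell
# Added example (not from the original writeup): read-only check for the
# SpySheriff indicators listed in steps 1-3. Run from an elevated PowerShell
# session; nothing is modified or deleted.

$programFiles = $env:ProgramFiles
$userProfile  = $env:USERPROFILE

# File indicators from the writeup, resolved against %ProgramFiles%
$files = @(
    @(
        'base.avd', 'base001.avd', 'base002.avd', 'found.wav',
        'heur000.dll', 'heur001.dll', 'heur002.dll', 'heur003.dll',
        'IESecurity.dll', 'notfound.wav', 'ProcMon.dll', 'removed.wav',
        'SpySheriff.dvm', 'SpySheriff.exe', 'Uninstall.exe'
    ) | ForEach-Object { Join-Path $programFiles "SpySheriff\$_" }
)
# Shortcut indicators under the user profile (Start Menu path is pre-Vista layout)
$files += Join-Path $userProfile 'Desktop\SpySheriff.lnk'
$files += Join-Path $userProfile 'Start Menu\Programs\SpySheriff.lnk'

# Registry subkeys the adware creates
$subkeys = @(
    'HKCU:\Software\SpySheriff',
    'HKCU:\Software\SNO2',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff'
)

# Autostart locations to inspect for the "SpySheriff" value
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $f }
    }
}

foreach ($k in $subkeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Indicator = $k }
    }
}

foreach ($runKey in $runKeys) {
    # -ErrorAction SilentlyContinue: a missing value is the expected clean case
    $v = Get-ItemProperty -Path $runKey -Name 'SpySheriff' -ErrorAction SilentlyContinue
    if ($v) {
        $findings += [pscustomobject]@{
            Type      = 'RunValue'
            Indicator = "$runKey\SpySheriff = $($v.SpySheriff)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SpySheriff indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean machine prints the single "No SpySheriff indicators found." line; on an infected machine the table lists exactly which of the writeup's indicators are present, which is useful both before removal (to confirm the diagnosis) and after (to confirm the removal steps below worked).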
Removal Steps: Boot into Safe Mode with Networking, turn off System Restore, and perform the steps below.

Step 1: Delete the value from the registry

  1. Click Start > Run.
  2. Type regedit
  3. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the following:

    "SpySheriff" = "%ProgramFiles%\SpySheriff\SpySheriff.exe"

  5. Navigate to and delete the following registry subkeys:

    HKEY_CURRENT_USER\Software\SpySheriff
    HKEY_CURRENT_USER\Software\SNO2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff

  6. Exit the registry editor.

Step 2: Download CCleaner and run it to remove temporary and junk files.

Step 3: Uninstall SpySheriff from Add/Remove Programs.

Step 4: Manually delete the following files and folders

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff (whole folder)
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff (whole folder)
C:\Windows\Desktop.html
C:\winstall.exe
C:\Program Files\Daily Weather Forecast\ (whole folder)

Step 5: Run a Spy Sweeper scan and remove all infections. To verify removal, run an Ad-Aware SE scan. (Update definitions before running a scan.)

Step 6: Download and run HijackThis and remove the following entries.

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
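Rather than picking the three entries out of a long HijackThis log by eye, the O4 autostart lines can be parsed and matched against the image paths this guide says to remove. The PowerShell below is an added example, not part of the original guide or of HijackThis itself; the log text is constructed for illustration (the "ExampleApp" and "AnotherApp" lines are made-up benign entries for contrast), and a real log would be read with Get-Content instead.

```powershell
# Added example (not from the original guide): parse HijackThis "O4" lines and
# flag the autostart entries the guide lists. Sample log is constructed.

$sampleLog = @'
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [AnotherApp] C:\Program Files\AnotherApp\tray.exe
'@
# For a real log: $sampleLog = Get-Content -Raw 'C:\path\to\hijackthis.log'

# Image paths the guide says to remove (string comparison is case-insensitive)
$suspectPaths = @(
    'C:\Program Files\SpySheriff\SpySheriff.exe',
    'C:\winstall.exe',
    'C:\Program Files\Daily Weather Forecast\weather.exe'
)

# O4 - <hive>\..\Run: [<value name>] <image path>
$pattern = '^O4 - (?<hive>HK\w+)\\\.\.\\Run: \[(?<name>[^\]]+)\] (?<path>.+)$'

$entries = foreach ($line in ($sampleLog -split "`r?`n")) {
    if ($line -match $pattern) {
        $path = $Matches.path.Trim()
        [pscustomobject]@{
            Hive    = $Matches.hive
            Name    = $Matches.name
            Path    = $path
            Suspect = ($suspectPaths -contains $path)
        }
    }
}

# Show only the entries that match the guide's list
$entries | Where-Object { $_.Suspect } | Format-Table Hive, Name, Path -AutoSize
```

Run against the constructed log this prints the SpySheriff, Windows installer and Daily Weather Forecast rows and nothing else; matching on the full image path rather than on the bracketed value name matters because the value name ("Windows installer") is chosen by the adware to look legitimate.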

Step 7: Download smitfraud.reg from http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save it to your Desktop. Double-click smitfraud.reg on your desktop. When asked whether you want to merge it into the registry, click Yes. After the "merged successfully" prompt, use Windows Explorer to navigate to the following folder:
C:\Windows\Prefetch
If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder itself; delete only the files inside it.)
Reboot your computer.

Your system should now be back to normal and free of SpySheriff.

Turn System Restore back on and create a new restore point.