
Spysheriff blocks my desktop background - how to remove Spysheriff


Question:

This morning I came to my computer and found an application named Spysheriff running. It supposedly had found a dozen problems on my computer and demanded a purchase in order to remove them.
It also had changed my desktop background image so that it looked like an error message (see the screenshot):

[screenshot of Spysheriff]


It tries to tell me that my computer is in really bad shape and I am in danger unless I pay them.

I tried to remove that desktop background image using the Control Panel, but it is disabled! What can I do?

Answer:

SpySheriff is itself malware (a rogue "anti-spyware" product) and must not be used to clean a PC of spyware, adware or other malware. It is also destructive: if you try to use System Restore you will find that SpySheriff has erased your restore points, so that won't work.
SpySheriff does come with an uninstall program which removes SpySheriff, but it will not undo all the other damage your computer has suffered.


Instead follow these steps:
  1. Open Task Manager by pressing Ctrl-Alt-Del and click on the "Processes" tab. Look for SpySheriff there and end the process if you see it. If you see a process named "winstall" (winstall.exe), end that one as well.
  2. In the Control Panel go to "Add/Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then it is still running; it will uninstall once the process has been stopped.
  3. Your desktop background will not be restored by that uninstall. Open the registry by starting RegEdit.exe from the Start button.
    If your registry editor does not work, read this document: "I cannot open the registry editor".
  4. Look for this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    It will have about 6 values stored that disable certain desktop settings (the wallpaper lock is one of them). Delete this whole ActiveDesktop branch; the system will work with default values afterwards.
    Also delete this branch in your registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    This is the branch where the lock-outs of Task Manager and the registry editor live. Be aware that on a PC where an administrator or domain Group Policy has set restrictions, Policies\System can also hold legitimate entries, so note what is in there before you delete it. If Policies has neither branch, as one reader reports in the comments below, there is nothing to delete at this step.
  5. Look in the root directory of your system drive for a file named winstall.exe. Mine was in c:\ and 24064 bytes in size.
    This file is scheduled to execute each time you boot and it will re-install SpySheriff.
    Delete that file. If deletion fails with "access denied" even after you have ended the process, the file is still in use: as Brian describes in the comments below, renaming it (for example to deleteme.txt) still works, the renamed file will not run at boot, and it can be deleted after the restart.
    Update:
    As MG from Ottawa comments below, there may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well. If you have this file ibm0001.exe please see the other article regarding ibm0001.exe.
  6. Restart your system.
    Done.
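The same steps as a PowerShell script, added here as an example and not part of the original answer. It assumes a Windows system with PowerShell 5.1 or later and an elevated prompt; the process names, the two policy keys and the c:\winstall.exe path are taken from the answer above, while the listing of files created at the same time as winstall.exe, the rename fallback for "access denied", and the search of the Run keys for whatever launches the file at boot are assumptions added for the example (the answer does not say where that startup entry lives).

```powershell
# Added example: SpySheriff cleanup following the steps in the answer.
# Assumes Windows, PowerShell 5.1+, run as administrator.

# Step 1: end the malware processes if they are running (names from the answer).
foreach ($proc in 'SpySheriff', 'winstall') {
    Get-Process -Name $proc -ErrorAction SilentlyContinue | Stop-Process -Force
}

# Step 4: show the policy values before removing the branches. Policies\System
# can also hold restrictions an administrator set on purpose, so read the output.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        Write-Host "Values under $key"
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List | Out-String | Write-Host
        Remove-Item -Path $key -Recurse -Force
    } else {
        Write-Host "Not present (nothing to delete): $key"
    }
}

# Step 5: the re-installer dropped in the root of the system drive.
$dropper = Join-Path $env:SystemDrive 'winstall.exe'
if (Test-Path $dropper) {
    $file = Get-Item -Path $dropper -Force
    Write-Host ("Found {0} ({1} bytes, created {2})" -f $file.FullName, $file.Length, $file.CreationTime)

    # Assumption: files created within a minute of winstall.exe came from the same
    # installer. This is how ibm00001.exe was spotted in the comments; review them
    # by hand rather than deleting blindly.
    Get-ChildItem -Path "$env:SystemDrive\" -File -Force |
        Where-Object { $_.Name -ne $file.Name -and
                       [math]::Abs(($_.CreationTime - $file.CreationTime).TotalSeconds) -lt 60 } |
        Select-Object Name, Length, CreationTime | Format-Table | Out-String | Write-Host

    try {
        Remove-Item -Path $dropper -Force -ErrorAction Stop
    } catch {
        # "Access denied" means the file is still in use. Renaming usually works
        # even then; the renamed file is not executed at boot and can be deleted
        # after the restart.
        Rename-Item -Path $dropper -NewName 'deleteme.txt' -Force
        Write-Host "Could not delete winstall.exe; renamed it to deleteme.txt. Delete that file after the restart."
    }
}

# Added check: find whatever starts winstall.exe (or the ibm0...1.exe dropper) at
# boot by looking in the usual Run keys for a command that names it.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'winstall|ibm0+1\.exe' } |
        ForEach-Object {
            Write-Host "Autostart entry '$($_.Name)' in $key -> $($_.Value)"
            Remove-ItemProperty -Path $key -Name $_.Name
        }
}

Write-Host 'Done. Restart the system (step 6).'
```

Run it once before the restart in step 6 and keep the printed listings: the policy values tell you what the malware had locked, and the list of files created alongside winstall.exe tells you whether there are further droppers to remove.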

Update:

Some people asked about the company that makes SpySheriff. This is their London address:

Company:         SpySheriff Development Team
Street address:  Tooley 73a 
City:            London 
Zip:             EC1Y 1BL 
Country:         United Kingdom




Comments:

You are on page 1 of 52, other pages: [1] 2 3 4 49 50 51 52
2005-11-10, 14:41:18
storppey@aol.com from United States  
Everything went well until the end. I could not delete winstall.exe. The message said 'Access denied - make sure the disk is not full or write protected and that the file is not currently in use'. Can you help me? I am computer illiterate! Thanks, Scott
2005-11-12, 10:22:49
tha runescaper from Netherlands  
Same: thanks a lot, something helped me, but what does this mean:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.
Also delete this branch in your registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
2005-11-12, 22:09:46
Peter (Admin) from United States  
For 'tha runescaper':
That HKEY_CURRENT_USER stuff is an entry in the registry. You can view the registry by running start menu -> RUN -> Regedit [enter]

Then select HKEY_CURRENT_USER and then the subfolders. These are actually not really folders as in a file system; I just use this term here. Be careful with deleting or other modifications, as there is no trash can or other undo option.
2005-11-13, 09:40:51
Seth from United States  
Thank you SO much. I installed Spy Sheriff when it told me that it would fix the problem, went on my other computer to look at the price of it and found out it WAS the virus. I'm just glad that I looked at this site; you saved me a lot of time because I was getting ready to reformat when I couldn't figure out what was going on. Thanks again.
2005-11-14, 16:22:22
sed1701 from United States  
Thanks .... What a pain it was, and luckily I found this site. Followed your instructions and BAMMMM, I'm back in business. You rock. Big THANKS again.
2005-11-15, 05:25:34
goldwyn from Netherlands  
Okay, cool :) It worked for one time, but there are still 2 red circles with a white cross in them at the bottom right of my screen. HELP :)
2005-11-15, 20:55:16
Rudolph from Mexico  
I'm just another satisfied and thankful customer!
2005-11-16, 03:36:29
anonymous from United Kingdom  
Very helpful; however, when booting I still get the message 'ibm00001.exe not found'. Any suggestions?
2005-11-16, 04:32:50
anonymous from United States  
I did what was said, but I still get one circle with an X in the task window. I no longer get the annoying desktop message, but the desktop is altered, and when I go to the internet it still goes to c:\secure32.html. OMG this sucks.
2005-11-16, 12:11:20
Peter (Author) from United States  
I wrote a separate article about this ibm0001.exe here:

http://www.delphifa..f983.shtml
2005-11-17, 00:23:49
Brian from United States  
Mine was more of a tough nut to crack. I uninstalled SpySheriff and edited the registry as stated, and the desktop could then be configured. I continued to have the red circle with white cross show up in the system tray, however, and it kept nagging me about spyware being detected. winstall.exe (28 KB) was indeed in my root folder, but when I tried to delete it I got a complaint that I didn't have access to the file (huh?). I opened a cmd.exe window and tried to delete it from there, but had the same results. While in the cmd window, I *WAS* able to rename it. I called it 'deleteme.txt'. I was still prevented from deleting that file, but after rebooting it let me. All appears well now ... whew!
2005-11-18, 10:20:17
storppey@aol.com from United States  
Thanks so much. I got rid of Spy Sheriff. The only weird thing now is that on my desktop windows pop open on their own, usually Paint Studio or Internet Explorer. Also, I still get a scrolling banner that pops open and tells me my computer is infected. I can close it, but it is annoying. Can you help? Thanks.
2005-11-19, 06:01:26
yaroslav1991@mail.ru from Netherlands  
Some people mentioned before that they have a 'red circle with a white cross'... well, I have 3. And they keep showing that my computer is infected. Also my Internet Explorer start page cannot be changed; it's ALWAYS C:\System32, and when I delete the System32.html it just comes back again. What must I do?! Please help!
2005-11-20, 11:03:24
anonymous from United States  
I entered regedit and went looking for the key, but under 'Policies' it only has Explorer, no System or ActiveDesktop entries. I also have the "system infected" and Internet Explorer problems as yaroslav. Blast that SpySheriff!
2005-11-20, 16:54:21
chorysays@hotmail.com from Mexico  
Awesome.... but I have a comment that says: 'your PC is infected'... why do I have this comment....