SpySheriff is Malware and a rogue antivirus on Microsoft Windows that pretends to be antivirus software when it is actually a piece of severe malware itself.


It provides exaggerated and false details about malware on the computer. As a way of so-called "protection" it locks Internet Explorer to prevent "severe malware" from infecting the computer and also locks System Restore to prevent the compromised computer from using normal procedures to protect itself. It also corrupts the system so that when supposedly removed from the computer, the computer crashes. Even if it is removed, it manages to restore itself. It has been commonly implemented in pirated versions of Norton AntiVirus.[1] [2] " It also spots out fake viruses. Essentially, it is a scam that infects one’s computer.

Websites promoting SpySheriff

Spysheriff2005 in 2005

  • The typosquatted version of ( used to redirect to SpySheriff's website and automatically download the malware to the computer without consent. Now does not infect anymore, and is instead replaced with fake polls. It had its own website at www(dot)spysheriff(dot)com, which has now been removed.
  • When users download stuff from Softonic, SpySheriff is often bundled with the software. Also on Android if a user wants to download something and searches for it, a result for Softonic will usually come first.

Problems caused by SpySheriff


Another version of SpySheriff.


The popup advertisement that leads to the infection.

Most of the payloads are very similar to Trojan Vundo:
  • SpySheriff cannot simply be deleted, as it re-installs itself through hidden components on the computer. Trying to remove it with the Add/Remove Programs feature has similar results, or may result in a blue screen of death.
  • The program will stop the computer from connecting to the Internet or limit what webpages the user can access, and will display an error message reading "The system has been stopped to protect you from Spyware."
  • The desktop background can also be replaced with a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
  • SpySheriff has been known to create one or more administrator accounts, to block access to programs and utilities for other users. If logged in as an administrator, it is sometimes possible to delete the SpySheriff account(s).
  • It also acts to stop any attempt to do a system restore by preventing the calendar from being edited and restore points from loading. This prevents the user from being able to revert their computer to an earlier usable state. A system restore is, however, often possible after booting into safe mode.
  • It blocks several websites, including the ones that have downloadable anti-spyware software, locks the user's Internet Explorer options.

These payloads will likely create the need for the use of a recovery disk to restore original factory specs.

SpySheriff clones

The company known for developing SpySheriff knew that people have become aware of SpySheriff being malware , so they have created several clones that have different names but share the same interface and behave in similar ways. Adware Sheriff, Pest Trap, MalwareAlarm, SpywareNo, Spylocked, SpywareQuake, SpyTrooper, Spydawn, AntiVirGear, Brave Sentry, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyBot, SpySentry, SpyMarshal, and SpyAxe are the best known of these.


Spysheriff Download Scan

Spysheriff Download Scan

SpySheriff is difficult to remove manually. Attempting to remove it using the Add/Remove Programs feature may sometimes work, but it is highly unlikely; SpySheriff has a tendency to re-install itself due to hidden components in files on the user's computer. The simplest solution is to try genuine spyware removal tools in the hopes that it can be cleaned, but there are also possibilities for manual removal. Since System Restore is locked by SpySheriff, it is very hard to remove it through it; however, using System Restore in Safe Mode might work. There is a possible chance that the SpySheriff's components may be inside the System Restore folders. Tools called SmitFraudFix and SmitRem are said to get rid of SpySheriff; they work by deleting all of SpySheriff's components and if the desktop wallpaper had been changed, the removal tool replaces it with a plain solid color (by setting the desktop settings to None). Ad-Aware and Vundo-Fix can remove SpySheriff components by removing trojans associated with the program. HijackThis is sometimes recommended to remove registry entries by SpySheriff. IOBit Uninstaller may also work on mild infections. AdwCleaner should clean any remaining pop ups or corrupt files. HitMan Pro can find programs or registry keys that might be infected. Malwarebytes can catch some components of infection. Sometimes the only way to completely remove the virus is by saving all documents on a hard drive and re-installing Windows/reformatting if the above removal solutions do not seem to work. Using antivirus can prevent this infection from entering the computer.

See also


  1. Spyware tunnels in on Winamp flaw" by Joris Evers, CNET, February 6, 2006
  2. "Top 10 rogue anti-spyware" by Suze Turner, ZDNet, December 19, 2005

External links

Community content is available under CC-BY-SA unless otherwise noted.