It provides exaggerated and false details about malware on the computer. As a way of so-called "protection" it locks Internet Explorer to prevent "severe malware" from infecting the computer and also locks System Restore to prevent the compromised computer from using normal procedures to protect itself. It also corrupts the system so that when supposedly removed from the computer, the computer crashes. Even if it is removed, it manages to restore itself. It has been commonly implemented in pirated versions of Norton AntiVirus. It also reports fake viruses. Essentially, it is a scam that infects one's computer.
Websites promoting SpySheriff
- The typosquatted version of google.com/google.ca (goggle.com/goggle.ca) used to redirect to SpySheriff's website and automatically download the malware to the computer without consent. goggle.com no longer delivers the malware and instead shows fake polls. SpySheriff had its own website at www(dot)spysheriff(dot)com, which has now been removed.
- When users download software from Softonic, SpySheriff is often bundled with it. Also, on Android, if a user searches for something to download, a result for Softonic will usually come first.
Problems caused by SpySheriff
Most of the payloads are very similar to Trojan Vundo:
- SpySheriff cannot simply be deleted, as it re-installs itself through hidden components on the computer. Trying to remove it with the Add/Remove Programs feature has similar results, or may result in a blue screen of death.
- The program will stop the computer from connecting to the Internet or limit what webpages the user can access, and will display an error message reading "The system has been stopped to protect you from Spyware."
- The desktop background can also be replaced with a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
- SpySheriff has been known to create one or more administrator accounts, to block access to programs and utilities for other users. If logged in as an administrator, it is sometimes possible to delete the SpySheriff account(s).
- It also acts to stop any attempt to do a system restore by preventing the calendar from being edited and restore points from loading. This prevents the user from being able to revert their computer to an earlier usable state. A system restore is, however, often possible after booting into safe mode.
- It blocks several websites, including the ones that have downloadable anti-spyware software, and locks the user's Internet Explorer options.
These payloads will likely make a recovery disk necessary to restore the computer to its original factory state.
The company known for developing SpySheriff knew that people had become aware that SpySheriff was malware, so it created several clones that have different names but share the same interface and behave in similar ways. Adware Sheriff, Pest Trap, MalwareAlarm, SpywareNo, Spylocked, SpywareQuake, SpyTrooper, Spydawn, AntiVirGear, Brave Sentry, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyBot, SpySentry, SpyMarshal, and SpyAxe are the best known of these.