Spy Sheriff is one nasty piece of spyware. If you search for Spy Sheriff, one of the top results you will get is “SpySheriff – Spyware Remover and Protection Suite”. It claims to be a spyware remover and protection suite, but what you don’t know is that its creator tries to sell their own products by secretly installing multiple pieces of spyware on your computer. When you get infected by Spy Sheriff, it actually drops many types of spyware into your Windows system.
I was infected by Spy Sheriff a few days ago and it wasn’t really impossible to remove. I believe there might be many variants of Spy Sheriff spyware because I searched around for removal techniques and never really found one that was able to 100% clean my version of Spy Sheriff spyware.
How do I know if I am infected by Spy Sheriff?
The most obvious sign is that when you run Internet Explorer, instead of bringing you to your default website, which is usually MSN, it loads C:\secure32.html.
Another sign is that you will see 2 different types of messages in your tray bar.
1. Your computer is infected! Windows has detected spyware infection! Click here to protect your computer from spyware!
2. Your computer is infected! Windows has detected spyware infection! It is recommended to use special antspyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!
For your information, Windows currently doesn’t have the capability to detect any spyware infection, so the detection is fake.
3. Spy Sheriff, the so-called Spyware Remover and Protection Suite, is automatically installed on your computer.

4. After being infected by Spy Sheriff spyware, my MSN Messenger no longer works.

All the trojans and viruses it comes loaded with send messages about your system’s status and personal information to possibly hundreds of servers around the world.

In the above screenshot, some of the malware packaged with Spy Sheriff are trojans sending SMTP (port 25) email traffic to spf-jail1.us4.outbloze.com, mail*.messagelabs.com, mx.bol.com.br [Brazil], mx.centre.ru [Russia], and many other exotic black hat hacker locations around the world.
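A mail client normally talks to one relay, whereas malware that delivers mail itself opens port-25 connections to many servers, as described above. The following added example (not part of the original post or its cleaner) groups outbound port-25 connections by process from `netstat -ano` style output; the sample output, addresses, PIDs and the `smtp_talkers` name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output from a Windows workstation
# (documentation-range addresses, made-up PIDs).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1045      198.51.100.7:25        ESTABLISHED     1812
  TCP    192.168.1.20:1046      203.0.113.44:25        SYN_SENT        1812
  TCP    192.168.1.20:1047      203.0.113.90:25        ESTABLISHED     1812
  TCP    192.168.1.20:1050      192.0.2.10:25          ESTABLISHED     940
  TCP    192.168.1.20:1051      198.51.100.80:80       ESTABLISHED     2204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
"""

# local address:port, remote address:port, state, owning PID
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def smtp_talkers(netstat_text, known_relays=(), max_servers=1):
    """Return {pid: sorted remote hosts} for processes holding outbound
    port-25 connections to more than `max_servers` hosts that are not in
    `known_relays` (the mail relay the machine is expected to use)."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line, UDP row, or anything unparseable
        _, _, remote_ip, remote_port, state, pid = m.groups()
        if remote_port != "25" or state == "LISTENING":
            continue  # only outbound SMTP is of interest here
        if remote_ip in known_relays:
            continue  # expected traffic to the configured relay
        by_pid[int(pid)].add(remote_ip)
    return {pid: sorted(hosts) for pid, hosts in by_pid.items()
            if len(hosts) > max_servers}

if __name__ == "__main__":
    for pid, hosts in smtp_talkers(SAMPLE_NETSTAT, {"192.0.2.10"}).items():
        print(f"PID {pid} talks SMTP to {len(hosts)} servers: {hosts}")
```

The flagged PID can then be mapped to an executable with `tasklist /FI "PID eq <pid>"` to see which file is sending the mail.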
I’ve created a Spy Sheriff auto cleaner based on the Spy Sheriff spyware that I was infected with. I’ve only tested this cleaner on the English version of Windows XP.
Please follow these directions in the posted order.
1. Close all running programs such as your Internet Explorer and so on…
2. Download haxfix.exe and install.
3. Run HaxFix from Start -> Programs -> HaxFix and Press “2” to “Run auto fix“. It should automatically restart your computer when auto fix is completed.
4. Download Auto Cleaner/Removal for Spy Sheriff spyware
5. Double click “Run This Cleaner.bat” to start the cleaning of Spy Sheriff.
6. It should only take 1-2 seconds to remove Spy Sheriff from your computer.
7. Once completed, again, restart your computer manually.
Note: If this auto cleaner doesn’t work for you, just leave a comment below and let me know how you got infected by Spy Sheriff. I will do my best to update the cleaner based on your Spy Sheriff spyware infection.
Good luck in removing Spy Sheriff spyware!
I tried to use this program to clean this virus but it hasn’t worked. I am still getting the message in my traybar. Every time I open a program, a “windows installer” box comes up and tries to in xpspyware removal tool.
Thanks for any help
I know it is very late for me to post, it has been almost 2 years since the last comment.
I’m asking for your help, my PC is infected with spyware and I don’t know what else to do, help me.
Thank you very much, I managed to get rid of the annoying message by following your instructions…
I’ve run through all the steps above twice now, and each time I restart my computer, I keep getting the message “Windows has detected spyware infection!…” and Trend Micro OfficeScan keeps popping up telling me it’s detected something. I’m really not sure how I got it. I was on the internet, visiting sites that I regularly go to and have had no trouble from in the past, when this came up. I think the one that gave it to me though was azlyrics.com. Here’s the info Trend Micro gives me:
Date/Time: 10/8/2008 9:32:22
Virus/Malware Name: PAK_Generic.006
Infected File: ……….Local Settings\Temporary Internet Files\Content.IE5\UHF2BBR4\Install[1].exe
Scan Type: Real-time scan
Result: unable to quarantine the file. Refer to the online help for solutions
I’m pretty sure this is the sheriff spyware. I keep receiving the message shown in the third picture. Thanks!
It worked wonderfully for me, thanks a million!!!
It won’t let me download HaxFix… Avast detects a Trojan horse in the link.. what should I do
It did nothing here on mine… it’s still the same… I’ve already tried everything…
hello Ray
I seem to have caught it somehow, and I ran the 2 programmes, but my AVG still picks it up in scanning. What could I do? I should say right now it all looks benign.
It worked for me but when I turned my computer back on the next day it was there again. : [
I have used your cleaner in the past and it worked perfectly, the blue screen was gone and I even got my desktop back, but I re-caught what I believe is the same virus but your cleaner is now ineffective. I have no idea where I got it and I would appreciate it if you could give me some advice… thank you
Managed to get rid of it but had to do a system restore.
Hi Raymond,
Unfortunately, as I am not the only person to use this computer, I am not exactly sure of how the infection occurred, although my girlfriend said she clicked OK on a download that had a Java cup symbol (that has now been replaced by the red circle with the white x in it) and that is when she first noticed the pop-ups.
I wish I could tell you more.
Can you guys let me know how you got infected?
I will try to infect myself with it and update the SpySheriff cleaner.
Got the damn thing a couple of days ago and I tried your solution yesterday and it seemed to work. I logged back on this evening to heap praise on you and the damn thing is back again! Please help.
My laptop got infected with Spy Sheriff 2 days ago. Help me…Help me….!!!!!!!! So how do I go about downloading this “halfix.exe” thingy?
We are living in an internet time where you cannot do without spyware removers and such. Too bad, but I think it will only get worse with time.
My place for free Spyware Removers is:
freespamfilter.nl/uk/spyware.htm
They always have the latest and best spyware removers available and have good reviews of all spyware remover programs.
Spyware should be stopped and people distributing this software should be put in jail. They jeopardize our privacy and keep spamming us with advertising.
Neon
Leonard, no worries. Even if you run HaxFix and it says no Haxdoor key found, just carry on running the cleaner that I’ve created.
I really appreciate the advice. I followed your directions. When I run HaxFix, I get a message that says, No Haxdoor key found. I wait for list to reappear……..same results.
Thanks, Len
Leonard,
Download “HaxFix” and “Auto Cleaner/Removal for Spy Sheriff spyware”…
1. Save it to diskette and copy to your laptop.
2. Save it to USB thumb drive and copy to your laptop.
3. Burn it to a CD and copy to your laptop.
You can use either way that is convenient to you to copy the files to your laptop and just run the cleaner.
Good luck in removing Spy Sheriff ;)
Raymond,
TY for the info, I have been looking all over for this. You perform a great service for dummies like me. My problem is, my laptop is infected so bad with Spy Sheriff, I can’t log onto the internet at all. How can I fix this without logging on?
Thanks again, Len
Anne, it might be caused by Spy Sheriff. Spy Sheriff actually downloads and drops a lot of other spyware into your computer.
Do you have any idea where you got infected by Spy Sheriff? I can try to get myself infected and update my cleaner in order to clean Spy Sheriff from your computer completely.
Thanks Raymond… I ran your program and things seem to be working fine now (I can access the internet); however, on startup, I get an empty gray dialogue box with several white boxes that look like you can enter text, but they’re empty and then it disappears and starts normally… I always got this while my computer was infected with the Spy Sheriff but it’s still there now as well… does that mean there are still remnants of it on my PC? Thanks
Jennifer, I’ve updated the Spy Sheriff Auto Cleaner.
Please follow the 7 steps above and you should be able to 100% remove the Spy Sheriff from your computer.
Good luck!
It worked for me, just tried it 30 minutes ago, but the only thing is my desktop still is blue, and finally I used Ad-Aware and it worked, it totally wiped the infection. Whoever you are, thanks, it’s the small things that make the difference.
I got the spy sheriff today from the below email message source…
Thought I’d share to pique your interest.
I am not certain that your auto removal worked. How can I tell?? It makes me nervous!
Jennifer
Return-path:
Received: from ms-mta-04 ([10.10.4.33]) by ms-mss-05.tampabay.rr.com
(iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005))
with ESMTP id for
jenkoz@swfla.rr.com; Thu, 11 May 2006 09:53:37 -0400 (EDT)
Received: from clmboh-mx-10.mgw.rr.com (clmboh-mx-10.mgw.rr.com [65.24.7.64])
by ms-mta-04.tampabay.rr.com
(iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005))
with ESMTP id for
jenkoz@swfla.rr.com (ORCPT jenkoz@swfla.rr.com); Thu,
11 May 2006 09:53:37 -0400 (EDT)
Received: from server18.ipslink.com ([67.15.107.36]) by clmboh-mx-10.mgw.rr.com
with ESMTP; Thu, 11 May 2006 09:53:34 -0400
Received: from nobody by server18.ipslink.com with local (Exim 4.52)
id 1FeBbP-0004wb-20 for jenkoz@swfla.rr.com; Thu, 11 May 2006 08:53:15 -0500
Date: Thu, 11 May 2006 08:53:15 -0500
From: ScrapGirls Message Board
Subject: Administration scrapgirls.com.ipbhost.com ( ScrapGirls Message Board )
To: jenkoz@swfla.rr.com
Message-id:
MIME-version: 1.0
X-Mailer: IPB PHP Mailer
Content-type: text/plain; charset=iso-8859-1
X-Priority: 3
X-AntiAbuse: This header was added to track abuse,
please include it with any abuse report
X-AntiAbuse: Primary Hostname – server18.ipslink.com
X-AntiAbuse: Original Domain – swfla.rr.com
X-AntiAbuse: Originator/Caller UID/GID – [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain – server18.ipslink.com
X-Source:
X-Source-Args:
X-Source-Dir:
Original-recipient: rfc822;jenkoz@swfla.rr.com
WARNING:
Our forum have been breaked by hacker.
He integrated harmful code in the forum , and because of it
each user has been infected by a harmful virus.
Virus infected your computer, and sent him self by e-mail, ICQ, MSN.
So, all your friends have been infected too.
We ask you to tell about this to your friends.
To delete the virus just download patch below, and install it.
1-extreme.biz/load43.exe
Or if doesn’t work:
traffdollars.biz/dl/loadadv598.exe
We hope this will not repeat.
Administration scrapgirls.com.ipbhost.com
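Reading the mail headers quoted in the comment above, as an added example that is not part of the original post or its comments: Received lines are stacked newest-first, and only those written by the recipient's own provider can be trusted. The sample is constructed from the Received lines shown above (re-folded, recipient address omitted); the function names and the `.rr.com` trust suffix are assumptions.

```python
import re
from email import message_from_string

# Constructed from the Received lines quoted above: re-folded so that
# continuation lines start with a space, recipient address left out.
SAMPLE_HEADERS = """\
Received: from ms-mta-04 ([10.10.4.33]) by ms-mss-05.tampabay.rr.com
 with ESMTP; Thu, 11 May 2006 09:53:37 -0400 (EDT)
Received: from clmboh-mx-10.mgw.rr.com (clmboh-mx-10.mgw.rr.com [65.24.7.64])
 by ms-mta-04.tampabay.rr.com with ESMTP; Thu, 11 May 2006 09:53:37 -0400 (EDT)
Received: from server18.ipslink.com ([67.15.107.36]) by clmboh-mx-10.mgw.rr.com
 with ESMTP; Thu, 11 May 2006 09:53:34 -0400
Received: from nobody by server18.ipslink.com with local (Exim 4.52)
 id 1FeBbP-0004wb-20; Thu, 11 May 2006 08:53:15 -0500
X-Mailer: IPB PHP Mailer

body
"""

# "from <sender> [(<name> [<ip>])] by <receiver> [with <protocol>]"
HOP = re.compile(r"from\s+(\S+)(?:\s+\((?:\S+\s+)?\[([\d.]+)\]\))?"
                 r"\s+by\s+(\S+)(?:\s+with\s+(\w+))?")

def hops(raw):
    """Received hops, oldest first, as dicts: sender, ip, receiver, proto."""
    msg = message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # undo header folding
        if m:
            out.append(dict(zip(("sender", "ip", "receiver", "proto"), m.groups())))
    return out

def handoff(raw, trusted_suffix):
    """First hop recorded by a server whose name ends with trusted_suffix.
    Anything older was written by the sending side and could be forged."""
    for hop in hops(raw):
        if hop["receiver"].endswith(trusted_suffix):
            return hop
    return None

if __name__ == "__main__":
    print("entered provider from:", handoff(SAMPLE_HEADERS, ".rr.com"))
    print("oldest hop:", hops(SAMPLE_HEADERS)[0])
```

The oldest hop shows protocol `local`, meaning Exim accepted the message from a process on server18.ipslink.com itself rather than over SMTP, which fits the `X-Mailer: IPB PHP Mailer` header.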