Spysheriff - The Spyware Causing Anti-Spyware...

SpySheriff is a corrupt illegally distributed anti-spyware program. It is secretly installed to victim computers by various trojans and through certain web browser exploits. Once executed, SpySheriff registers itself in the system and runs a payload. It changes the desktop background to a fake warning message, forbids access to some web sites and may even block any attempts to connect to the Internet. The parasite can also disable some Windows essential components and tools such as the System Restore and the Date and Time application. In some cases SpySheriff may attempt to delete certain installed anti-spyware programs, crash the system and display bogus system error reports. This malware is able to prevent the user from uninstalling. It can also restore its removed components. SpySheriff automatically runs on every Windows startup.

In order to remove this infection we will need to use HijackThis to manually remove the infection:

1. Print out these instructions as we will need to shutdown every window that is open later in the fix.
2.Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
3. Download, install, and update Ewido Security Suite
1. Install Ewido security suite
2. Launch Ewido, there should be a big E icon on your desktop, double-click it.
3. The program will prompt you to update click the OK button
4. The program will now go to the main screen
5. On the left hand side of the main screen click on Update
6. Click on Start. The update will start and a progress bar will show the updates being installed.
4. After the updates are installed, exit Ewido
5. Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
6. Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
1. Click Options...
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
Cleanup! All Users
4. Click the OK button
5. Press the CleanUp! button to start the program.
7. After Cleanup! is finished start Ewido Security Suite
1. Click on scanner
2. Make sure the following boxes are checked before scanning:
Binder
Crypter
Archives
3. Click on Start Scan
4. Let the program scan the machine
5. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
8. When the scan is complete, exit the program and reboot back to normal mode.
9. Click on Start, then Control Panel, and double-click on the Add/Remove Programs icon.
10. Uninstall the SpySheriff program and then exit Add/Remove Programs.
11. Delete the following, in bold, if found:

C:\Documents and Settings\user account\Start Menu\Programs\SpySheriff <-whole folder
C:\Documents and Settings\user account\Application Data\Install.dat
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe
C:\Program Files\Daily Weather Forecast\

*NOTE* user account is not the actual name of that folder. The name of that folder will be the name of your computer profile.
12. Download HijackThis and save it to your C:\ folder. Extract the hijackthis.zip file to c:\hijackthis. We will use this program later.
13. Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HijackThis and press the Scan button. Place a check next to the following items, if found, and click FIX CHECKED:
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
14. Close HiJackThis.
15. RIGHT-CLICK HERE and go to Save As (in IE it's Save Target As) in order to download the smitfraud reg to your desktop.
16. Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.
17. After the merged successfully prompt, using Windows Explorer, navigate to the following folder:
C:\Windows\Prefetch
18. If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)
19. Reboot your computer.
20. You should be able to change your desktop back to normal now.

Your computer should now be free of the SpySheriff infection.