Manual removal of Spysheriff
There is a nasty piece of malware out there known as Spysheriff that I have had to remove for friends on several occasions. The last time I was asked to remove it was over the phone. This was a test for me because on previous attempts I had had to use an uninfected computer in order to make up a CDR containing the software I needed to remove Spysheriff from the infected computer off-line.
I will endeavour to update this article each time I have to deal with a Spysheriff infection. If you have any further information in regards to dealing with Spysheriff, please email me.
First, I recommend that you print out this page and take it with you to the infected computer. Sitting comfortably? Let's begin.
Your PC will probably not let you access the internet or run Task Manager. To get Task Manager back, do the following:
You should now be able to start Task Manager (CTRL-ALT-DEL or right-click on the taskbar).
In Task Manager click on the 'Processes' tab and end the following processes if they exist:
- spysheriff.exe
- winstall.exe
Now we need to fix the registry. Run regedit again and remove the following keys if they exist:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SpySheriff
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SNInstall
- HKEY_CURRENT_USER\Software\SpySheriff
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff
Also search the registry for any occurrences of the string 'spysheriff' and delete any entries found.
Using Windows Explorer delete the following:
- C:\Program Files\SpySheriff
- C:\Documents and Settings\[Current User]\Start Menu\Programs\SpySheriff
Next, click START > Search, search for the following files on all your hard drives/partitions, and delete them if found:
- spysheriff.exe
- winstall.exe
- heur000.dll
- heur001.dll
- heur002.dll
- heur003.dll
- iesecurity.dll
- procmon.dll
- uninstall.exe
- desktop.html
- wallpaper.html
Then finally empty your Recycle Bin so all deleted files are removed.
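An added example, not part of the original article: a read-only PowerShell check for the processes, registry entries, folders and files listed above. It deletes nothing, so it can be run before the steps to see what is present or afterwards to confirm the cleanup. It assumes Windows PowerShell 2.0 or later is installed on the machine and that `[Current User]` is the logged-on profile (`$env:USERPROFILE`).

```powershell
# Read-only check for the indicators listed in the article. Nothing is deleted.
$names = 'spysheriff.exe','winstall.exe','heur000.dll','heur001.dll','heur002.dll',
         'heur003.dll','iesecurity.dll','procmon.dll','uninstall.exe',
         'desktop.html','wallpaper.html'
$regPaths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\SpySheriff',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\SNInstall',
            'HKCU:\Software\SpySheriff',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff'
# Assumption: [Current User] in the article's path is the logged-on profile.
$folders = 'C:\Program Files\SpySheriff',
           (Join-Path $env:USERPROFILE 'Start Menu\Programs\SpySheriff')

# Processes: Get-Process expects the name without the .exe extension.
Get-Process -Name spysheriff, winstall -ErrorAction SilentlyContinue |
    ForEach-Object { "PROC   $($_.Id)  $($_.ProcessName)  $($_.Path)" }

# Registry: an entry under ...\Run is normally a value of the Run key rather
# than a subkey, so test each path as a key and as a value of its parent key.
foreach ($p in $regPaths) {
    $parent = Split-Path $p -Parent
    $leaf   = Split-Path $p -Leaf
    if (Test-Path -LiteralPath $p) {
        "KEY    $p"
    } elseif (Test-Path -LiteralPath $parent) {
        $v = Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue
        if ($v) { "VALUE  $p = $($v.$leaf)" }
    }
}

foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) { "FOLDER $f" }
}

# Files: search every file-system drive. uninstall.exe is also a common name for
# legitimate uninstallers, so print path, size and date for review.
$roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
Get-ChildItem -Path $roots -Recurse -Force -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object { "FILE   $($_.FullName)  $($_.Length) bytes  $($_.LastWriteTime)" }
```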
You should now have control of your PC back. See if you can access the internet and download some decent anti-spyware software. Once downloaded, install it, scan your system and remove any malicious files found. I recommend the following tools:
Spyware Doctor, Spybot Search & Destroy, Ad-aware, Ewido.
It also pays to install a decent anti-virus tool like AVG and use a firewall like Zone Alarm or Windows XP Firewall.
Not got control of your PC back after the above? Drop me an email and I will see if I can help.
Dave
Article updated: 06-May-2006
