From Wikipedia, the free encyclopedia

SpySheriff, also known as Brave Sentry, Pest Trap, SpyTrooper,[1] Spywareno, and MalwareAlarm,[2] is malware that disguises itself as an anti-spyware program. SpySheriff attempts to mislead a user into buying the program by repeatedly informing them of false threats to their system.[3] It is very difficult to remove SpySheriff from machines,[4] since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed if the user has anti-malware tools on the machine, or owns a rescue disk.


SpySheriff was hosted at www.spy-sheriff.com from 2005 to late 2008; the site is now defunct.[5] Several typosquatted websites have also attempted to automatically install SpySheriff, including a version of Google.com (Goggle.com), and MCreator, a program used to make mods for Minecraft. As of 2007, these sites are no longer active.

Problems caused by SpySheriff

  • SpySheriff reports false malware infections and pretends to detect real malware infections.[1][6]
  • Attempts to remove SpySheriff have been reported to be unsuccessful as SpySheriff will reinstall itself.
  • The desktop background may be replaced with an image resembling a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
  • Using "Add/Remove Programs" to remove SpySheriff either causes the computer to crash or does not remove all components.[7]
  • Any attempt to connect to the Internet via a web browser is blocked by SpySheriff, which replaces the user's desktop background with a blue warning screen saying that the system has been stopped to protect the user from spyware.
  • SpySheriff stops any attempt to do a system restore by preventing the calendar and restore points from loading, so the user cannot revert the computer to an earlier state. A loophole has been discovered: if the user undoes the last restore operation, the system will restore itself, allowing a chance to remove SpySheriff.[7]


The company that developed SpySheriff, knowing that people have become aware that SpySheriff is malware/rogue software, has created several SpySheriff clones with different names and styles that share the same interface and behave similarly. Adware Sheriff, Pest Trap, SpywareNo, Spylocked, SpywareQuake, SpyTrooper, Spydawn, AntiVirGear, Brave Sentry, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyBot SpyMarshal, and SpyAxe are the best known variants of SpySheriff.


SpySheriff is difficult to remove manually. Removing it through the "Add/Remove Programs" control panel may sometimes work, but this is highly unlikely; SpySheriff tends to reinstall itself from hidden components in files on the infected computer. The simplest solution is to try genuine spyware removal tools in the hope that the system can be cleaned, but manual removal is also possible. Because SpySheriff locks System Restore, removal by that route is very hard; running System Restore in Safe Mode might work, but SpySheriff's components may themselves be inside the System Restore folders. Tools called SmitFraudFix and SmitRem are said to get rid of SpySheriff; they work by deleting all of SpySheriff's components, and if the desktop wallpaper has been changed, the removal tool replaces it with a plain blue screen (by setting the desktop settings to None). Ad-Aware and Vundo-Fix can remove SpySheriff components by removing trojans associated with the program. HijackThis is sometimes recommended for removing registry entries created by SpySheriff. If the above removal solutions do not work, sometimes the only way to completely remove the virus is to save all files on a hard drive and then reinstall Windows or reformat. Using antivirus and/or anti-spyware software can prevent this infection from entering the computer.


  1. "SpySheriff Technical Details". Symantec. Retrieved 2009-11-01.
  2. "SpywareNo!". Retrieved 2009-11-11.
  3. "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. Retrieved 2009-11-01.
  4. "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. Retrieved 2009-11-01.
  5. "SunBelt Security Blog". Sunbelt Security. Retrieved 2009-11-01.
  6. Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Retrieved 27 July 2013.
  7. "SpySheriff - CA". CA. Retrieved 2009-11-01. [dead link]
