SpySheriff, also known as BraveSentry, SpyDawn, SpywareBot, SpyAxe, SpywareSheriff, Pest Trap, SpyTrooper, Spywareno, and MalwareAlarm, is malware that disguises itself as an anti-spyware program, which attempts to mislead a user into buying the program by repeatedly informing them of false threats to their system. The software is particularly difficult to remove from machines, since it nests its components in System Restore folders, and also blocks some system management tools. Compared to most rogue antiviruses, SpySheriff prompts the user to register when an attempt to "Remove found threats" is made. However, SpySheriff can be removed if the user already has anti-malware tools on the machine, or, if not sufficient, owns a rescue disk.
SpySheriff was formerly hosted at www.spy-sheriff.com, which operated from 2005 until it was shut down in 2008. Several typosquatted websites have also attempted to automatically install SpySheriff, including a fake version of Google.com (called Goggle.com), or spysherrif.com. Also, websites named after the alternative names of Spysheriff also hosted it before they too were shut down. As of 2015, Goggle.com, which had changed ownership due to a lawsuit by Google, was a survey scam. The website displayed links to Amazon.com items but as of 2017 the domain is no longer accessible as there is nothing on its HTML data other than the word "goggle". At the beginning of 2018, the site redirected to the scam site tango-deg.com, but as of October of 2018, it has a simple HTML markup with a top-level heading written "Goggle.com Inc."
Known symptoms caused by SpySheriff
- SpySheriff reports fake malware infections and impersonates itself to detect real malware infections.
- Attempts to remove SpySheriff have been reported to be unsuccessful as SpySheriff will reinstall itself.
- The desktop background may be replaced with an image resembling a Blue Screen of Death, or a notice reading, "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
- Attempts to remove SpySheriff via the Add or Remove Programs control panel either causes the computer to restart unexpectedly or does not remove all components.
- Attempts to connect to the Internet in any web browser is blocked by SpySheriff, which replaces the user's desktop background with a blue warning screen saying that the system has been stopped to protect the user from spyware. Spy-Sheriff.com is the only accessible website than can be opened through the program's control panel.
- Attempt to remove SpySheriff via a System Restore is blocked, via causing the calendar and restore points to not load. Because of this, users cannot restore their system to an earlier state. However, a loophole has been discovered, in that if the user undoes the last restore operation, the system will restore itself, allowing a chance to remove SpySheriff.
- SpySheriff can detect certain antispyware and antivirus programs running on the machine, and disable them by ending their processes as soon as it detects them, thus preventing its detection and removal by these programs as long as it is active on the system.
- SpySheriff can disable the Task Manager and Registry Editor tools to keep the user from ending its active process or removing its registry entries from Windows. Renaming the 'regedit' and 'taskmgr' executables will fool it, however.
- "SpySheriff Technical Details". Symantec. Retrieved 2009-11-01.
- "SpywareNo!". Retrieved 2009-11-11.
- "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. Retrieved 2009-11-01.
- "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. Retrieved 2009-11-01.
- "SunBelt Security Blog". Sunbelt Security. Retrieved 2009-11-01.
- Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Archived from the original on 2016-01-18. Retrieved 27 July 2013.
- "SpySheriff - CA". CA. Archived from the original on April 5, 2007. Retrieved 2009-11-01.