From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
SpySheriff interface.

SpySheriff, also known as Brave Sentry, SpyAxe, SpywareSheriff, Pest Trap, SpyTrooper,[1] Spywareno, and MalwareAlarm,[2] is malware that disguises itself as an anti-spyware program. SpySheriff attempts to mislead a user into buying the program by repeatedly informing them of false threats to their system.[3] It is very difficult to remove SpySheriff from machines,[4] since it nests its components in System Restore folders, and also blocks some system management tools. Similar to most rogue antiviruses, SpySheriff asks the user to register when they click "Remove found threats". However, SpySheriff can be removed if the user already has anti-malware tools on the machine, or owns a rescue disk.


SpySheriff used to be hosted at www.spy-sheriff.com from 2005 to late 2008 and is now defunct.[5] Several typosquatted websites have also attempted to automatically install SpySheriff, including a fake version of Google.com (called Goggle.com). As of 2015, Goggle.com, which had changed ownership due to a lawsuit by Google, was a survey scam. It was a website that showed links to Amazon.com items but as of 2017 the domain is dead as there is nothing on its HTML data other than the word "goggle" anymore.

Problems caused by SpySheriff[edit]

Another version of SpySheriff.
A fake infection warning pop-up.
  • SpySheriff reports false malware infections and pretends to detect real malware infections.[1][6]
  • Attempts to remove SpySheriff have been reported to be unsuccessful as SpySheriff will reinstall itself.
  • The desktop background may be replaced with an image resembling a blue screen of death, or a notice reading: "SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
  • Going to add/remove programs to remove SpySheriff either causes the computer to crash or does not remove all components.[7]
  • Any attempt to connect to the Internet via a web browser is blocked by SpySheriff, which replaces the user's desktop background with a blue warning screen saying that the system has been stopped to protect the user from spyware. However, users are still able to connect to Spy-Sheriff.com through the program's control panel.
  • SpySheriff stops any attempt to do a system restore by causing the calendar and restore points to not load. This causes the user to be unable to revert their computer to an earlier state. A loop hole has been discovered, in that if the user undoes the last restore operation, the system will restore itself, allowing a chance to remove SpySheriff.[7]
  • SpySheriff can detect certain running anti-spyware and anti-virus programs and disable them by ending their processes as soon as it detects them, preventing its detection and removal by these programs as long as it is active on the system.
  • SpySheriff can disable the taskmgr or regedit tools that a user may attempt to bring up to end its active process or to remove its registry entries from Windows. Renaming the regedit and taskmgr executables will fool it, however.

See also[edit]


  1. ^ a b "SpySheriff Technical Details". Symantec. Retrieved 2009-11-01. 
  2. ^ "SpywareNo!". Retrieved 2009-11-11. 
  3. ^ "Spyware tunnels in on Winamp flaw". Joris Evers, CNET News.com, February 6, 2006. Retrieved 2009-11-01. 
  4. ^ "Top 10 rogue anti-spyware". Suze Turner, ZDNet, December 19, 2005. Retrieved 2009-11-01. 
  5. ^ "SunBelt Security Blog". Sunbelt Security. Retrieved 2009-11-01. 
  6. ^ Vincentas (18 October 2012). "spysheriff.exe in SpyWareLoop.com". Spyware Loop. Archived from the original on 2016-01-18. Retrieved 27 July 2013. 
  7. ^ a b "SpySheriff - CA". CA. Archived from the original on April 5, 2007. Retrieved 2009-11-01. 

External links[edit]