SpySheriff

[dalek]

SpySheriff spysheriff.com
spy-sheriff.com
spyware-cash.com
antispynow.com aggressive advertising, reported stealth-installs (1, 2); false positives work as goad to purchase; inadequate scan reporting; same app as SpyDemolisher, SpyTrooper, & SpywareNo [A: 6-1-05 / U: 6-1-05]

This is what Spyware Warrior says about spysheriff and other apps, you might want to bookmark this link for future reference before downloading programs that look flashy.

From Lavasoft:

Description:
SpywareNo! And SpySheriff claim to be antispyware solutions that offer free trials to the user that will detect content but not remove what is found (they also offer similar three day trial software that claims to remove the content discovered and shows that this was removed) before purchasing. Both applications detect and remove (as described) similar content that does not exist in an attempt to deceive the user into purchasing the software.

TAC (Threat Assessment Chart) Rating: 7.3* *Reported as a TAC of 7 in Ad-Aware

Behavior
- Program masks as doing one thing, but does another 1.8 points

As described, the software claims to be antispyware solutions that will detect and remove content discovered. The content detected is not present on the system and though they claim to uninstall the content detected (in the three day trial version) nothing is actually removed though the software claims that the removal was successful.

Lavasoft

Some more info on Spysheriff:

Sleazy

Ran your log over at Highjack Analyzer

It came back with some questionable content, but nothing overly serious.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

These (R1) can be removed/fixed it does give your "02's" a clean bill of health, down to user pref if you want these removed.

Best bet is to submit your log to either AUMHA

Tomcoyote

and have someone have a look at it, and they will be able to determine what you should or shouldn't remove.

Luck

[Sjdoughboy]

my kid go spysheriff that one was a pain in the butt atleast on his computer got into his "hidden" Recycler file. after a few day of farting with it it wa just easer for me to wipe th edrav and start fresh.... all i say is keep a eye on it it might begone..... for me it keep coming back like a bad case of VD's have fun

[warriorfan808]

On the bright side. At least it got me to look at some programs I had installed and get rid of the programs that I don't use anymore. Took a bit of time, but things are looking good now.

[rapier57]

Just a heads up, that DHO for AcroIE-whatever. If you remove that, your Acrobat Reader will no longer open PDF files in your browser. If you already blew that away, you can download the current Acrobat Reader and reinstall.

Some helpers are OK, but you should know which ones are on your system and keep track of them.

[ShagDevil]

I just recently delt with a similar s.o.b. of a malware program known as SpyAxe. I checked everywhere for methods on how to remove it and none of them worked. This malware was even popping up in safe mode(for current user). I eventually removed it by logging on to the PC as a local admin in safe mode (this is a PC on a LAN) and ran ad-aware, ewido, and M$ AS and finally Norton Corp Edition AV. This method worked to remove it.

...has been using one of my computers for the last month and ended up installing kazaa...

I just assumed you've got some kind of network. Hopefully your sister is not setup for an admin account? Maybe you can boot into safemode, logon as a local admin and try your scans again?

[warriorfan808]

Originally posted here by ShagDevil
I just recently delt with a similar s.o.b. of a malware program known as SpyAxe. I checked everywhere for methods on how to remove it and none of them worked. This malware was even popping up in safe mode(for current user). I eventually removed it by logging on to the PC as a local admin in safe mode (this is a PC on a LAN) and ran ad-aware, ewido, and M$ AS and finally Norton Corp Edition AV. This method worked to remove it.

I just assumed you've got some kind of network. Hopefully your sister is not setup for an admin account? Maybe you can boot into safemode, logon as a local admin and try your scans again?

She isn't anymore. She saw me using ERD command a while back and then got her hands on it. Booted in and set herself a user. I hardly use the computer, so I really didn't know until everything was messed up.