Spyware Sheriff is a rogue antispyware application that uses Trojans and other malware to trick or scare you into purchasing it. If you are infected with this malware, your Internet Explorer home page will be reset to about:blank and display a fake Windows Security Center alert stating that you are possibly infected.
When you click the button on this page, it takes you to the site antispylab.com, which attempts to sell you Spyware Sheriff, Adware Sheriff, or Regfreeze Antispy. The program also creates fake security alerts in the Windows taskbar claiming various security risks on your computer, ranging from spam and hack attempts to Trojan infections. Clicking these alerts also takes you to the antispylab.com site. There have also been reports of this infection crashing the legitimate Microsoft process lsass.exe.
When this process crashes, Windows begins a countdown and shuts the computer down when it expires.
Read more about Spyware Sheriff: New rogue antispyware – SpywareSheriff
As your first step, please download HijackThis.
Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis.
Download HijackThis.exe into this folder.
Print out these instructions as we will need to close every window that is open later in the fix.
Download SmitfraudFix. Extract the content (a folder named SmitfraudFix) to your Desktop.
Download and unzip Avenger to your desktop.
Download CCleaner. Double click on the file for install.
Next, Download, install, and update the free version of Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait for the update to finish; the status bar at the bottom will display “Update successful”.
5. Exit Ewido. DO NOT scan yet.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows logo appears, press F8 (tapping it repeatedly is the safest way not to miss the window).
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press Enter to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning – Do you want to clean the registry?”; answer “Yes” by typing Y and pressing Enter in order to remove the Desktop background and clean the registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.
Reboot your computer into Safe Mode again.
Start up Avenger.
Check the ‘Input script manually’ option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste the following script exactly as shown (both lines):
Files to delete:
C:\WINDOWS\system32\winapi32.dll
Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Reboot your PC again in Safe mode.
Run HijackThis, choose “Do a system scan only” and check the box next to the following entries (the Avenger step has already deleted the DLL, so HijackThis reports the registrations as file missing; they still need to be fixed):
O2 - BHO: winapi32.MyBHO - {26C43C19-A1CE-456E-9CBF-77FFB9E92681} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
Close all other windows and browsers, then click “Fix Checked”.
Reboot your computer.
Run Ewido:
1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report“. This will create a text file. Make sure you know where to find this file again.
Run CCleaner.
Click the Analyze button. After it finishes analyzing your system, click Run Cleaner.
Restart your computer in normal mode.
Run the Panda online virus scan.
– Once you are on the Panda site click the Scan your PC button
– A new window will open; click the Check Now button
– Enter your Country
– Enter your State/Province
– Enter your e-mail address and click send
– Select either Home User or Company
– Click the big Scan Now button
– If it wants to install an ActiveX component allow it
– It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
– When download is complete, click on Local Disks to start the scan
– When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Your computer should now be free of the Spyware Sheriff and Antispylab.com infection.
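To confirm the cleanup, run HijackThis once more and check the new log for the indicators this guide names. The script below is an added example, not part of the original guide and not code from HijackThis or any other tool mentioned here; it parses a HijackThis log (a constructed sample is embedded, in which “Example Helper” and its all-zero CLSID are placeholders for a benign BHO) and flags the two O2 BHO CLSIDs, any BHO that loads winapi32.dll, and an Internet Explorer start page of about:blank. It also distinguishes an active registration from an orphaned one, which is the state the Avenger step leaves the BHO entries in: the DLL is gone but the registry keys remain until HijackThis fixes them.

```python
"""Flag the Spyware Sheriff indicators from this guide in a HijackThis log.

Added example: not part of the original guide nor of HijackThis itself.
"""
import re

# Indicators taken from the guide: the two O2 BHO CLSIDs the HijackThis
# step fixes and the DLL the Avenger script deletes.
BHO_CLSIDS = {
    "{26C43C19-A1CE-456E-9CBF-77FFB9E92681}",  # winapi32.MyBHO
    "{77701E16-9BFE-4B63-A5B4-7BD156758A37}",  # (no name)
}
DROPPED_FILES = {r"c:\windows\system32\winapi32.dll"}
# The guide says the infection resets the IE home page to about:blank.
SUSPECT_START_PAGES = {"about:blank"}

# Line shapes HijackThis uses for BHO registrations (O2) and for the IE
# start/search page values (R0/R1).
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>.*)$")
# HijackThis appends these when the registered file no longer exists on disk,
# which is exactly the state the Avenger step leaves the BHO entries in.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Constructed sample log; "Example Helper" and its all-zero CLSID are
# placeholders for a benign BHO, not real identifiers.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: winapi32.MyBHO - {26C43C19-A1CE-456E-9CBF-77FFB9E92681} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def is_missing(target):
    """True when HijackThis marked the registered file as absent."""
    return target.strip().endswith(MISSING_MARKERS)


def normalize_path(target):
    """Lower-case a registered path and strip the missing-file marker."""
    target = target.strip()
    for marker in MISSING_MARKERS:
        if target.endswith(marker):
            target = target[: -len(marker)].strip()
    return target.lower()


def scan_log(log_text):
    """Return (line, reason) pairs for every indicator hit in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_LINE.match(line)
        if m:
            clsid = m.group("clsid").upper()
            target = m.group("target")
            state = "orphaned" if is_missing(target) else "active"
            if clsid in BHO_CLSIDS:
                findings.append((line, f"known Spyware Sheriff BHO CLSID ({state} registration)"))
            elif normalize_path(target) in DROPPED_FILES:
                findings.append((line, f"BHO loads the dropped winapi32.dll ({state})"))
            continue
        m = R_LINE.match(line)
        if m and m.group("url").strip().lower() in SUSPECT_START_PAGES:
            findings.append((line, "IE start page reset to about:blank"))
    return findings


def is_clean(log_text):
    """True when none of the guide's indicators remain in the log."""
    return not scan_log(log_text)


if __name__ == "__main__":
    for line, reason in scan_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
    print("clean" if is_clean(SAMPLE_LOG) else "indicators still present")
```

Save the post-cleanup HijackThis log to a file, read it into `scan_log`, and the fix is complete only when `is_clean` returns True; an orphaned O2 entry in the output means the DLL was removed but the “Fix Checked” step was skipped or did not take.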
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below:
Spyware removal – Read Before Posting
Last update: 06/15/06