Program:Win32/SpySheriff

Encyclopedia entry
Updated: Dec 04, 2007  |  Published: Sep 12, 2006

Aliases
  • Win32.TrojanDownloader.IEDefender (Ad-Aware)
  • MagicAntiSpy (Sunbelt Software)
  • Adware.SpySheriff (Symantec)
  • SpyShredder (Symantec)
  • IEDefender (other)
  • Malware Destructor (other)
  • SpySheriff (other)
  • SpyShredder (other)

Alert Level
High

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.101.892.0
Released: Apr 05, 2011
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


 

Summary

SpySheriff is the Microsoft scanner detection name for a product called SpySheriff and several similar products, including SpyShredder, BraveSentry, DiaRemover, MalwareAlarm, Mr. Antispy, PestTrap, PestWiper, SpyTrooper, SpyDemolisher, and SpyMarshal. SpySheriff may be installed without user consent. It may then display a dialog box suggesting that malware has been found and prompting the user to purchase the software in order to remove the malware (which is not actually present). SpySheriff may download and install program updates without notifying the user.


 

Symptoms

The following symptoms may be indications of a SpySheriff installation:
  • A SpySheriff-related product name appearing in the registry, such as value name: BraveSentry
    in registry subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • An application shortcut with a SpySheriff-related product name (such as BraveSentry or DiaRemover) on the affected user's desktop or under All Programs on the affected user's Start menu.
  • An uninstaller entry for a SpySheriff-related product (such as DiaRemover or MalwareAlarm) in Add or Remove Programs in Control Panel.
  • The appearance of a dialog box that resembles the following graphic. The dialog box warns that the computer is infected with spyware and prompts the user to purchase a SpySheriff-related product (such as PestTrap, as in the following image) to remove the spyware.


 

Technical Information (Analysis)

The SpySheriff products may use similar or identical reference database files. Some of the products may also use the same dynamic link libraries (DLLs), although the file names may vary.  Each product may also:
  • Modify the registry to cause the program to run automatically whenever the affected user logs on.
  • Register an uninstaller to list the product by name in Add or Remove Programs in Control Panel.
  • Place application shortcuts on the affected user's desktop and under All Programs on the affected user's Start menu.
 
Below are system changes that may occur during installation of various SpySheriff-related products.
 
BraveSentry
BraveSentry may make the following system changes:
  • Drop the following files under %ProgramFiles%\BraveSentry:
    bravesentry.exe
    bravesentry.lic
    bravesentry0.bs
    bravesentry1.bs
    bravesentry0.dll
    bravesentry1.dll
    bravesentry2.dll
    bravesentry3.dll
    uninstall.exe
    (Note: By default, the Windows environment variable %ProgramFiles% denotes the folder "C:\Program Files".)
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\BraveSentry
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\uninstall\BraveSentry
    • Add value name: BraveSentry
      in subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 
  • Place a BraveSentry application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > BraveSentry.
 
DiaRemover
DiaRemover may make the following system changes:
  • Drop the following files under %ProgramFiles%\DiaRemover:
    base001.avd
    base.avd
    Diaremover.dvm
    DiaRemover.exe
    found.wav
    heur000.dll
    heur001.dll
    heur002.dll
    IESecurity.dll
    notfound.wav
    ProcMon.dll
    removed.wav
    Uninstall.exe
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\DiaRemover
      HKEY_CURRENT_USER\Software\SNO
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\uninstall\DiaRemover
    • Add value name: DiaRemover
      in subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 
  • Place a DiaRemover application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > DiaRemover.
 
MalwareAlarm
MalwareAlarm may make the following system changes:
  • Drop the following files under %ProgramFiles%\MalwareAlarm:
    malwarealarm.exe
    malwarealarm.lic
    malwarealarm0.dll
    malwarealarm1.dll
    malwarealarm2.dll
    malwarealarm3.dll
    malwarealarm0.ma
    malwarealarm1.ma
    uninstall.exe
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\MalwareAlarm
      HKEY_CURRENT_USER\Software\BraveSentry
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MalwareAlarm
    • Add value name: MalwareAlarm
      in subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  
  • Place a MalwareAlarm application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > MalwareAlarm.
 
Mr. AntiSpy
Mr. AntiSpy may make the following system changes:
  • Drop the following files under %ProgramFiles%\MrAntispy:
    MrAntispy0.dll
    MrAntispy0.ms
    MrAntispy1.dll
    MrAntispy1.ms
    MrAntispy2.dll
    MrAntispy3.dll
    MrAntispy.exe
    MrAntispy.lic
    MrAntispy.ms
    Uninstall.exe
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\MrAntispy
      HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\MrAntispy
    • Add value name: MrAntispy
      in subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Place a MrAntispy application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > MrAntispy.
 
PestTrap
PestTrap may make the following system changes:
  • Drop the following files under %ProgramFiles%\PestTrap:
    base001.avd
    base002.avd
    base.avd
    found.wav
    heur000.dll
    heur001.dll
    heur002.dll
    heur003.dll
    notfound.wav
    removed.wav
    PestTrap.dvm
    PestTrap.exe
    Uninstall.exe
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\SNO2
      HKEY_CURRENT_USER\Software\PestTrap
      HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Pest Trap
    • Add value name: PestTrap
      in subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Place a PestTrap application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > PestTrap.
 
PestWiper
PestWiper may make the following system changes:
  • Drop the following files under %ProgramFiles%\PestWiper:
    base001.avd
    base002.avd
    base.avd
    found.wav
    heur000.dll
    heur001.dll
    heur002.dll
    heur003.dll
    MalwareAlarm0.dll
    notfound.wav
    removed.wav
    PestWiper.dvm
    PestWiper.exe
    Uninstall.exe
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\SNO2
      HKEY_CURRENT_USER\Software\PestWiper
      HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\PestWiper
    • Add value name: PestWiper
      in subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Place a PestWiper application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > PestWiper.
 
SpyMarshal
SpyMarshal may make the following system changes:
  • Drop the following files under %ProgramFiles%\SpyMarshal:
    SpyMarshal0.dll
    SpyMarshal0.sm
    SpyMarshal1.dll
    SpyMarshal1.sm
    SpyMarshal2.dll
    SpyMarshal3.dll
    SpyMarshal.exe
    SpyMarshal.lic
    Uninstall.exe
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\SpyMarshal
      HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\SpyMarshal
    • Add value name: SpyMarshal
      in subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Place a SpyMarshal application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > SpyMarshal.
 
SpySheriff
SpySheriff may make the following system changes:
  • Drop the following files under %ProgramFiles%\SpySheriff:
    base001.avd
    base002.avd
    base.avd
    found.wav
    heur000.dll
    heur001.dll
    heur002.dll
    heur003.dll
    notfound.wav
    removed.wav
    SpySheriff.dvm
    SpySheriff.exe
    Uninstall.exe
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\SNO2
      HKEY_CURRENT_USER\Software\SpySheriff
      HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Spy Sheriff
    • Add value name: SpySheriff
      in subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Place a SpySheriff application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > SpySheriff.
 
SpyTrooper
SpyTrooper may make the following system changes:
  • Drop the following files under %ProgramFiles%\SpyTrooper:
    base001.avd
    base002.avd
    base.avd
    found.wav
    heur000.dll
    heur001.dll
    heur002.dll
    heur003.dll
    notfound.wav
    removed.wav
    SpyTrooper.dvm
    SpyTrooper.exe
    Uninstall.exe
  • Modify the registry:
    • Add subkeys:
      HKEY_CURRENT_USER\Software\SNO2
      HKEY_CURRENT_USER\Software\SpyTrooper
      HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Spy Trooper
    • Add value name: SpyTrooper
      in subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Place a SpyTrooper application shortcut on the affected user's desktop, and on the affected user's Start menu under All Programs > SpyTrooper. 
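
The per-product changes above follow one pattern: a Run value and an HKEY_CURRENT_USER\Software subkey named after the product, an uninstall subkey, and a folder under %ProgramFiles%. The following read-only PowerShell check is an added example, not part of the original entry. It looks for those artifacts using only the names listed on this page; the function names Find-SpySheriffArtifact and New-Hit are hypothetical, and the 32-bit registry and folder views it also checks are an assumption that goes beyond what the entry lists.

```powershell
# Added example: read-only check for the SpySheriff-family artifacts listed in this entry.
# Key = product folder / Run value / HKCU subkey name; value = uninstall subkey name.
$Products = [ordered]@{
    BraveSentry = 'BraveSentry'; DiaRemover = 'DiaRemover';  MalwareAlarm = 'MalwareAlarm'
    MrAntispy   = 'MrAntispy';   PestTrap   = 'Pest Trap';   PestWiper    = 'PestWiper'
    SpyMarshal  = 'SpyMarshal';  SpySheriff = 'Spy Sheriff'; SpyTrooper   = 'Spy Trooper'
}
$SharedKeys = 'HKCU:\Software\SNO', 'HKCU:\Software\SNO2'
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Assumption (not from the entry): on 64-bit Windows, 32-bit installers are redirected
# to WOW6432Node and "Program Files (x86)", so both views are checked.
$UninstallRoots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$ProgramDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

function New-Hit($Product, $Type, $Path) {
    [pscustomobject]@{ Product = $Product; Type = $Type; Path = $Path }
}

function Find-SpySheriffArtifact {
    # The Run value and product subkeys are per-user (HKCU): run once per user profile.
    $run = Get-ItemProperty -LiteralPath $RunKey -ErrorAction SilentlyContinue
    foreach ($name in $Products.Keys) {
        if ($run -and $run.PSObject.Properties.Name -contains $name) {
            New-Hit $name 'RunValue' "$RunKey [$name] = $($run.$name)"
        }
        if (Test-Path -LiteralPath "HKCU:\Software\$name") {
            New-Hit $name 'UserKey' "HKCU:\Software\$name"
        }
        foreach ($root in $UninstallRoots) {
            $key = "$root\$($Products[$name])"
            if (Test-Path -LiteralPath $key) { New-Hit $name 'UninstallKey' $key }
        }
        foreach ($dir in $ProgramDirs) {
            $folder = Join-Path $dir $name
            if (Test-Path -LiteralPath $folder) { New-Hit $name 'InstallDir' $folder }
        }
    }
    # SNO / SNO2 are listed for several products, so they are reported separately.
    foreach ($key in $SharedKeys) {
        if (Test-Path -LiteralPath $key) { New-Hit '(shared)' 'UserKey' $key }
    }
}

Find-SpySheriffArtifact | Format-Table -AutoSize
```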


 

Prevention



 

Recovery

SpySheriff may place an uninstaller entry in Add or Remove Programs in Control Panel. However, if an uninstaller is not available or if you do not want to use one that is provided, use Microsoft Windows Defender or another up-to-date scanning and removal tool to detect and remove SpySheriff and other potentially unwanted software from your computer. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
