How to remove Spyware Sheriff and Antispylab

Spyware Sheriff is a rogue antispyware application that uses Trojans and other malware to trick or scare you into purchasing it. If you are infected with this malware, your Internet Explorer home page will be reset to about:blank and will display a fake Windows Security Center alert stating that you are possibly infected.

When you click on the button on this page, it will bring you to the site antispylab.com, which attempts to sell you either Spyware Sheriff, Adware Sheriff, or Regfreeze Antispy. This program will also create fake security alerts in the Windows taskbar stating that there are various security risks with your computer, ranging from spam and hack attempts to Trojan infections. When you click on these alerts, they will bring you to the antispylab.com site as well. There have also been reports of this infection crashing the legitimate Microsoft process lsass.exe.

When this process crashes, your computer will begin a countdown, at the end of which it will shut down.

Read more about Spyware Sheriff: New rogue antispyware – SpywareSheriff

As your first step, please download HijackThis.

Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis.
Download HijackThis.exe into this folder.

Print out these instructions as we will need to close every window that is open later in the fix.
Download SmitfraudFix. Extract the content (a folder named SmitfraudFix) to your Desktop.

Download and unzip Avenger to your desktop.

Download CCleaner. Double click on the file for install.

Next, download, install, and update the free version of Ewido security suite:

1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.

Reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).

You will be prompted: “Registry cleaning – Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Reboot your computer again in Safe Mode.

Start up Avenger.
Check the ‘Input script manually’ option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following bold text:

Files to delete:
C:\WINDOWS\system32\winapi32.dll

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Reboot your PC again in Safe mode.

Run HijackThis, choose “Do a system scan only” and checkmark the box next to the following entries:

O2 - BHO: winapi32.MyBHO - {26C43C19-A1CE-456E-9CBF-77FFB9E92681} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

Close all other windows and browsers, then click “Fix Checked”.

Reboot your computer.

Run Ewido

1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report“. This will create a text file. Make sure you know where to find this file again.

Run CCleaner.

Click the Analyze button. After it scans your system, click Run Cleaner.

Restart your computer in normal mode.

Run the Panda online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Your computer should now be free of the Spyware Sheriff and Antispylab.com infection.
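
To confirm the cleanup, a HijackThis log saved after the final reboot can be checked for the entries this guide removes. The Python script below is an added example, not part of the original instructions or of HijackThis; its function names and the sample log are constructed for illustration, and it also lists any other BHO entries that HijackThis marks as missing their file.

```python
import re

# Indicators from this guide: the two BHO CLSIDs it fixes and the DLL it deletes.
GUIDE_CLSIDS = {"{26c43c19-a1ce-456e-9cbf-77ffb9e92681}",
                "{77701e16-9bfe-4b63-a5b4-7bd156758a37}"}
GUIDE_FILES = {r"c:\windows\system32\winapi32.dll"}

# O2 line layout: O2 - BHO: <name> - {CLSID} - <path, or "(no file)">.
# Accepts "-" and the en dash that web pages often substitute for it.
O2_RE = re.compile(
    r"^O2\s+[-\u2013]\s+BHO:\s*(?P<name>.*?)\s+[-\u2013]\s+"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+[-\u2013]\s+(?P<target>.+?)\s*$"
)

def parse_o2(line):
    """Return a dict for an O2 (BHO) log line, or None for any other line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    # Strip HijackThis's annotations; if one was present the BHO is orphaned.
    path = target.replace("(file missing)", "").replace("(no file)", "").strip()
    return {"name": m.group("name"), "clsid": m.group("clsid").lower(),
            "path": path, "orphaned": path != target}

def check_log(text):
    """Split BHO entries into (guide matches, other orphaned entries)."""
    matches, orphans = [], []
    for line in text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue
        if entry["clsid"] in GUIDE_CLSIDS or entry["path"].lower() in GUIDE_FILES:
            matches.append(entry)
        elif entry["orphaned"]:
            orphans.append(entry)
    return matches, orphans

# Constructed sample log (not from a real machine); the last two CLSIDs are made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: winapi32.MyBHO - {26C43C19-A1CE-456E-9CBF-77FFB9E92681} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 – BHO: (no name) – {77701e16-9bfe-4b63-a5b4-7bd156758a37} – (no file)
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: Old - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Temp\old.dll (file missing)
"""

if __name__ == "__main__":
    hits, orphans = check_log(SAMPLE_LOG)
    print("guide entries still present:", [e["clsid"] for e in hits])
    print("other orphaned BHOs:", [e["clsid"] for e in orphans])
```

An empty first list means neither CLSID nor winapi32.dll appears in the log any more; entries in the second list are not tied to this infection and need their own review before fixing.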

If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below:

Spyware removal – Read Before Posting

Last update: 06/15/06

May 18, 2006 on 8:05 am | In Rogue Anti Spyware, Tutorials - HowTo | No Comments |


New rogue antispyware – SpywareSheriff

SpywareSheriff is a new rogue antispyware application that is starting to infect a lot of users. This particular infection is harder to remove than other variants such as SpywareQuake and SpyFalcon because it uses a lot of random names for its files. It is, though, easy to tell when you are infected with this malware.

When infected, your Internet Explorer home page will be set to about:blank, which opens the screen shown below. If you attempt to change your home page to another site, it will be reset to the one below.

Then, when you click on the page, it will take you to the URL http://antispylab.com/
You will also periodically get fake taskbar messages that state the following among others:

Alert! Trojan.Virus.Z.32.exe launch attempt detected…
It is recommended that you run a full system scan now to
reveal other possible threats. Click here to download spyware
remover.

Internet attack attempt detected…
Somebody’s trying to infect your system with spyware or
harmful viruses. Run system scan now to secure your PC from Internet
attacks and hijacking attempts!
Click here to download spyware remover now…

Alert!
Trojan.Virus.Z.32.exe launch attempt detected and blocked!
It is recommended that you run a full system scan to reveal other
possible threats.
Click here to visit Security Center web site and protect your system
against spyware and harmful viruses…

Credit card hijacking attempt detected…
This is a result of harmful spyware activity.
Scan your PC now to reveal and remove malicious spyware.
Visit Windows Security site to download antispyware…

The application is distributed at antispylab(dot)com or spywaresheriff(dot)com.

If you can't uninstall or remove it, we can help; post about it in the Spyware Removal Forum.

Thanks to Bleeping Computer Blog

May 5, 2006 on 7:44 am | In Rogue Anti Spyware | No Comments |


Tutorials

Rogue antispyware/antivirus, malware removal instructions

How to remove Spyware Protect 2009 (Delete instructions)
How to remove Spyware Guard 2009 (Delete instructions)
How to remove Total Protect 2009 (Delete instructions)
How to remove eXPress Antivirus 2009 (Delete instructions)
How to remove iSafe AntiVirus (Delete instructions)
How to remove Astrum Antivirus Pro (Delete instructions)
How to remove System Security (Delete instructions)
How to remove MS Antispyware 2009
How to remove Antivirus 360 (Delete instructions)
How to remove Perfect Defender 2009 (Delete instructions)
How to remove ExtraAntivir (Delete instructions)
How to remove AntiSpywareGuard (Delete instructions)
How to remove Winweb Security 2008 (Delete instructions)
How to remove SpywareRemover2009 (Delete instructions)
How to remove Antivirus Trigger (Delete instructions)
How to remove XP Protection Center (Delete instructions)
How to remove VirusTrigger (Delete instructions)
How to remove SecureFileShredder or SecureFile Shredder (Removal instructions)
How to remove Ultra Antivirus
How to remove Antivirus Pro 2009
How to remove Personal Defender 2009
How to remove WinDefender 2009
Removal instructions for Real Antivirus
How to remove XP Antispyware 2009
How to remove Pro Antispyware 2009 (Antispyware Pro 2009) Delete instructions
How to remove SpyProtector
Removal instructions for PC Defender 2008
How to remove RapidAntivirus
Removal instructions for Antivirus 2010
How to remove AntispywareXP 2009
How to remove SpywareGuard2008 (Uninstall instructions)
How to remove PersonalAntispy malware
How to remove VideoActiveXCodec malware
How to remove rogue anti-spyware application eAntivirusPro
How to remove VirusResponseLab
How to remove rogue antispyware application Cleaner2009
How to remove SpyDevastator
How to remove Antispyware PRO XP
How to remove XP Protector 2009
How to remove System Antivirus 2008
How to remove Smartantivirus2009
How to remove Total Secure 2009
How to remove Antivirus XP 2008 and tdssserv.sys trojan
How to remove rogue antispyware: XP Guard, AntiVir64, MSAntivirus, Power Antivirus, SpywarePrevent, XpertAntivirus
How to remove cnn.com and msnbc.com fake breaking news spam-virus and joke-bluescreen malware
XLGuarder – fresh rogue antispyware | How to remove
How to remove VirusRemover2008 (Delete instructions)
How to remove AdvancedXPFixer and DisableSpyware rogue antispyware programs
How to remove XPSecurityCenter rogue antispyware
AntiSpywareMaster and RegistryGreat | How to remove
How to remove new rogue antispywares Malware Bell and IE Antivirus
How to remove IE Defender
VirusHeat rogue antispyware – How To Remove
How To Remove Spylocked And Spywarelocked rogue antispyware
How to remove DriveCleaner Infection
How to remove Spyware Sheriff and Antispylab
How to remove Spyware Soft Stop
How to remove SpywareQuake
How to remove BraveSentry
How to remove AlfaCleaner
How to remove SpyFalcon
How to remove VideoCodec3_05b – ICQCHK.exe – MSX.DLL
How to remove AdwarePunisher – rogue anti spyware
How to remove SpywareStrike
How to remove the Aurora, Nail.exe, Epolvy Hijackers
How to remove Winhound
How to remove SpyAxe
How to remove WinFixer
How to remove WebHancer

Trojans, worms removal instructions

How to remove msqpdxserv.sys trojan (trojan tidserv)
How to remove Win32.BackDoor-DNM, Spyware.ISpynow, win32.zafi.b, Win32.Netsky.Q, Trojan.Zlob.G (Fake Security Center Alert)
How to remove brastk.exe/karna.dat trojan or trojan.fakealert
How to remove trojan TDSServ (TDSSserv.sys), clbdriver.sys and seneka.sys
How to remove Trojan-Keylogger.WIN32.Fung (fake Windows Security Alert)
How to fix shell.exe, spoolvs.exe problem
How to remove xlavra (Trojan-Downloader.Win32.Agent) and Wintools adware
How to remove trojans that uses autorun.inf file
How to remove braviax.exe/cru629.dat/users32.dat malware
How to remove core.cache.dsk and parportt.sys
How to remove trojan dns/changer
Automatic removal HaxDoor trojan
How to remove Look2Me
How to remove Trojan Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A)
How to remove BlackWorm, W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi

Popups, toolbars removal instructions

How to remove beautyscreens.com/jokes.php popups
How to remove CID popups
How to remove Video Add-on and antispyware/security toolbar 7.1
Automatic removal MBS Account Manager
How to remove NEED2FIND and RXToolbar
How to remove HotBar
How to Remove the Ist Bar (Trojan.ISTsvc)

Hijackers removal instructions

How to remove webcry.com hijacker
How to remove savetheinformation.com and secirityonpage.com hijackers
How to remove Pcsecuritylab.com Hijacker
How to remove safenavweb.com hijacker
How to remove softwarereferral/safewebnavigate hijackers and etlrlws toolbar
How To Remove cyberstoll.com, search-daily.com hijacker and WebHancer spyware
How to remove antispywarebox hijacker
How to remove CWS Hijacker
How to remove Needupdate (securityerrors) hijacker

Basic Windows instructions

How to make Internet Explorer more secure
How to drop rights for safe surf
How to disable Active Scripting support
How to remove browser hijackers
How to detect keylogger on my computer
How to use “Internet Zone Settings”
How to use the HOST file to block ads
How to install and use the Windows XP Recovery Console
How to show hidden files in Windows
How to Disable System Restore in Windows ME or Windows XP

Other instructions

How to block VML exploit
How to protect from PowerPoint 0-day vulnerability
How to block Drag-and-Drop Vulnerability
How to recovery lost files (due to W32.Blackmal.E@mm – BlackWorm virus or other reasons)
How to block WMF exploit

January 8, 2006 on 5:20 am | In | No Comments |



My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.