Threat Detail

  • Malware Type: Program
  • Malware Sub-type: Adware
  • Protection Added: 2005-07-20

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of.


McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See /content/dam/enterprise/en-us/threatcenter/vil/DATReadme.asp for a list of Program detections added to the DATs.

See /content/dam/enterprise/en-us/threatcenter/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.


This is not a virus or a trojan. It is detected as a "potentially unwanted program." This is an anti-spyware application claiming to remove unwanted malicious spyware programs but requires paid registration before any issues found can be fixed. In a further attempt to get you to purchase the full version of the product, it regularly displays an "always on top" alert warning of potential threats and urging the user to purchase the full software. It also creates an entry in the registry Run key to ensure it is launched and performs a scan at each system startup. In order to clean or delete any elements identified as threats, you must enter a valid serial number to activate the software, which requires purchase of the full version.

Beyond downloading the installer knowingly from the homepage, it is also known to be installed via CVE-2005-1790 (a recent 0-day exploit).

There are multiple versions of this software, primarily involving only a name and domain change. Known versions include "SpyTrooper" and "SpywareNO!".

Example of the regularly-displayed warning alert:


Example of items found on a clean system following a scan. In this trial each folder located under C:\WINDOWS\$hf_mig$ (which contains Windows hotfix and update files) was detected as "Complexel Trojan". Although the software may also produce some legitimate detections, the fact that clearly benign items are cited as problems is questionable. The primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections.




This application does not display a license agreement when installed. A URL is shown in the initial installation user interface, although it is not an active (clickable) link, and would need to be manually entered into a web browser to view.


The agreement appears to be standard legal boilerplate and does not clearly indicate the functionality of the software. The full text of the license agreement can be accessed on the author's website.


A privacy policy is not displayed during installation. Though not referenced during the installation, a "Terms of Use" statement is also available online. As of 12/27/2005, Section 6 reads as follows:

6. PRIVACY AND INFORMATION We believe the privacy of all our users is important. Please review our privacy policy relating to the collection and use of your personal information.

However, no privacy policy could be found on the SpySheriff website.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Files Added

  • Downloader/Installer: install.exe (48 KB)
    MD5: F16CB3239D8F12FE3BCE398E7213337E
  • %ProgramFiles%\spysheriff\uninstall.exe (36 KB)
  • %ProgramFiles%\spysheriff\spysheriff.exe (453 KB)
    MD5: CB66106F7F10DAA0EB4BF531C58B95C1
  • %ProgramFiles%\spysheriff\spysheriff.dvm (1 KB)
  • %ProgramFiles%\spysheriff\removed.wav (17 KB)
  • %ProgramFiles%\spysheriff\procmon.dll (32 KB)
    MD5: 86B63B272C776A678A1EB70A60362866
  • %ProgramFiles%\spysheriff\notfound.wav (20 KB)
  • %ProgramFiles%\spysheriff\iesecurity.dll (41 KB)
    MD5: F8602AA521808ABB593FCEFA8385FA29
  • %ProgramFiles%\spysheriff\heur003.dll (36 KB)
    MD5: 16F41D5284517FA0C1D066B4FE36A464
  • %ProgramFiles%\spysheriff\heur002.dll (36 KB)
    MD5: 7234DBC218A72F2A81F00AC0886BB5B4
  • %ProgramFiles%\spysheriff\heur001.dll (40 KB)
    MD5: 160FC048DE94825DB5637BED2ED49E9D
  • %ProgramFiles%\spysheriff\heur000.dll (56 KB)
    MD5: 63A6712B20EDC466B7CA48DDE263ED6D
  • %ProgramFiles%\spysheriff\found.wav (7 KB)
  • %ProgramFiles%\spysheriff\base002.avd (18 KB)
  • %ProgramFiles%\spysheriff\base001.avd (1 KB)
  • %ProgramFiles%\spysheriff\base.avd (1014 KB)
  • c:\documents and settings\(username)\start menu\programs\spysheriff\spysheriff.lnk (1 KB)
  • c:\documents and settings\(username)\desktop\spysheriff.lnk (1 KB)


The following registry keys are created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "SpySheriff"="C:\Program Files\SpySheriff\SpySheriff.exe"
  • HKEY_CURRENT_USER\Software\SpySheriff
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
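
The file and registry artifacts listed above can be checked on a host with a short PowerShell triage script. This is an added example, not McAfee's code: the function name Get-SpySheriffFinding is hypothetical, the default install directory is assumed from the path variables above, and the file names, MD5 values and registry locations are taken from this page.

```powershell
# File names and MD5 values copied from the "Files Added" list on this page.
$knownMd5 = @{
    'spysheriff.exe' = 'CB66106F7F10DAA0EB4BF531C58B95C1'
    'procmon.dll'    = '86B63B272C776A678A1EB70A60362866'
    'iesecurity.dll' = 'F8602AA521808ABB593FCEFA8385FA29'
    'heur003.dll'    = '16F41D5284517FA0C1D066B4FE36A464'
    'heur002.dll'    = '7234DBC218A72F2A81F00AC0886BB5B4'
    'heur001.dll'    = '160FC048DE94825DB5637BED2ED49E9D'
    'heur000.dll'    = '63A6712B20EDC466B7CA48DDE263ED6D'
}

# Hypothetical helper name; emits one object per artifact found.
function Get-SpySheriffFinding {
    param([string]$InstallDir = (Join-Path $env:ProgramFiles 'spysheriff'))

    # 1. Files in the install directory; compare MD5 where the page lists one.
    if (Test-Path -LiteralPath $InstallDir) {
        foreach ($file in Get-ChildItem -LiteralPath $InstallDir -File) {
            $md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
            $expected = $knownMd5[$file.Name]   # hashtable lookup is case-insensitive
            if (-not $expected)         { $detail = "MD5 $md5 (no reference hash on page)" }
            elseif ($expected -eq $md5) { $detail = 'MD5 matches the listed value' }
            else                        { $detail = "MD5 $md5 differs from the listed value" }
            [pscustomobject]@{ Type = 'File'; Path = $file.FullName; Detail = $detail }
        }
    }

    # 2. Per-user registry artifacts. HKCU covers only the current user, so
    #    walk every user hive currently loaded under HKEY_USERS.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $root   = "Registry::$($hive.Name)"
        $runKey = "$root\Software\Microsoft\Windows\CurrentVersion\Run"
        $run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($run -and $run.PSObject.Properties['SpySheriff']) {
            [pscustomobject]@{ Type = 'RunValue'; Path = $runKey; Detail = $run.SpySheriff }
        }
        if (Test-Path -Path "$root\Software\SpySheriff") {
            [pscustomobject]@{ Type = 'RegistryKey'; Path = "$root\Software\SpySheriff"; Detail = 'key present' }
        }
    }
}

Get-SpySheriffFinding | Format-Table -AutoSize -Wrap
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so their Run keys are not covered by this check. A differing MD5 is still worth reviewing, since the page notes that multiple versions of the software exist.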

Network Impact

Possible additional overhead in bandwidth due to download of updates or other components/software.

N/A This is not a virus or trojan.