McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
This is not a virus or a trojan. It is detected as a "potentially unwanted program." This is an anti-spyware application claiming to remove unwanted malicious spyware programs but requires paid registration before any issues found can be fixed. In a further attempt to get you to purchase the full version of the product, it regularly displays an "always on top" alert warning of potential threats and urging the user to purchase the full software. It also creates an entry in the registry Run key to ensure it is launched and performs a scan at each system startup. In order to clean or delete any elements identified as threats, you must enter a valid serial number to activate the software, which requires purchase of the full version.
Beyond downloading the installer knowingly from the homepage, it is also known to be installed via CVE-2005-1790 (a recent 0-day exploit).
There are multiple versions of this software, primarily involving only a name & domain change. Known versions include "SpyTrooper" and "SpywareNO!".
Example of the regularly-displayed warning alert:
Example of items found on a clean system following a scan. In this trial each folder located under C:\WINDOWS\$hf_mig$ (which contains Windows hotfix and update files) was detected as "Complexel Trojan". Although the software may also detect some legitimate items, the fact that clearly benign items are cited as problems is questionable. The primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections.
This application does not display a license agreement when installed. A URL is shown in the initial installation user interface, although it is not an active (clickable) link, and would need to be manually entered into a web browser to view.
The agreement appears to be standard legal boilerplate and does not clearly indicate the functionality of the software. The full text of the license agreement can be accessed on the author's website.
As of 12/27/2005, Section 6 reads as follows:
General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
- Downloader/Installer: install.exe (48 KB)
- %ProgramFiles%\spysheriff\uninstall.exe (36 KB)
- %ProgramFiles%\spysheriff\spysheriff.exe (453 KB)
- %ProgramFiles%\spysheriff\spysheriff.dvm (1 KB)
- %ProgramFiles%\spysheriff\removed.wav (17 KB)
- %ProgramFiles%\spysheriff\procmon.dll (32 KB)
- %ProgramFiles%\spysheriff\notfound.wav (20 KB)
- %ProgramFiles%\spysheriff\iesecurity.dll (41 KB)
- %ProgramFiles%\spysheriff\heur003.dll (36 KB)
- %ProgramFiles%\spysheriff\heur002.dll (36 KB)
- %ProgramFiles%\spysheriff\heur001.dll (40 KB)
- %ProgramFiles%\spysheriff\heur000.dll (56 KB)
- %ProgramFiles%\spysheriff\found.wav (7 KB)
- %ProgramFiles%\spysheriff\base002.avd (18 KB)
- %ProgramFiles%\spysheriff\base001.avd (1 KB)
- %ProgramFiles%\spysheriff\base.avd (1014 KB)
- c:\documents and settings\(username)\start menu\programs\spysheriff\spysheriff.lnk (1 KB)
- c:\documents and settings\(username)\desktop\spysheriff.lnk (1 KB)
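The file listing above can be turned into a presence check for a live system or a mounted disk image. This Python sweep is an added example, not McAfee's code; the function names and the round-up-to-KB size comparison are assumptions, and because versions differ a name match alone is still reported.

```python
from pathlib import Path

# File names and sizes in KB, as listed on this page under %ProgramFiles%\spysheriff.
LISTED_FILES = {
    "uninstall.exe": 36, "spysheriff.exe": 453, "spysheriff.dvm": 1,
    "removed.wav": 17, "procmon.dll": 32, "notfound.wav": 20,
    "iesecurity.dll": 41, "heur003.dll": 36, "heur002.dll": 36,
    "heur001.dll": 40, "heur000.dll": 56, "found.wav": 7,
    "base002.avd": 18, "base001.avd": 1, "base.avd": 1014,
}
# Per-user shortcuts from the same listing, relative to each profile folder.
SHORTCUTS = (("desktop", "spysheriff.lnk"),
             ("start menu", "programs", "spysheriff", "spysheriff.lnk"))

def children(directory):
    """Map lower-cased entry name to Path so matching also works when a
    Windows volume is mounted case-sensitively (e.g. an image on Linux)."""
    try:
        return {p.name.lower(): p for p in Path(directory).iterdir()}
    except OSError:  # missing, unreadable, or not a directory
        return {}

def resolve(root, *parts):
    """Descend from root case-insensitively; None if any part is absent."""
    cur = Path(root)
    for part in parts:
        cur = children(cur).get(part.lower())
        if cur is None:
            return None
    return cur

def sweep(program_files, profiles_root):
    """Return (path, note) pairs for each listed artifact found on disk."""
    hits = []
    install = resolve(program_files, "spysheriff")
    present = children(install) if install is not None else {}
    for name, listed_kb in LISTED_FILES.items():
        p = present.get(name)
        if p is not None and p.is_file():
            # The page gives whole KB; rounding up is an assumption here.
            same = -(-p.stat().st_size // 1024) == listed_kb
            hits.append((p, "size matches listing" if same else "name only"))
    for profile in children(profiles_root).values():
        for parts in SHORTCUTS:
            link = resolve(profile, *parts)
            if link is not None:
                hits.append((link, "shortcut"))
    return hits
```

Call `sweep()` with the Program Files directory and the Documents and Settings directory of the system being examined; an empty list means none of the listed artifacts were found.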
The following registry keys are created:
Possible additional overhead in bandwidth due to download of updates or other components/software.