McAfee > Theat Center > PUP Detail Page

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." This is an anti-spyware application claiming to remove unwanted malicious spyware programs but requires paid registration before any issues found can be fixed or any many other features enabled (on access protections, etc.) It creates a shortcut in the Start Menu Startup folder to ensure it is launched and performs a scan at each system startup. In order to clean or delete any elements identified as threats, the software requires you purchase the full version. If any elements are identified during a scan, an "always on top" warning window appears which cannot be dismissed without pressing the "Register" button, which opens a new browser window to the purchase page for the software. Additionally, neither AdwareSheriff buttons on the task bar (for the main application or the alert window) may be closed via right-click -> Close in the context menu (the menu simply doesn't appear).

This application does not display a license agreement when installed. No license agreement was found on the publisher website.

The software appears related to Adware-SpySheriff . Both the spysheriff.com and adwaresheriff.com domains are registered to "SheriffCash" in Las Vegas, Nevada (as of 2/4/06).

Privacy

No privacy policy is displayed during installation. However a policy is available on the publisher's website http://www.adwaresheriff.com/privacy.php .

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Files Added

• Installer: asheriffs.exe (2053 KB)
  MD5: A64E41DAC2AD031D4E5D28C836060B89
• c:\program files\adwaresheriff\unins000.exe (636 KB)
  
• c:\program files\adwaresheriff\unins000.dat (6 KB)
  
• c:\program files\adwaresheriff\sounds\crit.wav (5 KB)
  
• c:\program files\adwaresheriff\pkill.exe (44 KB)
  MD5: A251ECC3DFF43D9185552F836D983EBF
• c:\program files\adwaresheriff\interface\english.lng (27 KB)
  
• c:\program files\adwaresheriff\bz.dll (100 KB)
  MD5: EC4E6842366BA7D1FC6BF90C82E07EF0
• c:\program files\adwaresheriff\asheriff.url (1 KB)
  
• c:\program files\adwaresheriff\asheriff.exe (2819 KB)
  MD5: C4FF71C570E424A6F9D8277661BEACBA
• c:\documents and settings\all users\start menu\programs\adwaresheriff\uninstall adwaresheriff.lnk (1 KB)
  
• c:\documents and settings\all users\start menu\programs\adwaresheriff\adwaresheriff.lnk (1 KB)
  
• c:\documents and settings\all users\start menu\programs\adwaresheriff\adwaresheriff on the web.lnk (1 KB)
  
• c:\documents and settings\administrator\start menu\startup\asheriff.lnk (1 KB)
  
• c:\documents and settings\administrator\local settings\application data\adwaresheriff\
  
• c:\documents and settings\administrator\local settings\application data\adwaresheriff\quarantine\
  
• c:\documents and settings\administrator\local settings\application data\adwaresheriff\logs\
  
• c:\documents and settings\administrator\local settings\application data\adwaresheriff\db\
  Note: This folder contains many .list, .db and other files that appear related to the detection signatures.
• c:\documents and settings\administrator\desktop\adwaresheriff.lnk (1 KB)
  
• c:\documents and settings\administrator\application data\microsoft\internet explorer\quick launch\adwaresheriff.lnk (1 KB)
  

Registry

The following registry keys are created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  \Uninstall\AdwareSheriff_is1
  
• HKEY_CURRENT_USER\Software\ADV

Removal

Aliases

Aliases

N/A