SpySheriff and a few other gems

Status
Not open for further replies.

misswriter

Hi,

Seems I've got a few nasties going on. It began with a red circle with a white X in the system tray, then a popup telling me I need to download an antispyware app, and then it shuts down my system.

Kim

I run 2003 as my main OS. I also run XP. I'm having the problems in 2003. I also just noticed that my task manager has disappeared.

I followed the instructions as per the sticky on the forum.

FYI: No rootkits were found.

I've attached the following logs files as well.


Thanks Kim

So, sorry. I meant to post the SuperAntiSpyware log... not the other one.

Kim
 
SpySheriff

I had a dose of this nonsense a couple of years ago. Norton died while trying to remove it. It got some (believe it or not), then left some. I found a couple of 0 byte folders in, I think, Program Files. It used to leave folders named "tool 1", "tool 2", like that. Boot into Safe Mode maybe?
 
Open My Computer and in the top address bar type this in:
c:\temp

Delete this folder:
Rar$EX00.844

Now:
  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
Hi,

The folder you asked me to delete wasn't there anymore. :)

The HJT log is pasted below. Looks like there are still a few problems? I can boot 2003 again, which is a start. lol

Thanks Kim
------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:08 PM, on 6/29/2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal


Moderator Edit
Pasted log removed


captaincranky said:
I had a dose of this nonsense a couple of years ago. Norton died while trying to remove it. It got some (believe it or not), then left some. I found a couple of 0 byte folders in, I think, Program Files. It used to leave folders named "tool 1", "tool 2", like that. Boot into Safe Mode maybe?

Hi,

Yeah, this isn't fun. lol I checked my Program Files to see if there were any funky folder names etc... found nothing.

Thanks Kim
 
Download SDFix from the link below to your desktop, then run it. SDFix will create a folder in your C drive. Boot into safe mode, go to C:\SDFix and run RunThis.bat. Post the log it creates here. To boot into safe mode, reboot the computer and start tapping the F8 key until you get to a menu, then select Safe Mode. Please post a fresh HijackThis log after running the software.

SDFix:
http://www.bleepingcomputer.com/files/sdfix.php
 
Hi,

SDFix log is below.

Thanks Kim
-------------------------------------------------------

SDFix: Version 1.199
Run by Administrator on Mon 06/30/2008 at 07:49 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Moderator Edit:
Pasted log removed


I just ran S&D again. The only things that came up were the following:

Microsoft Active Desktop
Microsoft Internet Explorer
Microsoft Security Center Registry Tools
Microsoft Task Manager

I didn't fix them at this point, afraid I might screw things up more, but should I hit Fix?

I can't use regedit because it says it's been disabled by my administrator. lol Oh, the fun. Task Manager is disabled as well.

UPDATE: I have regedit AND task manager working again.

Thanks Kim
 
Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O1 - Hosts: 85.145.187.70 L2authd.lineage2.com
O2 - BHO: (no name) - {27cd45bb-a79b-4573-a4ed-459ab63e440f} - C:\WINDOWS\system32\fccaWmMG.dll (file missing)
O3 - Toolbar: gxvpsafm - {B1E0C6DC-BBEA-4DE1-BFCA-70362CD86579} - C:\WINDOWS\gxvpsafm.dll (file missing)
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\temp\winlogan.exe
O4 - HKCU\..\Run: [WindowsManager] c:\xmorg.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O20 - Winlogon Notify: byXRKawT - byXRKawT.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\fccaWmMG.dll
C:\WINDOWS\gxvpsafm.dll
C:\temp\winlogan.exe
C:\xmorg.exe
C:\windows\system32\tscupgrd.exe

then reboot

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

After that, Reboot, and post a new HijackThis log here in a reply
 
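The post above picks out HJT entries to fix by hand. As an added example that is not part of this thread and is not HijackThis's own code, the Python script below applies the same review rules mechanically to the log-line formats shown above: it flags O1 hosts-file overrides, O2/O3/O20 entries whose DLL HJT marked "(file missing)" (the file was not found on disk), and O4 autorun entries that launch a loose executable from a drive root or C:\temp. The sample log is constructed from the entries quoted in the post plus one assumed benign HKLM Run line (SoundMan) for contrast; the "loose path" heuristic is this example's assumption, not an HJT rule, and anything it flags still needs a human look before being fixed, as the earlier post warns.

```python
"""Review helper for HijackThis-style log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the entries quoted in the post above, plus one assumed
# benign HKLM Run line (SoundMan) so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O1 - Hosts: 85.145.187.70 L2authd.lineage2.com
O2 - BHO: (no name) - {27cd45bb-a79b-4573-a4ed-459ab63e440f} - C:\WINDOWS\system32\fccaWmMG.dll (file missing)
O3 - Toolbar: gxvpsafm - {B1E0C6DC-BBEA-4DE1-BFCA-70362CD86579} - C:\WINDOWS\gxvpsafm.dll (file missing)
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\temp\winlogan.exe
O4 - HKCU\..\Run: [WindowsManager] c:\xmorg.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O20 - Winlogon Notify: byXRKawT - byXRKawT.dll (file missing)
"""

# Assumed heuristic: a Run key should rarely launch an .exe sitting directly
# under a drive root (c:\xmorg.exe) or under C:\temp.
LOOSE_PATH = re.compile(r"^[a-z]:\\(temp\\)?[^\\]+\.exe$", re.IGNORECASE)
LINE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "O4 - <body>"
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")     # "Hosts: <ip> <name>"
FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    section: str                                   # HJT section tag, e.g. "O4"
    line: str                                      # the original log line
    flags: list = field(default_factory=list)      # reasons a reviewer should look


def run_target(rest: str) -> str:
    """Pull the launched executable out of an O4 body.

    The body looks like  HKCU\..\Run: [name] C:\path\prog.exe /args (User 'X')
    so take what follows the closing bracket, then cut at the first .exe.
    """
    m = re.search(r"\]\s+(.*)$", rest)
    if not m:
        return ""
    target = m.group(1).strip()
    exe = re.match(r'"?([^"]+?\.exe)', target, re.IGNORECASE)
    return exe.group(1) if exe else target


def triage(log_text: str) -> list:
    """Return a Finding for every line that trips at least one review rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        f = Finding(section, line)
        if section == "O1":
            h = HOSTS.match(rest)
            if h:
                ip, host = h.groups()
                # The only hosts entry a stock Windows install ships is localhost.
                if not (ip in ("127.0.0.1", "::1") and host.lower() == "localhost"):
                    f.flags.append(f"hosts file redirects {host} to {ip}")
        if section in ("O2", "O3", "O20") and rest.lower().endswith(FILE_MISSING):
            f.flags.append("registry still references a DLL that is no longer on disk")
        if section == "O4":
            target = run_target(rest)
            if LOOSE_PATH.match(target):
                f.flags.append(f"autorun launches a loose executable: {target}")
        if f.flags:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for flag in f.flags:
            print(f"    -> {flag}")
```

Run it against a saved hijackthis.log by reading the file into `triage()` instead of `SAMPLE_LOG`. On the sample it flags both hosts lines, the three "(file missing)" DLL references and the two Run entries under C:\ and C:\temp, and leaves the R1 line, the HKLM SoundMan entry and the RunOnce entry under %systemroot% alone, which is the same split the post above made by hand.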
Hi,

Okay, I did all that. The HJT log is posted below.

Thanks Kim
------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:16 PM, on 6/30/2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Moderator Edit
Pasted log removed
 
Let me double check.

Oh, you jumped the gun. I tried to change it; it looks like that file was legit but should not hurt you. Check to see if you get internet on that computer also.

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

1. Turn off System Restore.
   • On the Desktop, right-click My Computer.
   • Click Properties.
   • Click the System Restore tab.
   • Check Turn off System Restore.
   • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
   • On the Desktop, right-click My Computer.
   • Click Properties.
   • Click the System Restore tab.
   • Un-check Turn off System Restore.
   • Click Apply, and then click OK.

System Restore will now be active again.
 
Hi,

The system is running much better but... I can't connect to the internet via my main OS, 2003, but I can through XP. Looks like I shouldn't delete those .dlls.

Kim
 
Open LSP. Is there anything in the remove panel?

Go to Start, Run, type cmd, then type

netsh winsock reset

Press Enter, then restart.
 
I opened LSP and no, there weren't any files under the remove section.

I ran the command in 2003 and the file wasn't found.

I do have my 2003 cd if there are files I need to install again.

Kim
 