TechSpot

SpySheriff and a few other gems

By misswriter
Jun 29, 2008
Topic Status:
Not open for further replies.
  1. Hi,

    Seems I've got a few nasties going on. It began with a red circle with a white X in the system tray, followed by a popup telling me I need to download an antispyware app, then it shuts down my system.

    Kim

    I run 2003 as my main OS. I also run XP. I'm having the problems in 2003. I also just noticed that my task manager has disappeared.

    I followed the instructions as per the sticky on the forum.

    FYI: No rootkits were found.

    I've attached the following log files as well.


    Thanks Kim

    So, sorry. I meant to post the superantispyware log...not the other one.

    Kim
  2. captaincranky

    captaincranky TechSpot Addict Posts: 10,674   +879

    SpySheriff

    I had a dose of this nonsense a couple of years ago. Norton died while trying to remove it. It got some (believe it or not), then left some. I found a couple of 0 byte folders in, I think, Program Files. It used to leave folders named "tool 1", "tool 2", like that. Boot into Safe Mode maybe?
  3. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Open My Computer and in the top address bar type this in:
    c:\temp

    Delete this folder:
    Rar$EX00.844

    Now:
    • Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double-click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
  4. misswriter

    misswriter TS Rookie Topic Starter Posts: 26

    Hi,

    The folder you asked me to delete wasn't there anymore. :)

    The HJT log is pasted below: Looks like there are still a few problems? I can boot 2003 again, which is a start. lol

    Thanks Kim
    ------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:50:08 PM, on 6/29/2008
    Platform: Windows 2003 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)
    Boot mode: Normal


    Moderator Edit
    Pasted log removed


    Hi,

    Yeah, this isn't fun. lol I checked my program files to see if there were any funky folder names etc...found nothing.

    Thanks Kim
  5. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Download SDFix from the link below to your desktop, then run it. SDFix will create a folder in your C drive. Boot into safe mode, go to C:\SDFix and run RunThis.bat. Post the log it creates here. To boot into safe mode, reboot the computer and start tapping the F8 key until you get to a menu, then select Safe Mode. Please post a fresh HijackThis log after running the software.

    SDFix:
    http://www.bleepingcomputer.com/files/sdfix.php
  6. misswriter

    misswriter TS Rookie Topic Starter Posts: 26

    Hi,

    SDFix log is below.

    Thanks Kim
    -------------------------------------------------------

    SDFix: Version 1.199
    Run by Administrator on Mon 06/30/2008 at 07:49 AM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Moderator Edit:
    Pasted log removed


    I just ran S&D again. The only things that came up were the following:

    Microsoft Active Desktop
    Microsoft Internet Explorer
    Microsoft Security Center Registry Tools
    Microsoft Task Manager

    I didn't fix them at this point, afraid I might screw things up more, but should I hit Fix?

    I can't use regedit because it says it's been disabled by my administrator. lol Oh, the fun. Task Manager is disabled as well.

    UPDATE: I have regedit AND task manager working again.

    Thanks Kim
  7. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
    O1 - Hosts: 85.145.187.70 L2authd.lineage2.com
    O2 - BHO: (no name) - {27cd45bb-a79b-4573-a4ed-459ab63e440f} - C:\WINDOWS\system32\fccaWmMG.dll (file missing)
    O3 - Toolbar: gxvpsafm - {B1E0C6DC-BBEA-4DE1-BFCA-70362CD86579} - C:\WINDOWS\gxvpsafm.dll (file missing)
    O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\temp\winlogan.exe
    O4 - HKCU\..\Run: [WindowsManager] c:\xmorg.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O20 - Winlogon Notify: byXRKawT - byXRKawT.dll (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\fccaWmMG.dll
    C:\WINDOWS\gxvpsafm.dll
    C:\temp\winlogan.exe
    C:\xmorg.exe
    C:\windows\system32\tscupgrd.exe

    Then reboot.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    After that, reboot, and post a new HijackThis log here in a reply.
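    As an added example (not code from this thread and not part of HijackThis), the script below parses log entries in the "O4 - HKCU\..\Run: [name] command" format quoted in the post above and applies a few conservative triage heuristics, so a reader can see why entries like the ones listed stood out: registry references whose file is already gone, autoruns launched from temp folders or the drive root, machine-looking value names, hosts-file overrides, and Winlogon Notify DLLs listed without a path. The sample log is constructed from the thread's entries plus one made-up benign Java updater line for contrast; the thresholds and directory list are assumptions of this example, not HijackThis rules.

```python
"""Triage helper for HijackThis-style log entries.

Added example for this thread: not HijackThis code and not code from the
forum. It parses the "Oxx - ..." entry format quoted in the posts above and
applies a few conservative, explainable heuristics so a reader can see why the
entries listed for removal stood out. The sample log is constructed from the
entries quoted in the thread plus one constructed benign Java updater line.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the thread, plus a benign HKLM Run
# entry (the Java path is made up for contrast).
SAMPLE_LOG = r"""
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O2 - BHO: (no name) - {27cd45bb-a79b-4573-a4ed-459ab63e440f} - C:\WINDOWS\system32\fccaWmMG.dll (file missing)
O3 - Toolbar: gxvpsafm - {B1E0C6DC-BBEA-4DE1-BFCA-70362CD86579} - C:\WINDOWS\gxvpsafm.dll (file missing)
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\temp\winlogan.exe
O4 - HKCU\..\Run: [WindowsManager] c:\xmorg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O20 - Winlogon Notify: byXRKawT - byXRKawT.dll (file missing)
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O4"
    reason: str   # why a defender should look at this entry
    line: str     # the original log line


# "<section> - <body>", where section is R1, O4, F2, N1 and so on.
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# O4 body: <hive>\..\<Run key>: [<value name>] <command>
O4_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$"
)
# First executable-looking token of a command, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|vbs))"?', re.IGNORECASE)
# A file sitting directly in the drive root, e.g. c:\xmorg.exe
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")
# Directories an ordinary user can write to; legitimate autoruns rarely live here.
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\", "\\users\\")


def command_path(cmd):
    """Return the program path from an autorun command string."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def looks_generated(name):
    """Heuristic (assumption of this example): few vowels, or digits mixed into a long name."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in name)
    return vowel_ratio < 0.2 or (has_digits and len(name) >= 10)


def triage_line(line):
    """Return the findings for one HJT log line (empty list if nothing stands out)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    findings = []
    if "(file missing)" in body:
        findings.append(Finding(section, "orphaned entry: referenced file no longer exists", line))
    if section == "O1":
        findings.append(Finding(section, "hosts-file override: confirm the mapping is one you set", line))
    if section == "O4":
        o4 = O4_RE.match(body)
        if o4:
            path = command_path(o4.group("cmd")).lower()
            if ROOT_RE.match(path) or any(d in path for d in SUSPECT_DIRS):
                findings.append(Finding(section, "autorun from a user-writable or unusual location: " + path, line))
            if looks_generated(o4.group("name")):
                findings.append(Finding(section, "autorun value name looks machine-generated: " + o4.group("name"), line))
    if section == "O20" and "\\" not in body:
        findings.append(Finding(section, "Winlogon Notify DLL listed without a full path", line))
    return findings


def triage(log_text):
    """Run triage_line over every line of a log and collect the findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line.strip()}")
```

    On the sample, every line quoted from the thread produces at least one finding, while the constructed Java updater entry and the tscupgrd RunOnce entry (which the helper later called legitimate) produce none. The point of the heuristics is to explain a triage decision, not to replace it: an orphaned "(file missing)" reference is harmless on its own, and a hosts entry only matters if it is not one the owner configured.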
  8. misswriter

    misswriter TS Rookie Topic Starter Posts: 26

    Hi,

    Okay, I did all that. The HJT log is posted below.

    Thanks Kim
    ------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:53:16 PM, on 6/30/2008
    Platform: Windows 2003 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)
    Boot mode: Normal

    Moderator Edit
    Pasted log removed
  9. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Let me double check.

    Oh, you jumped the gun. I tried to change it; it looks like that file was legit, but it should not hurt you. Check to see if you get internet on that computer also.

    Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)
    1. Turn off System Restore.
       • On the Desktop, right-click My Computer.
       • Click Properties.
       • Click the System Restore tab.
       • Check Turn off System Restore.
       • Click Apply, and then click OK.
    2. Restart your computer.
    3. Turn ON System Restore.
       • On the Desktop, right-click My Computer.
       • Click Properties.
       • Click the System Restore tab.
       • UN-check Turn off System Restore.
       • Click Apply, and then click OK.
    System Restore will now be active again.
  10. misswriter

    misswriter TS Rookie Topic Starter Posts: 26

    Okay, done. :)

    Thanks for all the help. It's greatly appreciated.

    Kim
  11. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Check if your computer is running better. If you have any further problems, post them in this thread.
  12. misswriter

    misswriter TS Rookie Topic Starter Posts: 26

    Hi,

    The system is running much better but...I can't connect to the internet via my main OS 2003, but I can through XP. Looks like I shouldn't delete those .dll files.

    Kim
  13. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Open LSP. Is there anything in the remove panel?

    Go to Start > Run, type cmd, then type

    netsh winsock reset

    Press Enter, then restart.
  14. misswriter

    misswriter TS Rookie Topic Starter Posts: 26

    I opened LSP and no there weren't any files under the remove section.

    I ran the command in 2003 and the file wasn't found.

    I do have my 2003 cd if there are files I need to install again.

    Kim
  15. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214
