Help to recover from SpySheriff


My PC is running on W2K and it's infected with SpySheriff.
Suddenly it displayed a message saying that my PC is infected and started
scanning my PC. I wasn't happy and tried to kill it, but couldn't as it has
disabled the Task Manager.

Rebooted the PC. On startup it made a lot of beep noise continuously and
slowed down the whole thing. I turned the power off and restarted the PC
again, but the boot (startup) failed. Since then, every time I reboot the PC it
fails to boot and hangs on startup.

Every time I reboot the PC:
1. It goes through the boot sequence, trying to start Windows; the desktop gets
loaded, then suddenly the whole thing hangs (freezes). If I type [Ctrl+Alt+Del]
the Task Manager is disabled.
2. Cursor stays as an hourglass.
3. Same thing happens if I boot in safe mode.
4. Same thing happens if I select the 'Last successful' boot.

a) I am wondering what's causing all this hell and how I manually remove
SpySheriff through the command line, as I can't run any Windows programs, since
Windows is NOT loading (booting) successfully.
b) I have a registry backup from about a month ago. How do I restore that
through the command line, if that solves this problem?


Any help will be appreciated
 
Hi Silva

This is going to be very difficult, as Win2k doesn't have System Restore and
you cannot boot up, so it's hard to know what to suggest, as they would all need
you to be able to boot to work. I know there is a number to contact Microsoft
about virus & security issues but I'm not sure of the number. Hopefully an MVP
can post that, as it may be needed here.

Do you get time to press the start menu then run and type regedit ?

If you can, navigate to these areas and set the DWORD value to 0
(Smitrem will remove them later if you can download it):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy
Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"DisableTaskMgr"=dword:00000000

If you can get to these areas, then left click System to open the values in
the right pane, then right click DisableTaskMgr, choose Modify and set
that to 0, then press OK.

Try rebooting and start tapping the F8 key to access the Windows Advanced
Options menu. When this appears select 'Safe Mode with Networking' and see if you
can then boot up. Try accessing Task Manager if you can perform the above steps,
and end the process on any of these names that show in the list:

SpySheriff.exe
zloader3.exe
mssearchnet.exe
nvctrl.exe
mscornet.exe
gunist.exe
intel32.exe
intell32.exe
popuper.exe
hookdump.exe
winnook.exe
intmon.exe
intmonp.exe
msmsgs.exe
helper.exe
ole32vbs.exe
msole32.exe
shnlog.exe

If you can boot to Safe Mode with Networking you can still access the
internet to download the tools needed to fix your problem. The Smitrem tool
will remove the trojan files behind this infection and check if the genuine
wininet.dll file has been infected with a trojan; if it has, Smitrem will
check other areas of your system for a clean copy and try to replace it.
Then it will repair Task Manager, also repair the desktop wallpaper, and
perform a disk cleanup to remove temp files. Ewido is then useful to search
for any other problems on your system and remove them, and finally an online
virus scan once you can reboot back to normal mode will confirm the system is
clean.

Download SmitRem

http://noahdfear.geekstogo.com/click counter/click.php?id=1

Save it to your desktop. Double click Smitrem.exe to extract it to its own
folder on the desktop.

Please download, install, and update the free version of Ewido security suite:

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on Update in the left menu,
then click the Start update button. After the update finishes, close Ewido.

Reboot into safe mode (reboot and keep tapping F8, then choose Safe Mode from
the list).

Open the smitRem folder, then double click the RunThis.bat file to start the
tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive,
e.g. Local Disk C: or the partition where your operating system is installed.

When that's finished, run Ewido again.

From the main menu click on 'Scanner' then click 'Complete System Scan'.
When Ewido finds something, it will pop up a notification. Select "Remove"
and check the boxes "Perform action with all infections" and "Create
encrypted backup", then click OK. When the scan finishes, click on "Save
Report" and save it to your desktop or C: drive in case you need it again.

Reboot Back To Normal Mode

Then do a full system scan with Panda's ActiveScan. Make sure the autoclean
box is checked and save the scan log when it's finished.

http://www.pandasoftware.com/activescan/

If you have problems let us know. If you are able to download and run the
tools, post the logs from Smitrem and Ewido to show everything has been
removed.

Regards

Andy
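To make Andy's two manual steps above (checking the DisableTaskMgr DWORD under the three Policies\System keys, and looking for the listed process names) repeatable and reviewable offline, here is an added example. It is my code, not Andy's and not part of Smitrem, Ewido or any other tool named in the thread. It assumes you can get a Regedit export (.reg) of the policy keys and a text process listing (tasklist or tlist output) off the affected machine; the function names and the sample inputs are constructed for illustration, not real captures.

```python
# Added example, not part of the thread: offline triage for the Task Manager
# lockout and process list described above. Function names and sample inputs
# are constructed for illustration.
import re

# Process names quoted in the post, lower-cased for comparison.
SUSPECT_PROCESSES = {
    "spysheriff.exe", "zloader3.exe", "mssearchnet.exe", "nvctrl.exe",
    "mscornet.exe", "gunist.exe", "intel32.exe", "intell32.exe",
    "popuper.exe", "hookdump.exe", "winnook.exe", "intmon.exe",
    "intmonp.exe", "msmsgs.exe", "helper.exe", "ole32vbs.exe",
    "msole32.exe", "shnlog.exe",
}

# The three Policies\System keys from the post. Registry key names are not
# case-sensitive, so they are compared lower-cased.
POLICY_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
}

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a Regedit export into {key_path: {value_name: raw_data}}.

    Only single-line values (dword:..., "string") are kept; hex(...) values
    continued over several lines are skipped, which is enough for the
    policy DWORDs this check cares about.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_taskmgr_lockouts(keys):
    """Return [(key_path, value)] for every policy key whose DisableTaskMgr
    DWORD is non-zero, i.e. every place Task Manager is being blocked."""
    wanted = {k.lower() for k in POLICY_KEYS}
    hits = []
    for key, values in keys.items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            if name.lower() == "disabletaskmgr" and data.lower().startswith("dword:"):
                value = int(data[len("dword:"):], 16)
                if value != 0:
                    hits.append((key, value))
    return hits


def reset_reg_fragment(hits):
    """Build a .reg file that sets DisableTaskMgr back to 0 for each hit.
    Importing it with regedit makes the same change as the manual Modify step."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _ in hits:
        lines += [f"[{key}]", '"DisableTaskMgr"=dword:00000000', ""]
    return "\n".join(lines)


def suspect_processes(process_dump):
    """Return sorted image names from a process listing that match the list.
    Every whitespace-separated token is checked, so the dump may be
    tasklist-style (name first) or tlist-style (PID first)."""
    found = set()
    for line in process_dump.splitlines():
        for token in line.split():
            if token.lower() in SUSPECT_PROCESSES:
                found.add(token.lower())
    return sorted(found)


# Constructed sample inputs (not real captures).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000
"""

SAMPLE_PROCESSES = """Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
explorer.exe                 1234 Console                 0      9,876 K
SpySheriff.exe               1400 Console                 0      4,512 K
intell32.exe                 1412 Console                 0      1,024 K
notepad.exe                  1500 Console                 0      2,048 K
"""

if __name__ == "__main__":
    lockouts = find_taskmgr_lockouts(parse_reg_export(SAMPLE_REG))
    print(reset_reg_fragment(lockouts))
    print("suspect processes running:", suspect_processes(SAMPLE_PROCESSES))
```

On the sample data only the HKEY_CURRENT_USER key comes back as a lockout, the HKLM value is already 0 and is left alone, and the process scan reports spysheriff.exe and intell32.exe. The generated .reg fragment only touches keys that were actually found non-zero, so importing it does not create policy keys that did not exist before.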
 
Hi Again Siva

I just noticed the support number for virus and security support, so I thought
I'd post it.

No-Charge Support

1-866-PCSAFETY
or
1-866-727-2338

It is available 24 hours a day for the U.S. and Canada.

Andy
 
Andy,
thanks for your advice. Somehow I have enabled the Task Manager as a start
by following your instructions. I am going to continue to restore.

Thanks,

 