TGP. KISS-ME-MAN. Computer Shuts Down. SpySheriff and a world of other garbage.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rob0cop, Aug 27, 2005.

  1. rob0cop

    rob0cop Private E-2

    First of all sorry for my English, I’ve read so much in English these days but it’s the first or second time I write in English.
    I hope it’s understandable, but if it’s not, please ask me for explanations.

    Second, thank you very much for all you do at this forum. It is impressive and I have no words to say how positively it surprised me. My best congratulations and gratitude to you. Now let's go on.

    My System:
    The computer is an HP Omnibook xt1000s (HD 20 GB, RAM 256 Mb, CPU 1.333 GHz, DSL) with WinXP with the SP1 at the moment of infection (now SP2, normal you know).

    My Symptoms now:
    After a variable time from boot an IE window labeled TGP starts automatically, says kiss-me-man and displays adults-only photos.
    Sometimes a popup warning from AV-Antivirus appears saying, normally, that C:\WINDOWS\SYSTEM32\Winacpi.dll is ……………………..
    But I can’t see or find this file (hidden and system files view activated, hide known extensions disabled, and everything as you say in the READ ME FIRST BEFORE ASKING FOR SUPPORT. Also System Restore disabled, etc. etc., even virtual memory –pagefile I think you call it- disabled).
    Even if I select ‘delete this file’ from the AV-Antivirus options there are no changes on the next boot, and sometimes the computer hangs BEFORE I can reboot.
    (It never hangs if I select ‘Deny access’, but in this case the AV-Antivirus popup warning appears repeatedly and more frequently).
    SpySheriff and much other garbage that I could identify appear to be gone.

    Now I have started the procedure from the beginning again, but while Stinger is running THE COMPUTER SUDDENLY AND ABRUPTLY SHUTS DOWN, without any previous warning or message (as if somebody pulled the battery out suddenly).

    Now… what must I do? Restart the whole procedure AGAIN? (if you read below you'll see it was a torture for me to complete all the steps). Or do you want me to run some program and post the log as an attachment?

    Any kind of help is very welcome.

    NOTE: I have many logs of the different previous attempts to clean the system described below; if you want, I'll post them as attachments.
    NOTE: I’m writing and connecting to the internet from another computer, a clean one, near the infected one.

    The background (my nightmare until now; if you think it may help... right now I’m not sure at all)
    My nightmare starts Thursday 18 July.
    Surfing the net... warning from avast Antivirus... panic and confusion and, obviously, some bad choices and mouse clicks.
    Result: computer virus or spyware infection, desktop background with red letters over blue wallpaper that says my system is infected, browser favorites with many folders and links I don’t know, browser windows that pop up and go to adult sites or anti-spyware sites… only the beginning of the nightmare, as I saw later.

    After some negative and frustrating attempts with Avast (I don’t like it at all) and very displeased, I uninstalled it and installed AV Antivirus (it seems better, very much better).
    AV Antivirus finds malware and seems to clean something, but the system appears infected anyway.
    After searching on the internet I found Majorgeeks, ¡a fresh bottle of hope!

    After some time reading… I went on with READ ME FIRST.
    No problems with the Getting Prepared Steps (only steps 1-3-4, because I don’t know if the computer had the about:blank or home search hijack and I think not).
    MANY problems to complete the ‘Scanning And Cleaning Steps’.
    1st time: online scan at RavAntivirus hangs everything

    2nd time: all OK until, while running Stinger, the computer suddenly and abruptly shuts down

    3rd time: first of all I uninstalled SP2, which was previously not well installed (this is what the installation program asked me the day before when I tried to install it; the program finished saying that the system was unstable and SP2 was installed wrong). Then I start the procedure and:
    (a) IE hangs while I’m attempting to reach the RavAntivirus web site. Anyway I continue the procedure in another IE window, with 2 blocked IE windows on the desktop, until CWShredder runs and closes these windows.
    (b) I realized I forgot to run Spybot, so I repeat the procedure from step 3 (Ad-Aware...), now without blocked IE windows on the desktop. While running Spybot (it was finding SpySheriff, DSO.Exploit and a lot of other garbage) the computer suddenly and abruptly shuts down without any previous warning or message (as if somebody pulled the battery out suddenly).
    (c) Boot in safe mode (without network support), and repeat the procedure from step 2 ‘Clean Your Hard Drive’. Much garbage removed or fixed in every sub-step (Spybot for ex. says: Leftlovers, TNS.Search, Smitfraud-C, Haxdoor-H, MyWay, MyBar, FindSpy.A, Cydoor, Wareout, SpySheriff… and others, up to 52 problems found, all fixed, and immunized). Procedure completed. Considering all the problems that appeared I decided:

    4th time: Reboot in safe mode with network support, and restart the whole ‘Scanning and Cleaning Steps’ procedure from the beginning. RavAntivirus finds the winrar uninstaller as suspicious, but no viruses found. Spybot finds 2 DSO.Exploit entries. I realize that ‘Only Spyware’ is selected so I select ‘All modules’ and start the Spybot analysis again. It runs until THE COMPUTER SUDDENLY AND ABRUPTLY SHUTS DOWN another time!!!!
    You know I’m not superman, I was worn out. So, I reboot in normal mode… hey! The wallpaper was right, with my family again (happier to see them again than I can describe). I go on with the SP2 installation and it seems to go on, but:
    An IE popup window with kiss-me-man and something like TGP or TPG in the title bar keeps appearing by itself (automatically after a variable time from turning on the computer).
    AV-Antivirus still detects sometimes TR/Drop.Agen.bd.A.1 and often Windows\System32\Winacpi.DLL
    IE automatically starts a window that wants to connect to asdbiz.biz or so (loading from C:\Windows\System32\Shdoclc)
    Spybot finds MZS.Spoolserver32

    ¡And every step and sub-step took near 1 hour!!!!!!!! I ended up desperate.
    From Thursday 18 at 17:00 until Sunday 21 late at night I slept an average of 4 hours, one day I did not go home to sleep (the computer isn’t at my home) and half of my summer holidays went into a shredder (my family did not know whether to kill me or to jump off a cliff)

    (Sorry for the relief)

    But anyway (I think you’ll understand), prey to desperation and frustration, I could resist the temptation to throw the computer away (through the window of the 7th floor, obviously) but not the temptation to delete anything the cleaning programs found. I read the HijackThis tutorial, Pacman's list, fixed things with it, told Spybot to delete items, etc. etc. etc.

    I don’t remember well what I did at this point. But after a week of treatment in a detox clinic (and two days writing this post with the help of BabelFish) the result is what you read above. I have many logs of this torture; if you want to see them I'll post them as attachments.

    NOTE: the infected computer has been off from Sunday 21 until now.

    Thank you again for any kind of help.

    Saludos.
     
  2. PhilliePhan

    PhilliePhan Guest

    Wow!

    It sounds like you have done quite a lot . . . Whether that is good or bad remains to be determined :cool:


    I would like you to try the following:


    1 -- Download the latest version of HijackThis ( HijackThis v1.99.1 )and Extract it from the ZIP to its own folder C:\Program Files\HijackThis

    2 -- Run Panda ActiveScan -- Allow it to fix what it can and save the Log to attach to your next post.

    3 -- Download and Install Ewido Security Suite

    DoubleClick the Ewido Icon on your desktop and allow it to update to the latest malware definitions (Click Update > Start). Then, exit Ewido and boot to Safe Mode.
    When in Safe Mode, open Ewido and click Scanner. Be sure the following boxes are checked (Binder - Crypter – Archives) and then Start Scan.

    Allow Ewido to fix what it finds and click on Save Report. Save the log to where it can be easily found.

    4 -- Scan with HijackThis. Please be sure to follow the instructions below:
    Note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.


    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post back. Please attach the EWIDO Log and Panda Log as well. . . . (You'll need two posts to attach all three logs)


    We'll see if there is anything we can do to help you. I will try to check back as time permits.

    Best luck :)
    PP
     
    Last edited by a moderator: Aug 27, 2005
  3. rob0cop

    rob0cop Private E-2

    Thank you very very much for the answer.

    I've been out for the weekend, and the infected computer isn't at my home.

    So I'll start to do all you say and I'll post the results asap.

    Thanks again.

    Saludos.

    (And about "Whether that is good or bad remains to be determined", I think the same).
     
  4. PhilliePhan

    PhilliePhan Guest

    OK!

    I'll keep an eye open for your post.

    PP :)
     
  5. rob0cop

    rob0cop Private E-2

    Hello PP,

    I'm working on it now, but it's hard; Ewido Security Suite has been running for 48 min and it's only at 3.6% (still scanning the registry).

    I don't know if I can finish it today; if not I must continue tomorrow at 14:00 local time.

    In any case I'll tell you some strange things:

    When I booted in normal mode AV-Antivir popped a warning message about TR!Drop.Agen.db.A.1 in WINACPI.DLL (repeated many times).

    For the moment I always select 'Deny access' and go on with the work.

    After downloading, installing and updating Ewido and rebooting in Safe Mode (without network support), inside the program I can't find the ‘Scanner’ option as you say (by the way the program appears in Spanish and I don't know why).

    So I go to ‘explorar’ and select settings; there are no Binder-Crypter-Archives boxes to check.

    The checkboxes are all selected and they are
    -Scan for malware that is attached to other files
    -Scan inside archives and setup files
    -Use heuristical analysis to detect unknown malware
    -Scan inside compressed executables
    -Scan in NTFS Alternate Data Streams
    -Scan for Spyware
    -Scan for tracking cookies
    -Scan for riskware

    And lastly, the only one I changed (not a checkbox but a radio button with two options): ‘Scan every file’ instead of ‘Choose files by extension’, which was selected by default before I changed it.

    I have gone on with this. I hope it's OK.

    As soon as Ewido finishes I'll post the attachments.

    And again thank you very much.

    Saludos
     
  6. PhilliePhan

    PhilliePhan Guest

    OK.

    If you have trouble with the Panda and EWIDO scans, don't worry about it.

    -- Just be sure to attach a fresh HijackThis Log as per the instructions I gave earlier.

    There is no rush. We can take things slowly and try to figure out what is going on. A HJT Log is a good place to start, as it will give me an idea of the severity of the problem and whether I can be of assistance.

    PP :)
     
  7. rob0cop

    rob0cop Private E-2

    Well here I am.

    Ewido only took 190 min, but I went home at approx. 100.

    I'll try to attach the HJT log... (it was run in Safe Mode, as you didn't say anything different in your instructions).

    Once the computer rebooted in Normal Mode I had a lot of warnings from AV-Antivirus, as I said in my last post. (WINACPI.DLL)

    And browsing the internet to reach this forum was a torture: every click I got two warnings, and on every page change too (I answer sometimes 'deny access' and sometimes 'delete file').
     

    Attached Files:

  8. rob0cop

    rob0cop Private E-2

    Hey! It seems the attachment has gone through and it's in the thread (the first time for me, you know, and when something goes right I must celebrate it, it's not frequent).

    The log has an '02' at the end because I have an old one from days before I opened this thread.

    Now go on with Panda & Ewido Logs.
     

    Attached Files:

  9. rob0cop

    rob0cop Private E-2

    Hello again PP,

    Viewing the logs I realize that there are things that are in Spanish.

    I leave here an 'attempt' at quick translations (if you need anything else, please tell me)

    Archivos: Files
    Archivos de programa: Program Files
    Limpio: Clean
    Limpio con backup: Clean with backup
    Fin: End
    Creado: Created

    I think that's all.

    I must go; I'll check for answers asap.

    Thank you again

    (I see SpySheriff seems to have come back, and many CyDoor and... a lot of garbage. Ewido says it has cleaned them, but it seems not true).

    If you want a HJT log in Normal Mode... just say so.

    Saludos.
     
  10. PhilliePhan

    PhilliePhan Guest

    Happy to try to help! :)

    You are not the first person from Spain that I have helped - I don't have too many problems with Spanish HJT Logs. If I do, I'll let you know!


    -- I DO need a HijackThis log from Normal Windows Boot. It will tell me more of what I need to know.

    -- I could not read the EWIDO log.

    -- Have you looked at what Chaslang has posted here: Spysheriff Removal

    -- I see SpySheriff in your Program Files Folder. Are you able to Uninstall it via Add/Remove Programs? Do you find WareOut there too?

    -- Also, when trying to fix these items, did you turn System Restore OFF?



    Let's try this for now:


    FIRST:
    Please unzip Pocket KillBox to its own folder. Leave it there for the time being.

    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.

    NEXT:
    Look in Add/Remove Programs and try to Uninstall SpySheriff. Also, note any other suspicious entries that you find there.


    NOW, please open Pocket KillBox.

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” and “End Explorer Shell While Killing File ” Options. Enter or Copy&Paste each of the following into the box one by one, making sure Delete on Reboot and End Explorer Shell While Killing File are Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be Rebooted until the last item has been entered:

    C:\DOCUMENTS AND SETTINGS\GIUSEPPE\CONFIGURACIÓN LOCAL\TEMP\pi.sys
    C:\WINDOWS\SYSTEM32\loadctr32.exe
    C:\WINDOWS\ms1.exe
    C:\WINDOWS\NDNuninstall5_40.exe
    C:\WINDOWS\SYSTEM32\AdCache
    C:\ARCHIVOS DE PROGRAMA\MyWay
    C:\Program Files\SpySheriff
    C:\WINDOWS\NDNuninstall5_40.exe
    C:\WINDOWS\system32\explorer6s4.exe
    C:\WINDOWS\system32\ntfsnlpa.exe
    C:\WINDOWS\system32\vxgame4.exe


    When the last item has been entered and you are prompted to reboot, ALLOW Pocket KillBox to Reboot your computer. If Killbox fails to Reboot your machine, do it manually.


    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post) and have Spybot fix what it finds.


    Reboot to Normal Windows and Scan with HijackThis and attach that log.

    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits and we can continue.


    Also, read the post by Chaslang that I linked and see how much of it applies to your situation and let me know.

    Best luck :)
    PP
     
    Last edited by a moderator: Aug 30, 2005
  11. rob0cop

    rob0cop Private E-2

    Well, by the way, this is the worst month of the last twelve at work (and perhaps in so many aspects of my life), so sorry again for the time between answers.

    I'm trying to look inside add/remove programs (the warnings from AV-Antivir and the time the computer seems to hang make it very very hard; near 30 minutes and still not reached).

    (NOTE: I had to use the program manager to kill the warning window from AV Antivirus that says ‘not responding’. Perhaps doing this in Safe mode would be better)

    The main difficulty I find in following your instructions correctly is knowing whether I must be in Safe mode, Safe mode with network support or Normal mode at each step.

    So this time I've booted in Normal mode, and I think I must do all the steps in Normal mode.

    I can read the Ewido log online; I don't know why you can't.

    I'll try to upload it again in this post (I've seen that there were two .txt extensions on the file, I don't know why, but I'll try to rename it to only one extension).
     
  12. rob0cop

    rob0cop Private E-2

    Wow, near an hour and I can now see the add/remove programs list on screen.

    I don't know if the list is complete because there are warning windows from AV-Antivir everywhere (some not responding), but rearranging them and scrolling the add/remove programs list (I think it's complete but I'm not sure) I can't see SpySheriff or WareOut.

    Note that SpySheriff was uninstalled from here BEFORE I opened this thread, following the instructions in chaslang's post 'SpySheriff Removal'.

    I followed those instructions, after the READ ME FIRST instructions (which I tried to follow completely, as explained in the 1st post), perhaps until step 6 -in that nightmare I can't remember very well-. I think my resistance broke down at this point.

    So I'll go on with Pocket Killbox in Normal Mode and let you know asap.

    Thank you.

    Saludos.

    Note: and here you have the same Ewido log with another name; I hope it will be easier to open.
     

    Attached Files:

  13. PhilliePhan

    PhilliePhan Guest

    That is OK! I, too, am busy with work and other matters.

    Yes - You can do any of these steps in Safe Mode if that is easier. But, when you scan with HijackThis, it must be from Normal Windows boot.
    Again, at this point in the process, if it is easier to be in Safe mode, then that is fine.

    It is a bit jumbled and hard to follow. Don't worry about it.


    That is OK. I did not think it would give you that much trouble. Sorry!
    I know - I wanted to see if it was back in Add/Remove.


    If you need to do this in Safe Mode, you can. But the Hijackthis log must be from Normal Windows boot. I really need to see a HJT Log before we can continue.


    Hang in there! I know that this is extremely frustrating. Also, a support forum setting can sometimes be difficult since we have to communicate by single messages.
    Normally, this malware does not affect a machine as severely as it has affected your computer. I would very much like to see that Hijackthis log!

    Best Luck :)
    PP
     
  14. rob0cop

    rob0cop Private E-2

    Well, in Safe mode everything is very very much better.
    I have done this:

    -Boot in Safe Mode with network
    -Open IE, download and unzip Pocket KillBox
    -SpySheriff and WareOut not found in Add/Remove programs
    -System Restore OFF and view Hidden & System files enabled (hide extensions disabled) confirmed (was right)
    -Run PocketKillBox

    these files/folders not found:

    C:\WINDOWS\NDNuninstall5_40.exe
    C:\WINDOWS\SYSTEM32\AdCache
    C:\WINDOWS\NDNuninstall5_40.exe
    C:\WINDOWS\system32\explorer6s4.exe
    C:\WINDOWS\system32\ntfsnlpa.exe
    C:\WINDOWS\system32\vxgame4.exe

    These others were directories (folders) and I told PKB to delete them all:
    C:\ARCHIVOS DE PROGRAMA\MyWay
    C:\Program Files\SpySheriff

    No problem for PKB to reboot the computer at this moment

    Note: I have detected some strange files while browsing from PKB to find the other ones you said to delete, for ex: 6to4svc.dll or vx.tll or w (just ‘w’ without extension). I have left them untouched.

    -Reboot in Safe Mode, seems better but the AV-Antivir warnings about WINACPI.DLL make work hard anyway, so
    -HARD Reset and Reboot in Safe Mode with network
    -Run Ccleaner (log saved)
    -I forgot to search for updates so I do it now
    -Found v1.23 instead of 1.22 so download and install it
    -Run Ccleaner 1.23 (log saved)
    -Run Spybot (no updates available) (log saved and posted next; 8 problems fixed)
    -Reboot in normal mode, it seems better (not so many warnings from AV Antivir, but some)
    -Search for HJT in its own folder… the SpySheriff folder is already there again at C:\Program Files!!!!!
    -Well I go on anyway with HJT and when it finishes I will post its log and the Spybot log (wish me good luck to finish in a few hours…)

    NOTE: I always keep IE and any browser windows closed (and any other program besides the one in use), but I had forgotten to unplug the RJ45 cable from the computer (I hope it’s not essential).
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help keep you moving along on this:

    In the last HJT log posted in message number 7, I saw the below entry which seems to have been missed:

    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe

    This is malware and needs to be fixed and the file must be deleted. See the below link. It is also the reason for seeing messages about winacpi.dll.

    http://www.sophos.com/virusinfo/analyses/trojcimuzb.html
     
  16. rob0cop

    rob0cop Private E-2

    Hello, here I am.

    HARD to run HJT, it hangs at O23 NT Services.

    The second attempt (and a lot of patience) was better (it hung for near 20 minutes, while I continuously answered AV-Antivir warnings, saying 'Deny Access' or 'Delete File' for WINACPI.DLL).

    Well, here are the logs from Spybot and HJT.

    I hope they will be useful for us.

    Thanks again; I must go to sleep and then to work until approx. 14-15 hours from now (lunch time in Spain). 'Read' you later.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I guess you did not read what I posted??


    Edit: I just noticed this was missed too:

    O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
     
    Last edited: Aug 31, 2005
  18. rob0cop

    rob0cop Private E-2

    Yes, I hadn't yet; only NOW have I read it.

    Every time I must log out of majorgeeks on one computer, unplug the RJ45, plug it into the other one, browse to the majorgeeks forums, log in, go to the thread, look for messages and select new post... and it's the first time for me; it's not easy for me to manage attachments, write in the web page, and so on. But I think I'm doing it better (I have a hard head, as they say in Europe).

    Thanks, and I'll go study your post before I go home.

    Un saludo.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't miss what I just also added into message number 17. Another item that was overlooked and needs to be fixed and the file deleted.
     
  20. rob0cop

    rob0cop Private E-2

    OK Chaslang, thank you very much too; my computer knowledge is better than my English knowledge, but not as much as I wish.

    It’s a bit late for me but I'll try to understand; only I’m not sure of the meaning of ‘missed’: does it mean ‘not found’? If yes I don’t understand you, that line is there in the log where you have seen it.

    So the meaning must be another one, but I don’t know it.

    You say "This is malware and needs to be fixed..." ¡je! (in English maybe ha!, or aha! or ?? I'm not sure): that's exactly the question.

    I’ve read your link at Sophos. Do you mean that I must manually remove the registry entries they list in the advanced tab, and delete the file using Windows Explorer? Must I use HJT? Or another way?

    Hey! You are writing now!

    OK, but what’s the meaning of ‘overlooked’? (Sorry for seeming so stupid)

    (Seems? Why ‘seems’, you’ll say? Well, it’s a real possibility).

    (Note, perhaps tomorrow I can read the HJT tutorial again and understand better all you say; now I MUST go home, sorry and thank you all very very much).

    Saludos a todos.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I will try to give you more detailed instructions that are hopefully easier to understand.

    Make sure you have system restore disabled (the directions for this were in the READ ME FIRST sticky thread).
    Make sure viewing of hidden files is enabled.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\windows\system32\mdms.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
    O21 - SSODL: avast! - {F6D26482-D580-3A75-594E-44D765E5CDAA} - c:\archivos de programa\alwil software\avast4\hnko2.dll (file missing)


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\appwiz.dll
    C:\windows\system32\winacpi.dll
    C:\windows\system32\mdms.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run Ccleaner.
    Now goto c:\windows\Prefetch and delete all files in this folder.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
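    As an added illustration (not code from the thread, from HijackThis or from MajorGeeks), the script below parses HJT log lines of the kinds quoted in this post (R0/R1, O2, O4, O21) and turns the analyst-selected lines into the same worklist as the steps above: autostart executables to kill first, entries to fix, files to delete only if the log says they exist on disk, and browser settings to reset. The line grammar is an assumption inferred from the quoted lines; the dropped companion file winacpi.dll never appears in the HJT lines, so the plan does not cover it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the HJT lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O21 - SSODL: avast! - {F6D26482-D580-3A75-594E-44D765E5CDAA} - c:\archivos de programa\alwil software\avast4\hnko2.dll (file missing)
"""

MISSING = "(file missing)"                       # HJT suffix for a referenced file absent on disk
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<rest>.+)$")   # assumed line grammar
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    kind: str                  # R0, R1, O2, O4, O21, ...
    raw: str                   # the line exactly as HJT printed it (what you tell HJT to fix)
    key: str = ""              # registry key (R, O4) or hook type (BHO, SSODL)
    name: str = ""             # Run value name or BHO/SSODL display name
    value: str = ""            # R-line data (the hijacked URL)
    clsid: str = ""
    path: str = ""             # file the entry points to, if any
    file_missing: bool = False


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    e = Entry(kind=kind, raw=line.strip())
    if rest.endswith(MISSING):
        e.file_missing = True
        rest = rest[: -len(MISSING)].rstrip()
    if kind.startswith("R"):
        # R0/R1: <hive\key>,<value name> = <data>
        e.key, _, e.value = rest.partition(" = ")
        return e
    if kind == "O4":
        # O4: <hive\..\Run>: [<value name>] <command>  (command kept whole)
        m4 = re.match(r"^(?P<key>.+?): \[(?P<name>.*?)\] (?P<cmd>.+)$", rest)
        if m4:
            e.key, e.name, e.path = m4.group("key"), m4.group("name"), m4.group("cmd")
        return e
    # O2/O21 and similar: <type>: <name> - {CLSID} - <path>
    parts = [p.strip() for p in rest.split(" - ")]
    e.key, _, e.name = parts[0].partition(": ")
    for p in parts[1:]:
        if CLSID_RE.fullmatch(p):
            e.clsid = p
        elif WIN_PATH_RE.match(p):
            e.path = p
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def plan_cleanup(entries: List[Entry]) -> Dict[str, list]:
    """Order the analyst-selected entries the way the thread does: kill running
    autostart executables, fix every entry, delete only files present on disk,
    and reset the browser settings named by the R lines."""
    plan: Dict[str, list] = {"kill_processes": [], "fix_entries": [],
                             "delete_files": [], "skip_missing": [],
                             "reset_ie_settings": []}
    for e in entries:
        plan["fix_entries"].append(e.raw)
        if e.kind.startswith("R"):
            plan["reset_ie_settings"].append((e.key, e.value))
            continue
        if not e.path:
            continue
        if e.file_missing:
            plan["skip_missing"].append(e.path)      # registry fix only, nothing to delete
            continue
        if e.kind == "O4" and e.path.lower().endswith(".exe"):
            plan["kill_processes"].append(e.path)    # kill before the file can be removed
        plan["delete_files"].append(e.path)
    return plan


if __name__ == "__main__":
    for step, items in plan_cleanup(parse_log(SAMPLE_LOG)).items():
        print(step)
        for item in items:
            print("   ", item)
```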
     
  22. PhilliePhan

    PhilliePhan Guest

    Thanks for catching all my mistakes. I am not worthy!

    Best Luck, guys :)
     
  23. rob0cop

    rob0cop Private E-2

    OK, I've been out all day.

    Now I've seen your instructions (and PP's post makes me understand a bit more the meaning of 'missed' and 'overlooked': these lines are there but they "must not" be there, I think; perhaps some program or step forgot to remove them, maybe?).

    Well, in an hour I will be in front of the computer and I'll try to do it all.

    The only doubt is that from the beginning of the procedure
    until
    I do that, I MUST be in Normal Mode (oh my god!! this is very exasperating, but OK).

    If I don't read any instruction on this step I'll assume it's the only way to do this and I'll START doing it in an hour more or less.

    Thank you all very very much.

    Un saludo.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you do that first part in normal boot mode!
     
  25. rob0cop

    rob0cop Private E-2

    OK, I'm "on the air" now.

    I've clicked HJT.exe, and I'm waiting for it to start while I answer the known AV-Antivirus warnings (and I had started to try to kill -end task- the warning windows that are already stuck in the middle of the screen).

    Just one question about message no. 14: what about this SpySheriff folder?

    Must I delete it at some moment of the procedure? Or not at the moment?

    Thanks.

    NOTE: The default 'Program Files' folder in Spanish XP computers is called 'Archivos de programa', not 'Program Files'. This last folder (in English) is unusual and only a few programs create it while installing.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you see a SpySheriff folder anywhere, delete it at anytime you can (if not deletable in normal boot mode use safe mode).
     
  27. rob0cop

    rob0cop Private E-2

    OK Chaslang.

    But I have bad news. HJT doesn't appear, only a lot of AV-Antivir warnings.

    And if I click again on the HJT.exe program, a window appears that says HJT is already running.

    So I HARD reset the computer and I'll try again.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you download HijackThis from Majorgeeks? If not, please do so. Get it here: Hijack This

    This is a ZIP file with the hijackthis.exe file inside. It should not be named HJT.exe as you are saying.

    Also please give us the exact antivirus message.
     
  29. rob0cop

    rob0cop Private E-2

    Oh sorry, it's just to save typing, but the file is HijackThis.exe and it was downloaded from a link in a previous PP post.

    Antivirus shows a window titled W A R N I N G !

    That always says:
    C:\WINDOWS\SYSTEM32\WINACPI.DLL

    Is the Trojan horse TR/Drop.Agen.bd.A.1
    And offers these options:
    Repair file (disabled, not selectable)
    Move to quarantine directory (I haven't tried to use this option at any time)
    Delete file
    Wipe file
    Rename file (I haven't tried to use this option at any time)
    Deny access
    Allow access (I haven't tried to use this option at any time)
    Hey! Now I see HJT; I've killed the mdms.exe process, done the next steps and I'm rebooting in safe mode (I had a message from HJT to close all browser windows -they were, as you say- and all Windows Explorer windows -I had one open, closed it then and clicked OK on the HJT message to let it continue).

    It seems all has gone OK.

    I'll tell you now...
     
  30. rob0cop

    rob0cop Private E-2

    Now I'm in safe mode; I have deleted with no problems:

    C:\windows\system32\mdms.exe

    I can't find:

    C:\windows\system32\appwiz.dll
    C:\windows\system32\winacpi.dll

    I've checked that hidden and system files view is ON.

    (I see an appwiz.cpl file).

    Now run Ccleaner and go on? Or must I do anything else before?

    Waiting for instructions... (and thanks again).
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you run HijackThis in safe mode? If so, have it fix the lines I listed while in safe mode.

    After fixing reboot in normal mode and get a new HJT log and post it.


    Edit: Okay! I see you probably have already run HJT to fix the lines. Just attach a new log when you can.
     
  32. rob0cop

    rob0cop Private E-2

    OK, I'll run Ccleaner, delete Prefetch, reset web settings, reboot in normal mode, run HJT and post the log.

    I'll tell you now..
     
  33. rob0cop

    rob0cop Private E-2

    So, here is the HJT log from Normal Mode.

    I don't dare to breathe.... it seems it's all OK.

    No AV-Antivir warnings...

    Was it reality or fiction?

    Am I sleeping or not sleeping? Am I dreaming?

    Well, I have my fingers crossed but I'll tell you more next.
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! Is everything working okay now?
     
  35. rob0cop

    rob0cop Private E-2

    Is everything working okay now?

    Oh, it seems really OK now (but it was f...ing with me for so long that my head refuses to believe it).

    Guys you are really

    GREAT!!!!!!

    BUT VERY VERY GREAT!

    I'll keep an eye on it in the next days and you can be sure you will have news about how it's working (and news about me too, so you two can come to see me when you travel to Europe).
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy to see things are working good now!
     
  37. rob0cop

    rob0cop Private E-2

    Hello again,


    on my return, after many days travelling, the people who use the computer confirm that everything works fine.

    I must (and I want to) give you both the biggest thanks that I can.

    Please, if you travel to Spain in the future send me a message. I'll be happy to offer you the best 'paella' we can find.

    Thank you very very very much again.

    Un saludo y hasta la vista.

    rob0cop
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome again! And thanks for the offer!
     
