Violent (author), posted July 13, 2008:

Renamed HJT and could run it. (By the way, it says "VIRUS ALERT!" next to anywhere that displays my clock.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12: VIRUS ALERT!, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Administrator\Desktop\lal.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\It blocks names\Haha\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {08D390AE-5101-4701-A89F-6C6DADCCC402} (MSN Photo Select Tool) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {507813C3-0B26-47AD-A8C0-D483C7A21FA7} (PipPPush) - http://photos.msn.com/resources/neutral/co...ls/PipPPush.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O21 - SSODL: fdxbameg - {C8E349C8-A6B0-4403-B6D8-D9ED7AF2F546} - C:\WINDOWS\fdxbameg.dll
O21 - SSODL: fsrpknov - {C41B398F-C986-444E-8EB1-D25BCC2C27EC} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O24 - Desktop Component 0: (no name) - http://images.google.com/images?q=tbn:ZHQ5...s/Hot_Water.jpg

-- End of file - 10216 bytes

Link to comment: https://www.neowin.net/forum/topic/648545-winspywarepro/page/3/#findComment-589551773
Japlabot, posted July 13, 2008:

If you had formatted C:, it would have been fixed by now.
+Warwagon (MVC), posted July 13, 2008:

Looks like you should download LSPFix and get rid of that newdotnet.
Unknown_97784568745, posted July 13, 2008:

Use Malwarebytes' Anti-Malware, it's one of the best (if not THE best)!
roadgeek9, posted July 13, 2008:

You can try out AVG Free, which should be able to cover some issues. I think it has round-the-clock anti-spyware coverage, but that might just be anti-virus coverage.
joker999, posted July 13, 2008:

http://removers.volyn.net/2008/05/21/how-t...atical-remover/ remove winspywarepro
ViperAFK, posted July 13, 2008:

You can try to remove the infection, but as Leo Laporte and Steve Gibson would say, your machine has been compromised and can never be trusted again. I'd tend to agree. They would also never enter any banking information on that computer ever again unless a clean install was done. I definitely agree; in my experience it's about impossible to completely get rid of these nasty deep-rooted viruses. Though hopefully you can get it clean enough to back up all your files, I would still recommend a format eventually. I've had viruses like this seem completely gone, then resurface soon after.
redvamp128, posted July 13, 2008 (edited):

I just found this. How it is reproducing itself is part of the issue:

C:\Documents and Settings\Administrator\Desktop\lal.exe
Positive identification: TrojanClicker.Win32.Spywad.a
File: c:\windows\lal.exe

You could try to remove that one in Safe Mode, or if you have a bootable Linux like Puppy Linux or a good live version that can read NT. I found this here: http://www.webuser.co.uk/forums/showflat.p...view/collapsed/

Except in your case it is loading as part of the desktop, like a webpage.
zhangm (Supervisor), posted July 13, 2008 (edited):

First, in Safe Mode, kill these processes using Task Manager, if they still exist.

C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Documents and Settings\Administrator\Desktop\lal.exe

Use HijackThis to remove these entries.*

* You will lose some legitimate programs that start up automatically, such as AIM, but it will hopefully make the crippled computer less painful to use.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {08D390AE-5101-4701-A89F-6C6DADCCC402} (MSN Photo Select Tool) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {507813C3-0B26-47AD-A8C0-D483C7A21FA7} (PipPPush) - http://photos.msn.com/resources/neutral/co...ls/PipPPush.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O21 - SSODL: fdxbameg - {C8E349C8-A6B0-4403-B6D8-D9ED7AF2F546} - C:\WINDOWS\fdxbameg.dll
O21 - SSODL: fsrpknov - {C41B398F-C986-444E-8EB1-D25BCC2C27EC} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - http://images.google.com/images?q=tbn:ZHQ5...s/Hot_Water.jpg

Then, boot into Command Prompt, and use del and deltree to remove these files and folders, if they still exist. Always quote a path if it has spaces in it, like in the list below.

C:\WINDOWS\sqvgnrpx.dll
"c:\program files\newdotnet\newdotnet6_38.dll"
"C:\Program Files\newdotnet"
C:\WINDOWS\fsrpknov.dll
C:\WINDOWS\fdxbameg.dll

Then reboot the computer again in Safe Mode, try to update Symantec AV, and run a full scan. Also please note that you may not be dealing with spyware only: you may have a virus that is constantly checking, downloading, and reinstalling malware once it detects that you've removed some.
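A small triage script for HijackThis log lines like the ones quoted in this thread, added here as an example; it is not part of any post and not HijackThis code. It parses the R0/R1, O3, O4, O10, O21, O23 and O24 line formats and flags the patterns that identified the infection above (orphaned entries, bare DLLs in the Windows root named after their own entry, the broken LSP chain, the redirected start page, autostarts under the SYSTEM hive, the Active Desktop component). The flagging heuristics and the allowlist of trusted start-page prefixes are assumptions chosen for this example.

```python
"""Triage helper for HijackThis v2 log lines (constructed example for this
thread; not HijackThis code). Flags the patterns that marked the infection
above. Every heuristic here is an assumption of the example, not an HJT rule."""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^HK[^:]*\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")  # O4: "HKLM\..\Run: [name] cmd"
ROOT_DLL_RE = re.compile(r"^C:\\WINDOWS\\([A-Za-z]{6,10})\.dll$", re.IGNORECASE)  # bare DLL in Windows root
TRUSTED_URL_PREFIXES = ("http://go.microsoft.com/", "http://www.google.")  # assumed allowlist for this example


@dataclass
class HjtEntry:
    section: str
    body: str
    name: str = None
    clsid: str = None
    path: str = None
    flags: list = field(default_factory=list)


def parse_entry(line: str):
    """Split one HJT line into section, display name, CLSID and path (None if not an entry)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = HjtEntry(section=m.group("section"), body=m.group("body"))
    c = CLSID_RE.search(e.body)
    e.clsid = c.group(0).upper() if c else None
    if e.section in ("R0", "R1"):  # "hive\key,value = data"
        key, _, value = e.body.partition("=")
        e.name, e.path = key.strip(), value.strip() or None
    elif e.section == "O4" and (r := RUN_RE.match(e.body)):
        e.name, e.path = r.group("name"), r.group("cmd")
    elif e.section == "O10":  # the LSP line quotes the provider path
        q = re.search(r"'([^']+)'", e.body)
        e.path = q.group(1) if q else None
    else:  # "Kind: name - {CLSID} - path" (O3, O9, O21, O23, O24)
        fields = [f.strip() for f in e.body.split(" - ")]
        e.name = fields[0].partition(": ")[2] or None
        e.path = fields[-1] if len(fields) > 1 else None
    return e


def triage(e: HjtEntry) -> list:
    """Attach review flags to one parsed entry and return them."""
    if "(no file)" in e.body or "(file missing)" in e.body:
        e.flags.append("orphaned entry: referenced file no longer exists")
    if e.section in ("O3", "O21") and e.name and e.path:
        m = ROOT_DLL_RE.match(e.path)
        if m and m.group(1).lower() == e.name.lower():
            e.flags.append("random-looking DLL in Windows root, named after its own entry")
    if e.section == "O10" and "Broken Internet access" in e.body:
        e.flags.append("Winsock catalog references a missing LSP: repair the chain, deleting the DLL is not enough")
    if e.section in ("R0", "R1") and e.path and e.path.startswith("http"):
        if not e.path.startswith(TRUSTED_URL_PREFIXES):
            e.flags.append("browser start/search page points outside the allowlist")
    if e.section == "O4" and "(User 'SYSTEM')" in e.body:
        e.flags.append("autostart under the SYSTEM hive: interactive apps do not belong there")
    if e.section == "O24":
        e.flags.append("Active Desktop component pulling remote content")
    return e.flags


def triage_log(text: str) -> list:
    flagged = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e and triage(e):
            flagged.append(e)
    return flagged


# Constructed sample: a subset of the log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O21 - SSODL: fdxbameg - {C8E349C8-A6B0-4403-B6D8-D9ED7AF2F546} - C:\WINDOWS\fdxbameg.dll
O24 - Desktop Component 0: (no name) - http://images.google.com/images?q=tbn:ZHQ5...s/Hot_Water.jpg
"""
```

Running `triage_log(SAMPLE_LOG)` returns the seven entries the thread told the poster to remove or repair, and leaves the PayPal toolbar, the MSConfig autostart and the Microsoft default page alone.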
Joel, posted July 13, 2008:

> I CANNOT access internet in normal mode only in safe mode.

So how are you posting now? Use that computer to get the LiveCD and burn it. Wow.
zhangm (Supervisor), posted July 14, 2008 (edited):

> So how are you posting now? Use that computer to get the LiveCD and burn it. Wow.

Seriously, did you just quote the answer to your own question? Wow.

Edit: Yup, just like you'd expect, programs like Internet Explorer and Firefox work in Safe Mode.
xendrome, posted July 14, 2008:

Just run ComboFix 2 times in Safe Mode, it'll take this right out...
Joel, posted July 14, 2008:

> Seriously, did you just quote the answer to your own question? Wow.
> Edit: Yup, just like you'd expect, programs like Internet Explorer and Firefox work in Safe Mode.

Then he should stop saying he can't get on the internet to get the LiveCD. Read the quoted post next time.
roadgeek9, posted July 14, 2008:

If nothing we are telling you is working, you should just somehow back up your data safely and reformat. If something we are telling you is working, still reformat, just to be safe.
morphen, posted July 14, 2008:

> If nothing we are telling you is working, you should just somehow back up your data safely and reformat. If something we are telling you is working, still reformat, just to be safe.

+1. Just back up your data in Safe Mode, then reformat and reinstall Windows. WinSpywarePro and ErrorSafe are hard to remove completely; of course you can do a manual removal using one of those step-by-step manual removal guides, but my experience is that you get reinfected shortly after.
roadgeek9, posted July 14, 2008:

> Just back up your data in Safe Mode, then reformat and reinstall Windows.

How can he back it up in Safe Mode? Does Windows XP Safe Mode support USB (if he is using a flash drive)? I don't think CD burning is an option either.

Okay, that was probably a dumb question, but I am almost never in Safe Mode.
redvamp128, posted July 14, 2008:

Safe Mode with Networking....
TYT, posted July 14, 2008 (edited):

I just dealt with something similar (Vundo, with the SmitFraud variant that brings in Vista AntiVirus 2008 and the like). The steps about getting a live CD and using that to scan, either with an online scanner such as Trend Micro or BitDefender, are dead on. You will not get rid of this thing by trying to run programs in Windows, Safe Mode or not.

Also, there was a link posted earlier for SDFix. Get it. It will do wonders once you get the first wave of scans done.

Finally, your C: drive and your Log Off abilities are in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. There will probably be three keys there: hide drives, logoff something, and another drive-related one. Export them to back them up and then delete them. You will then gain access to your drives.

Good luck.
Violent (author), posted July 14, 2008:

Joel, take the time and read my other posts. I posted the other day that I now had access to the internet in Safe Mode. I could get a LiveCD, but I have a LOT of files on my computer and I wanted to see if there was a way to avoid backing everything up. Looks like not.
redvamp128, posted July 14, 2008:

> Joel, take the time and read my other posts. I posted the other day that I now had access to the internet in Safe Mode. I could get a LiveCD, but I have a LOT of files on my computer and I wanted to see if there was a way to avoid backing everything up. Looks like not.

I suggested the Linux (Puppy Linux) live CD if you could not delete those pesky virus/spyware files in Safe Mode. You would just have to boot with it and then mount the hard drive, then look for those files. Don't forget to unmount the drive. Now once that is done, you may get mundo errors where it says it can't find them, but that is an easy fix when you get into the OS, through the registry and msconfig.

The main one I am worried about is C:\Documents and Settings\Administrator\Desktop\lal.exe. That is why I suggested Puppy Linux running in live mode.
Violent (author), posted July 15, 2008:

> I suggested the Linux (Puppy Linux) live CD if you could not delete those pesky virus/spyware files in Safe Mode. You would just have to boot with it and then mount the hard drive, then look for those files. Don't forget to unmount the drive. Now once that is done, you may get mundo errors where it says it can't find them, but that is an easy fix when you get into the OS, through the registry and msconfig.
> The main one I am worried about is C:\Documents and Settings\Administrator\Desktop\lal.exe. That is why I suggested Puppy Linux running in live mode.

I got Firefox running by renaming the files. I don't get the Google redirections anymore, but I still have some sites blocked. Whatever, my comp is 5 years old, did its job for that long, and I was looking into getting a new one before this all happened anyway, so I think I'll just get a new one. Any suggestions for sites?
+Warwagon (MVC), posted July 15, 2008:

> I got Firefox running by renaming the files. I don't get the Google redirections anymore, but I still have some sites blocked. Whatever, my comp is 5 years old, did its job for that long, and I was looking into getting a new one before this all happened anyway, so I think I'll just get a new one. Any suggestions for sites?

Well, if you want to build your own then I would highly suggest http://www.newegg.com. Otherwise, if you want to buy premade, http://www.dell.com
redvamp128, posted July 15, 2008:

Did you ever get the lal.exe removed from the desktop? I would suggest, if it were IE running, Panda ActiveScan (online scanner). But possibly if you can load up the Yahoo! toolbar in Firefox, maybe its spyware scanner can remove it. Another one that is worth a shot is Stinger: http://vil.nai.com/vil/stinger/
abcdefg, posted July 15, 2008:

> Whatever, my comp is 5 years old, did its job for that long, and I was looking into getting a new one before this all happened anyway, so I think I'll just get a new one. Any suggestions for sites?

http://www.apple.com/mac/
Joel, posted July 16, 2008:

> http://www.apple.com/mac/

That's not a computer, it's a Mac. Stick to what he's talking about.