Winspywarepro


Recommended Posts

redvamp128

You also not only have to remove them from the registry but also look where they lead to and delete the files- look also in the following folders...

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

C:\Program Files

Then also look in the Documents and settings\your username\start menu\programs\Startup

also try in safemode

msconfig

- startup then uncheck anythings suspicious.

Link to post
Share on other sites
Violent

Already did all that. Couldn't find ANY files in programs for winspywareprotect

Link to post
Share on other sites
NEVER85

http://www.bleepingcomputer.com/files/sdfix.php

Click this link and download SDFix. It restores all your registry entries to default, which should fix the whole problem of being locked out of doing things. Had a similar problem before and it worked. Afterwards, you can run SUPERAntiSpyware and remove the infection.

You have to run SDFix in Safe Mode, however.

Link to post
Share on other sites
roadgeek9
You have to run SDFix in Safe Mode, however.

I think he's only allowed to run in Safe Mode on that computer.

Link to post
Share on other sites
zhangm

Get Hijack This and post a log. You might have something else hiding away that redownloads and reinstalls malware, so we need to get your machine into a state where you can install and run AV software.

Link to post
Share on other sites
redvamp128
Get Hijack This and post a log. You might have something else hiding away that redownloads and reinstalls malware, so we need to get your machine into a state where you can install and run AV software.

He has already tried that one- but I think he will have the issue with Hijack This not Installing-

Unless someone can find the older version that does not have to install-

I already suggested that-

redvamp128 Posted Today, 21:59 spacer.gif You could also try

Hijack THis

http://www.download.com/Trend-Micro-Hijack...3.html?hhTest=1

So that we know what processes are running

Link to post
Share on other sites
zhangm
He has already tried that one- but I think he will have the issue with Hijack This not Installing-

Point me to the post where it is explicitly said that HT isn't "installing". It doesn't install as far as I'm aware, its a standalone EXE.

Link to post
Share on other sites
redvamp128
I tryed installing Superantispywarepro but I get an error saying: The system administrator has set policies to prevent this installation.

Where can I edit that?

When I downloaded the latest version it unzipped the and kicked on the windows installer-- maybe he could find an earlier version.

Link to post
Share on other sites
zhangm
When I downloaded the latest version it unzipped the and kicked on the windows installer-- maybe he could find an earlier version.

Here's mine, seems to just run. I'm gonna try not zipping it, just rename the file with a .exe extension.

HjT.txt

Link to post
Share on other sites
Violent

Apparently no exe files will load. The SDFix won't load it just says: Run? (that dialogue box when you click on it) and I click yes and nothing happens.

Link to post
Share on other sites
redvamp128

Can you try this- Download that backup Program- From http://www.dougknox.com/xp/utils/xp_emerutils.htm and run it on your dads computer- Worse case is that they will not run on the infected computer- then copy the folder that it creates after the backup= This may sound crazy- but copy the taskmanger1.exe file to another folder then rename it to taskmanager1.(com) without the ( ) then transfer those files to your infected computer- While in safe mode create a shortcut for startup in the all users to the taskmanger1 file. Then boot into your normal Operating system = this should kick the taskmanger to start up before anything else- and when you get that up then stop any task that you don't know. May take a few times - but could give you the leeway to get it to run an onlinevirus scanner - or to install saving software.

Link to post
Share on other sites
zhangm

If you are able to boot into command prompt, you might be able to use the command line interface to edit autorun entries in the registry. Here is a list of locations that programs can save autorun entries to:

http://www.nthelp.com/40/autorun.htm

You can either go through and REG QUERY each location for malware entries, or REG SAVE and then REG DELETE to backup and then remove all the autorun entries. You might then use the sc query command, write it to a text file, and figure out which services might be associated with the malware, and remove those.

Link to post
Share on other sites
roadgeek9
Apparently no exe files will load. The SDFix won't load it just says: Run? (that dialogue box when you click on it) and I click yes and nothing happens.

No EXE files will run? Have you tried going to Start > Run (or Windows Key+R) and typing in "cmd" or "notepad"? Try that and tell us the results.

Link to post
Share on other sites
Violent

Well some exe files will but the helpfull ones wont (antivirus stuff wont).

Update: I am on my computer right now in safe mode, so far I have deleted some more crap I found from winspywareprotect. However, whenever I search on google I get redirected to asiuoqgusdbaksd.com and I can't download anything to help get rid of that because of the no anti anything exe files won't download.

Also, my C drive is still hidden in My Computer but I can access it using run. How do I unhide it?

I can also access taskmanager and regedit now. Im in safe mode still but I don't see anything suspicious in taskmanager.

Edited by Violent
Link to post
Share on other sites
zhangm

What are your registry autorun entries? What services are installed?

Link to post
Share on other sites
roadgeek9
Also, my C drive is still hidden in My Computer but I can access it using run. How do I unhide it?

You shouldn't be worried about that, but if you must, you can download Tweak UI for Windows XP and find the setting.

Link to post
Share on other sites
Violent

I don't know what you mean Relativity.

Roadgeek, I also have some sites that are 'blocked' that say Internet Explorer cannot display the webpage. It's obvious thats part of the virus because its only on sites that could help get rid of it. If you could provide an alternative link to Tweak such as rapidshare I would appreciate it.

Link to post
Share on other sites
zhangm

TweakUI is a bandage right now. You're infected, the program is obviously still running, because its blocking certain parts of your computer. You need to prevent its processes from starting up automatically, before you start fixing anything.

I posted the link to autorun entries in the registry a few posts ago. Here it is again:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, the "run" and Load" keys (if they exist).

So for each of those, run in command prompt, reg export REGKEY C:\OUTPUT.FILE.NAME. Replace REGKEY with one of the lines from the code above, and replace OUTPUT.FILE.NAME with somename.txt. Do this for each line, you might get Not Found errors, if they don't all exist, but ignore them. ZIP those up and post them here, we want to see what is starting up automatically with Windows. The files will be placed

Then, in a command prompt, type in sc query > C:\servicesquery.txt

Zip that output and post it here as well. It will tell us what services are installed.

We are basically doing the same things as some antispyware programs do, but since you can't run those, we'll just have to take each step ourselves.

Edited by Relativity_17
Link to post
Share on other sites
Neyht

Well the hosts file is probably getting edited.

C:\windows\system32\drivers\etc\hosts Open it in notepad.

The only line it needs to have in it is :

127.0.0.1 localhost

Save as "hosts" (no extension) then mark as read only and see if the file stays intact.

Link to post
Share on other sites
+warwagon

You can try to remove the infection but as Leo Leporta and Steve Gibson would say, you machine has been comprised and can never be trusted again. I'd tend to agree. They would also never enter any banking information in that computer ever again unless a clean install was done.

Link to post
Share on other sites
roadgeek9
Roadgeek, I also have some sites that are 'blocked' that say Internet Explorer cannot display the webpage. It's obvious thats part of the virus because its only on sites that could help get rid of it. If you could provide an alternative link to Tweak such as rapidshare I would appreciate it.

Here you go: http://rapidshare.com/files/129339854/Twea...ySetup.exe.html.

Link to post
Share on other sites
Violent

Well I can't open a full reply anymore and quote anyone for some dumb reason.

Relativity-Since I can't do anything with Add Reply, only quick reply I had to upload it to rapidshare. http://rapidshare.com/files/129393862/Commandtxts.zip.html

Ned-When I first opened that folder up there wasnt a hosts file. So I made one like you said and it seems to stay the same.

Roadgeek-Thanks

Update: I figured out that if I renamed the file (SpybotSD) that it would load. I installed it but however it won't load now. I got install to work but no program.

Edited by Violent
Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.