redvamp128 Posted July 12, 2008 Share Posted July 12, 2008 Also have a look and try this- Might help lift the restrictions in place http://support.microsoft.com/default.aspx?...p;Product=winxp And yes I know it is a fix for a different worm... but may help fix the restrictions. Link to comment Share on other sites More sharing options...
redvamp128 Posted July 12, 2008 Share Posted July 12, 2008 You also not only have to remove them from the registry but also look where they lead to and delete the files- look also in the following folders... C:\Documents and Settings\All Users\Start Menu\Programs\Startup C:\Program Files Then also look in the Documents and settings\your username\start menu\programs\Startup also try in safemode msconfig - startup then uncheck anythings suspicious. Link to comment Share on other sites More sharing options...
Violent Posted July 12, 2008 Author Share Posted July 12, 2008 Already did all that. Couldn't find ANY files in programs for winspywareprotect Link to comment Share on other sites More sharing options...
redvamp128 Posted July 12, 2008 Share Posted July 12, 2008 Here is a list of the where programs can use startup from the registry. http://www.doshelp.com/HowToView/Registry_Keys.htm Link to comment Share on other sites More sharing options...
NEVER85 Posted July 12, 2008 Share Posted July 12, 2008 http://www.bleepingcomputer.com/files/sdfix.php Click this link and download SDFix. It restores all your registry entries to default, which should fix the whole problem of being locked out of doing things. Had a similar problem before and it worked. Afterwards, you can run SUPERAntiSpyware and remove the infection. You have to run SDFix in Safe Mode, however. Link to comment Share on other sites More sharing options...
roadgeek9 Posted July 12, 2008 Share Posted July 12, 2008 You have to run SDFix in Safe Mode, however. I think he's only allowed to run in Safe Mode on that computer. Link to comment Share on other sites More sharing options...
redvamp128 Posted July 12, 2008 Share Posted July 12, 2008 You could probably make an issue at the Spybot Search and Destroy Forum. http://forums.spybot.info/ once you join their forum Sign in and go to this part to post your problem. http://forums.spybot.info/forumdisplay.php?f=17 Link to comment Share on other sites More sharing options...
zhangm Supervisor Posted July 12, 2008 Supervisor Share Posted July 12, 2008 Get Hijack This and post a log. You might have something else hiding away that redownloads and reinstalls malware, so we need to get your machine into a state where you can install and run AV software. Link to comment Share on other sites More sharing options...
redvamp128 Posted July 12, 2008 Share Posted July 12, 2008 Get Hijack This and post a log. You might have something else hiding away that redownloads and reinstalls malware, so we need to get your machine into a state where you can install and run AV software. He has already tried that one- but I think he will have the issue with Hijack This not Installing- Unless someone can find the older version that does not have to install- I already suggested that- redvamp128 Posted Today, 21:59 You could also try Hijack THis http://www.download.com/Trend-Micro-Hijack...3.html?hhTest=1 So that we know what processes are running Link to comment Share on other sites More sharing options...
zhangm Supervisor Posted July 12, 2008 Supervisor Share Posted July 12, 2008 He has already tried that one- but I think he will have the issue with Hijack This not Installing- Point me to the post where it is explicitly said that HT isn't "installing". It doesn't install as far as I'm aware, its a standalone EXE. Link to comment Share on other sites More sharing options...
redvamp128 Posted July 12, 2008 Share Posted July 12, 2008 I tryed installing Superantispywarepro but I get an error saying: The system administrator has set policies to prevent this installation.Where can I edit that? When I downloaded the latest version it unzipped the and kicked on the windows installer-- maybe he could find an earlier version. Link to comment Share on other sites More sharing options...
zhangm Supervisor Posted July 12, 2008 Supervisor Share Posted July 12, 2008 When I downloaded the latest version it unzipped the and kicked on the windows installer-- maybe he could find an earlier version. Here's mine, seems to just run. I'm gonna try not zipping it, just rename the file with a .exe extension. HjT.txt Link to comment Share on other sites More sharing options...
Violent Posted July 12, 2008 Author Share Posted July 12, 2008 Apparently no exe files will load. The SDFix won't load it just says: Run? (that dialogue box when you click on it) and I click yes and nothing happens. Link to comment Share on other sites More sharing options...
redvamp128 Posted July 12, 2008 Share Posted July 12, 2008 Can you try this- Download that backup Program- From http://www.dougknox.com/xp/utils/xp_emerutils.htm and run it on your dads computer- Worse case is that they will not run on the infected computer- then copy the folder that it creates after the backup= This may sound crazy- but copy the taskmanger1.exe file to another folder then rename it to taskmanager1.(com) without the ( ) then transfer those files to your infected computer- While in safe mode create a shortcut for startup in the all users to the taskmanger1 file. Then boot into your normal Operating system = this should kick the taskmanger to start up before anything else- and when you get that up then stop any task that you don't know. May take a few times - but could give you the leeway to get it to run an onlinevirus scanner - or to install saving software. Link to comment Share on other sites More sharing options...
zhangm Supervisor Posted July 12, 2008 Supervisor Share Posted July 12, 2008 If you are able to boot into command prompt, you might be able to use the command line interface to edit autorun entries in the registry. Here is a list of locations that programs can save autorun entries to: http://www.nthelp.com/40/autorun.htm You can either go through and REG QUERY each location for malware entries, or REG SAVE and then REG DELETE to backup and then remove all the autorun entries. You might then use the sc query command, write it to a text file, and figure out which services might be associated with the malware, and remove those. Link to comment Share on other sites More sharing options...
roadgeek9 Posted July 12, 2008 Share Posted July 12, 2008 Apparently no exe files will load. The SDFix won't load it just says: Run? (that dialogue box when you click on it) and I click yes and nothing happens. No EXE files will run? Have you tried going to Start > Run (or Windows Key+R) and typing in "cmd" or "notepad"? Try that and tell us the results. Link to comment Share on other sites More sharing options...
Violent Posted July 13, 2008 Author Share Posted July 13, 2008 (edited) Well some exe files will but the helpfull ones wont (antivirus stuff wont). Update: I am on my computer right now in safe mode, so far I have deleted some more crap I found from winspywareprotect. However, whenever I search on google I get redirected to asiuoqgusdbaksd.com and I can't download anything to help get rid of that because of the no anti anything exe files won't download. Also, my C drive is still hidden in My Computer but I can access it using run. How do I unhide it? I can also access taskmanager and regedit now. Im in safe mode still but I don't see anything suspicious in taskmanager. Edited July 13, 2008 by Violent Link to comment Share on other sites More sharing options...
zhangm Supervisor Posted July 13, 2008 Supervisor Share Posted July 13, 2008 What are your registry autorun entries? What services are installed? Link to comment Share on other sites More sharing options...
roadgeek9 Posted July 13, 2008 Share Posted July 13, 2008 Also, my C drive is still hidden in My Computer but I can access it using run. How do I unhide it? You shouldn't be worried about that, but if you must, you can download Tweak UI for Windows XP and find the setting. Link to comment Share on other sites More sharing options...
Violent Posted July 13, 2008 Author Share Posted July 13, 2008 I don't know what you mean Relativity. Roadgeek, I also have some sites that are 'blocked' that say Internet Explorer cannot display the webpage. It's obvious thats part of the virus because its only on sites that could help get rid of it. If you could provide an alternative link to Tweak such as rapidshare I would appreciate it. Link to comment Share on other sites More sharing options...
zhangm Supervisor Posted July 13, 2008 Supervisor Share Posted July 13, 2008 (edited) TweakUI is a bandage right now. You're infected, the program is obviously still running, because its blocking certain parts of your computer. You need to prevent its processes from starting up automatically, before you start fixing anything. I posted the link to autorun entries in the registry a few posts ago. Here it is again: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, the "run" and Load" keys (if they exist). So for each of those, run in command prompt, reg export REGKEY C:\OUTPUT.FILE.NAME. Replace REGKEY with one of the lines from the code above, and replace OUTPUT.FILE.NAME with somename.txt. Do this for each line, you might get Not Found errors, if they don't all exist, but ignore them. ZIP those up and post them here, we want to see what is starting up automatically with Windows. The files will be placed Then, in a command prompt, type in sc query > C:\servicesquery.txt Zip that output and post it here as well. It will tell us what services are installed. We are basically doing the same things as some antispyware programs do, but since you can't run those, we'll just have to take each step ourselves. Edited July 13, 2008 by Relativity_17 Link to comment Share on other sites More sharing options...
Neyht Member Posted July 13, 2008 Member Share Posted July 13, 2008 Well the hosts file is probably getting edited. C:\windows\system32\drivers\etc\hosts Open it in notepad. The only line it needs to have in it is : 127.0.0.1 localhost Save as "hosts" (no extension) then mark as read only and see if the file stays intact. Link to comment Share on other sites More sharing options...
+Warwagon MVC Posted July 13, 2008 MVC Share Posted July 13, 2008 You can try to remove the infection but as Leo Leporta and Steve Gibson would say, you machine has been comprised and can never be trusted again. I'd tend to agree. They would also never enter any banking information in that computer ever again unless a clean install was done. Link to comment Share on other sites More sharing options...
roadgeek9 Posted July 13, 2008 Share Posted July 13, 2008 Roadgeek, I also have some sites that are 'blocked' that say Internet Explorer cannot display the webpage. It's obvious thats part of the virus because its only on sites that could help get rid of it. If you could provide an alternative link to Tweak such as rapidshare I would appreciate it. Here you go: http://rapidshare.com/files/129339854/Twea...ySetup.exe.html. Link to comment Share on other sites More sharing options...
Violent Posted July 13, 2008 Author Share Posted July 13, 2008 (edited) Well I can't open a full reply anymore and quote anyone for some dumb reason. Relativity-Since I can't do anything with Add Reply, only quick reply I had to upload it to rapidshare. http://rapidshare.com/files/129393862/Commandtxts.zip.html Ned-When I first opened that folder up there wasnt a hosts file. So I made one like you said and it seems to stay the same. Roadgeek-Thanks Update: I figured out that if I renamed the file (SpybotSD) that it would load. I installed it but however it won't load now. I got install to work but no program. Edited July 13, 2008 by Violent Link to comment Share on other sites More sharing options...
Recommended Posts