Winspywarepro


Violent

Renamed HJT and could run it

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:12: VIRUS ALERT! (by the way, it says "VIRUS ALERT!" next to anywhere that displays my clock) on 7/13/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\svcntaux.exe

C:\Program Files\Spyware Doctor\swdsvc.exe

C:\Program Files\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Documents and Settings\Administrator\Desktop\lal.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\It blocks names\Haha\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)

O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll

O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

O16 - DPF: {08D390AE-5101-4701-A89F-6C6DADCCC402} (MSN Photo Select Tool) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {507813C3-0B26-47AD-A8C0-D483C7A21FA7} (PipPPush) - http://photos.msn.com/resources/neutral/co...ls/PipPPush.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx

O21 - SSODL: fdxbameg - {C8E349C8-A6B0-4403-B6D8-D9ED7AF2F546} - C:\WINDOWS\fdxbameg.dll

O21 - SSODL: fsrpknov - {C41B398F-C986-444E-8EB1-D25BCC2C27EC} - C:\WINDOWS\fsrpknov.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

O24 - Desktop Component 0: (no name) - http://images.google.com/images?q=tbn:ZHQ5...s/Hot_Water.jpg

--

End of file - 10216 bytes

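A first-pass triage of a log like the one above, written here as an added example (it is not code from the thread or from HijackThis). It keys on the entry types that matter in this log: an executable running from a user's Desktop, randomly named DLLs sitting directly in C:\WINDOWS under O3 (toolbar) and O21 (ShellServiceObjectDelayLoad, which Explorer loads at every logon, so the infection comes back with the desktop), the broken O10 LSP chain, the softwarereferral.com start page, and orphaned or SYSTEM-account entries. The random-name heuristic, the trusted-host list and the severity labels are this example's own assumptions; SAMPLE_LOG is a constructed excerpt made of lines quoted in this thread.

```python
"""Heuristic first-pass triage of a HijackThis v2 log.

Added example, not code from the thread or from HijackThis. The rules are a
responder's indicators, not HijackThis's own logic; SAMPLE_LOG is a constructed
excerpt made of lines quoted in the thread.
"""
import re
from dataclasses import dataclass

VOWELS = set("aeiouy")
# Hosts accepted as benign start/search pages (assumption); anything else is flagged.
TRUSTED_HOME = ("google.", "microsoft.com", "msn.com", "live.com", "yahoo.com")
BROWSER_KEYS = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL",
                "First Home Page", "SearchAssistant", "CustomizeSearch"}
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PROC_RE = re.compile(r"^[a-z]:\\.*\.exe$", re.I)                    # "Running processes" lines
WINROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.(dll|exe)$", re.I)  # file directly in %WINDIR%
REGVAL_RE = re.compile(r"^(.*?),([^,=]+?)\s*=\s*(.*)$")             # "<key>,<value> = <data>"


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str


def looks_random(path: str) -> bool:
    """True for stems like 'sqvgnrpx': 6-10 lowercase letters with at most two vowels."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 10 and stem.isalpha() and stem.islower()):
        return False
    return sum(c in VOWELS for c in stem) <= 2


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):
            if "\\desktop\\" in line.lower() or "\\temp\\" in line.lower():
                findings.append(Finding("high", line, "process running from a user profile folder"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        path = body.rsplit(" - ", 1)[-1].strip()  # last field of O3/O21 entries is the file
        if sec in ("R0", "R1"):
            rv = REGVAL_RE.match(body)
            if not rv:
                continue
            name, data = rv.group(2), rv.group(3)
            if name == "ProxyOverride":
                findings.append(Finding("low", line, "proxy override set; check ProxyServer as well"))
            elif name in BROWSER_KEYS and data and not any(t in data.lower() for t in TRUSTED_HOME):
                findings.append(Finding("high", line, "browser start/search page points at an unknown site"))
        elif sec == "O3":
            if path == "(no file)":
                findings.append(Finding("low", line, "orphaned toolbar CLSID"))
            elif WINROOT_RE.match(path) and looks_random(path):
                findings.append(Finding("high", line, "random-named toolbar DLL in %WINDIR%"))
        elif sec == "O4" and "HKUS\\S-1-5-18" in body:
            findings.append(Finding("medium", line, "Run entry under the SYSTEM account"))
        elif sec == "O10" and "missing" in body:
            findings.append(Finding("high", line, "Winsock LSP chain broken; repair with an LSP tool, not by deleting"))
        elif sec == "O21":
            if WINROOT_RE.match(path) and looks_random(path):
                findings.append(Finding("high", line, "random-named SSODL DLL in %WINDIR%, loaded by Explorer at logon"))
            else:
                findings.append(Finding("medium", line, "SSODL entry: verify the publisher"))
        elif sec == "O23" and "(file missing)" in body:
            findings.append(Finding("low", line, "service points at a missing binary"))
        elif sec == "O24":
            findings.append(Finding("medium", line, "Active Desktop component pulls remote content"))
    return findings


# Constructed excerpt: lines quoted in the thread, one benign process line included.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\lal.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O21 - SSODL: fdxbameg - {C8E349C8-A6B0-4403-B6D8-D9ED7AF2F546} - C:\WINDOWS\fdxbameg.dll
O21 - SSODL: fsrpknov - {C41B398F-C986-444E-8EB1-D25BCC2C27EC} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O24 - Desktop Component 0: (no name) - http://images.google.com/images?q=tbn:ZHQ5...s/Hot_Water.jpg
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run as a script it prints one line per finding. The O10 entry is scored high but the suggested action is a Winsock repair tool (as warwagon says below, LSPFix), because the provider DLL is already gone and what is broken is the chain itself; the PayPal toolbar, the Symantec services and the svchost.exe line produce no finding at all, which is the point of scoring by location and name rather than by section.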
Simon-

If you formatted C:, it would have been fixed by now.

+warwagon

Looks like you should download LSPFix and get rid of that NewDotNet.

Unknown_97784568745

Use Malwarebytes' Anti-Malware, it's one of the best (if not THE best)!

roadgeek9

You can try out AVG Free, which should be able to cover some issues. I think it has round the clock anti-spyware coverage, but that might just be anti-virus coverage.

ViperAFK
You can try to remove the infection, but as Leo Laporte and Steve Gibson would say, your machine has been compromised and can never be trusted again. I'd tend to agree. They would also never enter any banking information on that computer ever again unless a clean install was done.

I definitely agree, in my experience it's about impossible to completely get rid of these nasty deep rooted viruses. Though hopefully you can get it clean enough to backup all your files, but I would still recommend a format eventually. I've had viruses like this seem completely gone then resurface soon after.

redvamp128

I just found this. It's how it is reproducing itself, part of the issue:

C:\Documents and Settings\Administrator\Desktop\lal.exe

Positive identification: TrojanClicker.Win32.Spywad.a

File: c:\windows\lal.exe

You could try to remove that one in Safe Mode, or if you have a bootable Linux like Puppy Linux or a good live version that can read NT.

I found this here.

http://www.webuser.co.uk/forums/showflat.p...view/collapsed/

Except in your case it is loading as part of the desktop- Like a webpage-

zhangm

First, in Safe Mode, kill these processes using Task Manager, if they still exist.

C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Documents and Settings\Administrator\Desktop\lal.exe

Use HijackThis to remove these entries. * You will lose some legitimate programs that start up automatically, such as AIM, but it will hopefully make the crippled computer less painful to use.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {08D390AE-5101-4701-A89F-6C6DADCCC402} (MSN Photo Select Tool) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {507813C3-0B26-47AD-A8C0-D483C7A21FA7} (PipPPush) - http://photos.msn.com/resources/neutral/co...ls/PipPPush.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O21 - SSODL: fdxbameg - {C8E349C8-A6B0-4403-B6D8-D9ED7AF2F546} - C:\WINDOWS\fdxbameg.dll
O21 - SSODL: fsrpknov - {C41B398F-C986-444E-8EB1-D25BCC2C27EC} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - http://images.google.com/images?q=tbn:ZHQ5...s/Hot_Water.jpg

Then, boot into Command Prompt, and use del and deltree to remove these files and folders, if they still exist. Always quote a path if it has spaces in it, like in the list below.

C:\WINDOWS\sqvgnrpx.dll
"c:\program files\newdotnet\newdotnet6_38.dll"
"C:\Program Files\newdotnet"
C:\WINDOWS\fsrpknov.dll
C:\WINDOWS\fdxbameg.dll

Then reboot the computer again in Safe Mode, try and update Symantec AV, and run a full scan. Also please note that you may not be dealing with spyware only - you may have a virus that is constantly checking, downloading, and reinstalling malware once it detects that you've removed some.

Joel
I CANNOT access the internet in normal mode, only in safe mode.

So how are you posting now? Use that computer to get the LiveCD and burn it. Wow.

zhangm
So how are you posting now? Use that computer to get the LiveCD and burn it. Wow.

Seriously, did you just quote the answer to your own question? Wow.

Edit: Yup, just like you'd expect, programs like Internet Explorer and Firefox work in Safe Mode.

xendrome

Just run ComboFix 2 times in Safe Mode; it'll take this right out...

Joel
Seriously, did you just quote the answer to your own question? Wow.

Edit: Yup, just like you'd expect, programs like Internet Explorer and Firefox work in Safe Mode.

Then he should stop saying he can't get on the internet to get the LiveCD. Read the quoted post next time.

roadgeek9

If nothing we are telling you is working, you should just somehow back up your data safely and reformat.

If something we are telling you is working, still reformat, just to be safe.

morphen
If nothing we are telling you is working, you should just somehow back up your data safely and reformat.

If something we are telling you is working, still reformat, just to be safe.

+1

Just backup your data in safe mode, then reformat and reinstall windows.

WinSpywarePro and ErrorSafe are hard to remove completely. Of course you can do a manual removal using one of those step-by-step manual removal guides, but my experience is that you get reinfected shortly after.

roadgeek9
Just backup your data in safe mode, then reformat and reinstall windows.

How can he back it up in Safe Mode? Does Windows XP Safe Mode support USB (if he is using a flash drive)? I don't think CD burning is an option either.

Okay, that was probably a dumb question, but I am almost never in Safe Mode.

redvamp128

Safe mode with networking....

TYT

I just dealt with something similar (Vundo, with the SmitFraud variant that brings in Vista AntiVirus 2008 and the like). The steps about getting a live CD and using that to scan, either with an online scanner such as Trend Micro or BitDefender, are dead on. You will not get rid of this thing by trying to run programs in Windows, Safe Mode or not. Also, there was a link posted earlier for SDFix. Get it. It will do wonders once you get the first wave of scans done.

Finally, your C: Drive, and your Log Off abilities are in

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

There will probably be three keys there, Hide drives, logoff something and another drive related one. Export them to back them up and then delete them. You will then gain access to your drives.

Good luck.

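The post above tells you to export and then delete the values under HKCU\...\Policies\Explorer but not what is in them. The added example below (not from the thread) parses a `reg export` of that key, decodes the drive bitmask so you can see which letters are being hidden or blocked, and emits the reg.exe commands for a back-up-then-delete. It assumes the three values the post describes are the ones Windows uses for this: NoDrives (hide drive letters), NoViewOnDrive (refuse access to them) and NoLogOff (hide Log Off); SAMPLE_REG is a constructed export with a second, unrelated key added to show the parser ignores it.

```python
"""Decode and back out the Explorer policy values that hide drives and Log Off.

Added example, not from the thread. Assumes the post's three values are
NoDrives, NoViewOnDrive and NoLogOff. SAMPLE_REG is constructed text in the
format written by reg.exe's export (which is UTF-16LE with CRLF on disk).
"""
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUES = ("NoDrives", "NoViewOnDrive", "NoLogOff")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed sample: C: hidden and blocked, Log Off removed, plus an unrelated key.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + POLICY_KEY + "]",
    '"NoDrives"=dword:00000004',
    '"NoViewOnDrive"=dword:00000004',
    '"NoLogOff"=dword:00000001',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]",
    '"DisableTaskMgr"=dword:00000001',
    "",
])


def parse_dwords(reg_text: str, key: str) -> dict:
    """Return {value_name: int} for the DWORD values directly under `key`."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            in_key = k.group("key").lower() == key.lower()
            continue
        d = DWORD_RE.match(line)
        if in_key and d:
            values[d.group("name")] = int(d.group("hex"), 16)
    return values


def drives_from_mask(mask: int) -> list:
    """NoDrives/NoViewOnDrive bitmask: bit 0 is A:, bit 1 is B:, ..., bit 25 is Z:."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]


def explorer_restrictions(reg_text: str) -> dict:
    vals = parse_dwords(reg_text, POLICY_KEY)
    return {
        "hidden_drives": drives_from_mask(vals.get("NoDrives", 0)),
        "blocked_drives": drives_from_mask(vals.get("NoViewOnDrive", 0)),
        "logoff_hidden": vals.get("NoLogOff", 0) != 0,
        "present": sorted(vals),
    }


def cleanup_commands(reg_text: str, backup: str = "explorer-policies.reg") -> list:
    """reg.exe commands: back the key up first, then delete only the values that exist."""
    hkcu_key = POLICY_KEY.replace("HKEY_CURRENT_USER", "HKCU", 1)
    cmds = [f'reg export "{hkcu_key}" {backup}']
    present = parse_dwords(reg_text, POLICY_KEY)
    for name in POLICY_VALUES:
        if name in present:
            cmds.append(f'reg delete "{hkcu_key}" /v {name} /f')
    return cmds


if __name__ == "__main__":
    print(explorer_restrictions(SAMPLE_REG))
    print("\n".join(cleanup_commands(SAMPLE_REG)))
```

Deleting the values is only half the job: they take effect again the next time Explorer starts, so check the key after a reboot; if the values come back, the dropper that writes them is still running and the registry is a symptom, not the cause.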
Violent

Joel take the time and read my other posts. I posted the other day that I now had access to the internet on safe mode. I could get a LiveCD but I have a LOT of files on my computer and I wanted to see if there was a way to avoid backing everything up. Looks like not.

redvamp128
Joel take the time and read my other posts. I posted the other day that I now had access to the internet on safe mode. I could get a LiveCD but I have a LOT of files on my computer and I wanted to see if there was a way to avoid backing everything up. Looks like not.

I suggested the Linux (Puppy Linux) live CD if you could not delete those pesky virus/spyware files in Safe Mode. You just would have to boot with it and then mount the hard drive, then look for those files. Don't forget to unmount the drive. Now once that is done, you may get mundo errors where it says it can't find them, but that is an easy fix when you get into the OS, through the registry and msconfig.

The main one I am worried about is the

C:\Documents and Settings\Administrator\Desktop\lal.exe

That is why I suggested Puppy Linux running in live mode.

Violent
I suggested the Linux (Puppy Linux) live CD if you could not delete those pesky virus/spyware files in Safe Mode. You just would have to boot with it and then mount the hard drive, then look for those files. Don't forget to unmount the drive. Now once that is done, you may get mundo errors where it says it can't find them, but that is an easy fix when you get into the OS, through the registry and msconfig.

The main one I am worried about is the

C:\Documents and Settings\Administrator\Desktop\lal.exe

That is why I suggested Puppy Linux running in live mode.

I got Firefox running by renaming the files. I don't get the Google redirections anymore, but I still have some sites blocked. Whatever, my comp is 5 years old, did its job for that long, and I was looking into getting a new one before this all happened anyway, so I think I'll just get a new one. Any suggestions for sites?

+warwagon
I got Firefox running by renaming the files. I don't get the Google redirections anymore, but I still have some sites blocked. Whatever, my comp is 5 years old, did its job for that long, and I was looking into getting a new one before this all happened anyway, so I think I'll just get a new one. Any suggestions for sites?

Well, if you want to build your own, then I would highly suggest http://www.newegg.com.

Otherwise, if you want to buy pre-made:

http://www.dell.com

redvamp128

Did you ever get the lal.exe removed from the desktop?

I would suggest, if it were IE running, Panda Antivirus (online scanner). But possibly, if you can load up the Yahoo toolbar in Firefox, maybe its spyware scanner can remove it.

Another thing possibly worth a shot is Stinger:

http://vil.nai.com/vil/stinger/

abcdefg
Whatever, my comp is 5 years old, did its job for that long and I was looking into getting a new one before this all happened anyone so I think I'll just get a new one. Any suggestions for sites?

http://www.apple.com/mac/
