Can't remove spyware/virus program.

Joatman71

I have a running process that I can't get rid of. I have used
Symantec Antivirus, AVG Antivirus, Spybot and Ad-aware. None of these
find it.

If I kill this process it starts up again. I found the executable
name in the registry under
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce
(also under Run) and deleted it, but it immediately comes back again.
If I start in safe mode, it is already running. The only way I can
stop it is to install the hard drive onto another computer and delete
the file when the drive is acting as a slave. This can be hard
because the file is often in a directory that can only be accessed
using DOS and it is also a system file, which coincidentally seems to be
only deletable using Windows Explorer. When I can't delete it, I
rename the parent directory. This allows me to start up the system
again and delete the registry entries. Things seem fine for a while
and then the process comes back under a different name. I am using
NAT and am also behind a firewall.

I would like to be able to fix this without reinstalling everything,
but a larger concern is that none of the scanners that I used found
it. I am also concerned that I was infected. I am using email virus
scanning, real-time scanning, a firewall, and try to keep up with the
latest Microsoft patches. I am installing XPSP2 now, which I don't
think will get rid of the virus, but may help stop me from getting
another one.

Any suggestions as to how to get rid of the process? Is there a place
I can send the file and have it looked at?

Joatman71
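
For the Run and RunOnce entries described in the post above, an added example (not part of the original thread) that lists every autostart value under those keys with the file it launches, whether the file exists, its Authenticode status and its last-modified time. The helper `Get-TargetPath` is hypothetical and only handles simple quoted and unquoted command lines.

```powershell
# Added example, read-only: inventory Run/RunOnce autostart entries so an
# unfamiliar or recently changed executable stands out. Changes nothing.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the program path out of a command line.
function Get-TargetPath([string]$command) {
    # Quoted path: take the text between the first pair of quotes.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: stop at the first executable extension (handles spaces).
    if ($command -match '^\s*(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-separated token.
    return ($command.Trim() -split '\s+')[0]
}

$entries = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $path   = [Environment]::ExpandEnvironmentVariables((Get-TargetPath $command))
        # Bare names such as "foo.exe" are resolved against the current
        # directory here, so they may show Exists = False.
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            File      = $path
            Exists    = $exists
            Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
            Modified  = if ($exists) { (Get-Item -LiteralPath $path -Force).LastWriteTime } else { $null }
        }
    }
}

# Newest files first: an entry that keeps coming back tends to be recent.
$entries | Sort-Object Modified -Descending | Format-List
```

Running it before and after deleting an entry shows whether the value has been rewritten and which file it now points to.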
 
Joatman71 said:
I have a running process that I can't get rid of. I have used
Symantec Antivirus, AVG Antivirus, Spybot and Ad-aware. None of these
find it.

If I kill this process it starts up again. I found the executable
name in the registry under
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce
(also under Run) and deleted it, but it immediately comes back again.
If I start in safe mode, it is already running. The only way I can
stop it is to install the hard drive onto another computer and delete
the file when the drive is acting as a slave. This can be hard
because the file is often in a directory that can only be accessed
using DOS and it is also a system file, which coincidentally seems to be
only deletable using Windows Explorer. When I can't delete it, I
rename the parent directory. This allows me to start up the system
again and delete the registry entries. Things seem fine for a while
and then the process comes back under a different name. I am using
NAT and am also behind a firewall.

I would like to be able to fix this without reinstalling everything,
but a larger concern is that none of the scanners that I used found
it. I am also concerned that I was infected. I am using email virus
scanning, real-time scanning, a firewall, and try to keep up with the
latest Microsoft patches. I am installing XPSP2 now, which I don't
think will get rid of the virus, but may help stop me from getting
another one.

Any suggestions as to how to get rid of the process? Is there a place
I can send the file and have it looked at?

Joatman71

Would it be too much trouble for you if you posted the name of the process?
 
heya,

I'm havin kind of the same problems. When I run Adaware it finds some nasty
UKvideo file and a whole bunch of registry keys. When I run Spybot S&D it
finds exploit and various other baddies.
The homepage always goes to about:blank and viagra and other rubbish like
that is littered all through it.

Same as JJ, these things just keep coming back time after time. I'm not cluey
enough to do all the things JJ did so if there's a simple solution (just on
the off chance : )...

YOU ROCK

cheer

K

Wait up, things just got worse. I reinstalled Adaware coz I've only been
using Spybot for the last week or so. It's found hundreds of bad critters
where it only used to find a few.
They mostly start with hkey then go current user, local machine, classes
root, etc.

Joatman - sorry if I'm steppin on your posting. Figured it was more or less
the same thing tho.
 
kahnage said:
heya,

I'm havin kind of the same problems. When I run Adaware it finds some nasty
UKvideo file and a whole bunch of registry keys. When I run Spybot S&D it
finds exploit and various other baddies.
The homepage always goes to about:blank and viagra and other rubbish like
that is littered all through it.

Same as JJ, these things just keep coming back time after time. I'm not cluey
enough to do all the things JJ did so if there's a simple solution (just on
the off chance : )...

YOU ROCK

cheer

K

Wait up, things just got worse. I reinstalled Adaware coz I've only been
using Spybot for the last week or so. It's found hundreds of bad critters
where it only used to find a few.
They mostly start with hkey then go current user, local machine, classes
root, etc.

Joatman - sorry if I'm steppin on your posting. Figured it was more or less
the same thing tho.

http://www.softwarepatch.com/tips/about-blank-adware.html

First choice is to download Ad-Aware and Spybot, update them and scan. If that
doesn't help, aboutbuster may work. I say may because I've never needed to use
it. Good luck.

To help stop unauthorized downloads via your ActiveX controls, change your
default settings.
These settings are good for XP. The wording should be close for other systems
as well.
Go to Control Panel and open "Internet Options".
Click on the Security tab, then Custom Level.
Make sure these settings are as follows.

Download signed ActiveX controls > set to Prompt
Download unsigned ActiveX controls > set to Disable
Initialize and script ActiveX controls not marked as safe > set to Disable
Run ActiveX controls and plug-ins > set to Enable
Script ActiveX controls marked safe for scripting > set to Enable
Java permissions > set to High
Launching programs and files in an IFRAME > Prompt
Installation of desktop items > Prompt
Navigate sub-frames across different domains > Prompt

Sometimes, when you remove malware, it will stop your TCP/IP
stack from working (Internet connection).
Winsock or LSP-fix will correct the problem. Download first.
Note to anyone using NOD32 Anti-Virus software: do not delete the
"imon.dll" this fix reports. That is your e-mail scanning engine.

LSP-fix - http://www.cexx.org/lspfix.htm
Spybot S&D - http://www.safer-networking.org/en/index.html
CWS Smart Killer - http://www.safer-networking.org/minifiles.html

About Buster - http://www.spychecker.com/program/aboutbuster.html
Ad-Aware SE - http://www.lavasoftusa.com/software/adaware/
CWShredder - http://www.majorgeeks.com/download4086.html
Hijack this - http://www.majorgeeks.com/download3155.html
SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard - http://www.javacoolsoftware.com/spywareguard.html
WinPatrol - http://winpatrol.com
BHODemon - http://pcworld.com/downloads/file_download.asp?fid=23611&fileidx=1
Bazooka - http://www.kephyr.com/spywarescanner/index.html
asquared2 "Trojan Remover" - http://www.emsisoft.com/en/
Sygate Firewall - http://smb.sygate.com/download_buy.htm
NOD32 Anti-Virus free 30 day trial - http://nod32.com/download/trial.htm
Backup your registry with:
Erunt - http://home.t-online.de/home/lars.hederer/erunt/index.htm

A link for free online virus and trojan scanners.
http://virusall.com/downscan.html

A listing of BHOs
http://www.spywaredata.com/bho.php?current_page=0

To see if that freeware program you are about to install
is infested with spyware, check it out first at this link.
http://www.spychecker.com/
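
The security settings listed in the post above can be checked from the registry instead of the dialog. This is an added example, not part of the original post; it assumes the post refers to the Internet zone (zone 3) of the current user, and the URL action IDs and value scale are the standard Internet Explorer registry values rather than anything the poster gave.

```powershell
# Added example, read-only: compare the current user's Internet zone with the
# settings listed in the post. Assumes the post means the Internet zone (3).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value scale for URL actions: 0 = Enable, 1 = Prompt, 3 = Disable.
# Java permissions (1C00) has its own scale; 0x10000 is "High safety".
$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                  Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                Want = 3 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX not marked as safe';  Want = 3 }
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';                 Want = 0 }
    @{ Id = '1405'; Name = 'Script ActiveX controls marked safe for scripting'; Want = 0 }
    @{ Id = '1C00'; Name = 'Java permissions';                                  Want = 0x10000 }
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';         Want = 1 }
    @{ Id = '1800'; Name = 'Installation of desktop items';                     Want = 1 }
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';      Want = 1 }
)

$current = Get-ItemProperty -Path $zoneKey -ErrorAction Stop

$report = foreach ($r in $recommended) {
    # Each URL action is stored as a DWORD value named after its ID.
    $have = $current.($r.Id)
    [pscustomobject]@{
        Action  = $r.Id
        Setting = $r.Name
        Current = if ($null -eq $have) { '(not set)' } else { '0x{0:X}' -f $have }
        Wanted  = '0x{0:X}' -f $r.Want
        Ok      = ($null -ne $have) -and ($have -eq $r.Want)
    }
}

$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Ok }).Count
'{0} of {1} settings differ from the list in the post' -f $bad, $report.Count
```

A value that changes back after being set in the dialog is worth noting, since browser hijackers of the kind discussed in this thread commonly rewrite Internet Explorer settings.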
 