PL HELP!!! my system is infected with winavxxx and many more spyware


Dr. X...The X Factor

I have an HP Compaq nx7010 running Windows XP Home Edition SP2. I was browsing
the web searching for a medicine's properties and I guess that was when the virus
entered my computer. It has been almost 2 weeks now. The virus was
(or is) a Trojan; it appeared as a yellow triangle with a "!" sign in the
middle, resembling Windows alerts, alerting me of potential spyware action.
Minutes later a pop-up appeared and if I click on it (which I did by mistake,
I was chatting and hit the enter key when it popped up) it will re-direct me to
a home page which I never used. I also got my homepage changed (hijacked) to
google.
I had tried various anti-virus software (Norton, AVG, McAfee) and it didn't
detect the Trojan nor did it prevent its entrance. Now I have Avast.
I have tried many things to kill the virus and work normally but I have not
been successful. I downloaded SPYNOMORE (by that time I was aware of the
Trojan and its big power), I had to re-start my computer and then all got
worse.
When I started in Safe Mode, I was not able to see the Control Panel icon
anymore.
I tried to uninstall SPYNOMORE but it didn't let me do it since I was
working in Safe Mode. Finally I downloaded SPYBOT SEARCH&DESTROY and ran it.
It found many undesirable files and removed them. Same
thing with SPYWARE TERMINATOR: it found many problems and claimed it had
solved them.
But it did not. The system was still working slowly with the same pop-ups and
yellow triangle when I tried to start
in Normal Mode, and the Control Panel was nowhere.
Just to check, I tried Run -- regedit, but it says that it has been
disabled by my administrator. Also, a popup has appeared a few times
indicating that I have "restrictions" on this computer.
Same with Task Manager and many other things too!!
Another "interesting" thing that I noticed was when I was re-starting the
computer in Safe Mode, I saw that the lines read Partition2, and this
computer (hard drive) is not partitioned!

I read about many similar problems on the internet on various forums with many
people suggesting many methods of removal... but I don't want to try something
myself and worsen my system's condition.
I get an error message saying "Contact your system administrator or technical
support group for further
assistance".
And that is what I am doing, asking for HELP from Microsoft's technical
support. I think I have done the most I could before posting this here, so if anyone
with knowledge about this problem can help me, I will be very happy.
Thank you so much in advance.

Akshay Hari
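The restrictions the poster describes (regedit "disabled by your administrator", Task Manager blocked, Control Panel missing) are produced by standard Windows policy values that spyware of this kind sets. As an added example that is not part of the thread, the following VBScript for XP's built-in Windows Script Host audits those values in both hives and, with /fix, deletes them; the registry paths are well-known Windows policy locations rather than anything taken from the thread, and the script name is an assumption.

```vbscript
' Added example (not from the thread). Audits the policy values behind the
' symptoms described above: regedit "disabled by your administrator",
' Task Manager blocked, Control Panel and Run hidden. The paths are the
' standard Windows policy locations (not taken from the thread). The
' DisableRegistryTools policy only blocks regedit.exe, so WScript.Shell
' can still read and delete the values.
'   cscript //nologo audit-restrictions.vbs        report only
'   cscript //nologo audit-restrictions.vbs /fix   also delete the values
' If the values come back after a reboot, something still running re-applies
' them: rescan in Safe Mode before fixing again.
Option Explicit

Const POL_SYSTEM   = "Software\Microsoft\Windows\CurrentVersion\Policies\System\"
Const POL_EXPLORER = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"

Dim sh, fix, hive, entry, path, value, found
Set sh = CreateObject("WScript.Shell")
fix = (WScript.Arguments.Count > 0)
If fix Then fix = (LCase(WScript.Arguments(0)) = "/fix")

' Each entry: (value path relative to the hive, effect when set to 1)
Dim policies
policies = Array( _
    Array(POL_SYSTEM & "DisableRegistryTools", "blocks regedit"), _
    Array(POL_SYSTEM & "DisableTaskMgr",       "blocks Task Manager"), _
    Array(POL_EXPLORER & "NoControlPanel",     "hides Control Panel"), _
    Array(POL_EXPLORER & "NoRun",              "hides Start > Run"), _
    Array(POL_EXPLORER & "NoFolderOptions",    "hides Folder Options") _
)

' RegRead raises an error when the value does not exist, so wrap it and
' return Empty in that case.
Function ReadValue(fullPath)
    On Error Resume Next
    ReadValue = sh.RegRead(fullPath)
    If Err.Number <> 0 Then
        Err.Clear
        ReadValue = Empty
    End If
End Function

' RegDelete also raises on failure (for example no rights on HKLM).
Sub DeleteValue(fullPath)
    On Error Resume Next
    sh.RegDelete fullPath
    If Err.Number <> 0 Then
        WScript.Echo "   could not remove (" & Err.Description & ")"
        Err.Clear
    Else
        WScript.Echo "   removed"
    End If
End Sub

found = 0
For Each hive In Array("HKCU", "HKLM")    ' malware often sets both hives
    For Each entry In policies
        path = hive & "\" & entry(0)
        value = ReadValue(path)
        If Not IsEmpty(value) Then
            If IsNumeric(value) Then
                If CLng(value) <> 0 Then
                    found = found + 1
                    WScript.Echo "RESTRICTED  " & path & " = " & value & "  (" & entry(1) & ")"
                    If fix Then DeleteValue path
                End If
            End If
        End If
    Next
Next

If found = 0 Then
    WScript.Echo "No restriction policies set."
ElseIf Not fix Then
    WScript.Echo found & " restriction(s) found. Re-run with /fix to remove them."
End If
```

Log off and back on (or reboot) after a /fix run so Explorer re-reads the policy keys.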
 
"Dr. X...The X Factor" <Dr. X...The X Factor@discussions.microsoft.com>
wrote in message news:0231F3D6-FB53-4CA5-9622-3777696FB707@microsoft.com...


The retail version of Norton can play havoc with your OS. Uninstall it
using Norton's own uninstall tool
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

The same applies to the retail version of McAfee. Go to:
http://ts.mcafeehelp.com/displaydoc.asp?frames=1&docid=131208&CategoryId=66251
for further guidance.

If this doesn't work use this:
http://www.revouninstaller.com/

While Norton's removal tool usually gets the job done, you may also want to
go to:
http://www.snapfiles.com/get/winsockxpfix.html
and download a copy of winsockxpfix just in case. Rarely, the removal of NIS
breaks the networking components in XP to the point where internet access is
impossible. This little utility will fix it back up.


For non-viral malware...
Please download, install and update the following software:

Ad-Aware - Free
http://www.lavasoftusa.com/products/ad_aware_free.php
http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy - Free
http://www.safer-networking.org/en/download/index.html

SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

How do you boot to Safe Mode?
By pressing/tabbing F8 (or F5 on some keyboards) during re-boot.
Alternatively:
Click onto Start==>Run, type "msconfig" (without quotation marks), click OK.
Then click onto the BOOT.INI tab and 'check' /SAFEBOOT, then OK, and click
Restart. To go back to Normal Mode, you must access the System Configuration
utility again, click the General tab, then click/check the radio button
'Normal Startup - load all device drivers and services'.

For viral malware:
Download David H. Lipman's MULTI_AV.EXE from the URL:
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose Unzip
Choose Close

Execute C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related
files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode. This way all the components can be downloaded from each AV
vendor's web site.
The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot
the PC.

You can choose to go to each menu item and just download the needed files or
you can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should
reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again
and choose which scanner you want to run in Safe Mode.
It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.
http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

For your consideration:
Ensure that your OS is current/updated/patched.
http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

Ensure that *all* software on your pc is current/updated.

Practice Safe-Hex
http://www.claymania.com/safe-hex.html

Read this also:
So How Did I Get Infected Anyway?
http://www.wilderssecurity.com/showthread.php?t=27971

Good luck and stay safe :)
 
"Kayman" <kayhkay~nospam~@gmail.com> wrote in message
news:eut5YEU6HHA.3900@TK2MSFTNGP02.phx.gbl...
>
> "Dr. X...The X Factor" <Dr. X...The X Factor@discussions.microsoft.com>
> wrote in message
> news:0231F3D6-FB53-4CA5-9622-3777696FB707@microsoft.com...


Valuable advice from an expert. Be guided accordingly!

Question:
"Is it advisable to turn off System Restore while cleaning the OS using
AV/A-S, and if so, when do you turn it off and then on?
Also, is it recommended to delete all restore points during this
procedure?"

Answer:
"I used to be convinced that one should dump the System restore cache PRIOR
to cleaning a system. However after many discussions and based upon
personal tests and experience, I have come to the conclusion that this
should be done AFTER a system is cleaned.

Here's the problem. Most malware are binary files that the System Restore
cache will create a backup of in restore points. When one gets infected,
copies of the infector are now stored in the System Restore cache. If you
clean the system then restore to a prior Restore Point that contains
infectors, the OS becomes re-infected.

If you clean a PC and don't expect to restore to a previous Restore Point
then eventually the infected files will cache-out. In that situation, one
does NOT need to dump the System Restore cache.

If you dump the System Restore cache PRIOR to cleaning the system, you will
also remove a fall back point. That is, if during the cleanup the system
becomes unstable, you will not be able to restore the system from a previous
Restore Point. If you did restore the system
back to that state, you can clean the system differently such that the
system won't become unstable and/or unusable. Thus an infected Restore
Point is better than no Restore Point at all.

Later, when the system is cleaned and verified to be stable, you can then
dump the System Restore cache, reboot the PC and then re-enable the system
Restore cache and subsequently manually create an initial Restore Point.

Thus it is better to dump the cache AFTER and not BEFORE the system has
been cleaned of malware."

Dave H. Lipman
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
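Lipman's sequence above (dump the cache only after the system is clean and stable, reboot, re-enable System Restore, then manually create an initial restore point), scripted as an added example that is not from the thread. It uses the SystemRestore WMI class that XP provides in the root\default namespace; the script name sr-reset.vbs and the restore-point description are assumptions, and it has to be run from an administrator account.

```vbscript
' Added example (not from the thread): Lipman's post-cleanup System Restore
' sequence on XP, via the SystemRestore WMI class in root\default.
'   cscript //nologo sr-reset.vbs dump    disable SR on the system drive
'                                         (deletes every restore point)
'   ... reboot ...
'   cscript //nologo sr-reset.vbs enable  re-enable SR and create a fresh
'                                         baseline restore point
Option Explicit

Const RP_APPLICATION_INSTALL = 0     ' RestorePointType
Const RP_BEGIN_SYSTEM_CHANGE = 100   ' EventType

Dim sh, sr, sysDrive, mode, rc
Set sh = CreateObject("WScript.Shell")
' "C:\" on a normal install; the trailing backslash is what the class expects.
sysDrive = Left(sh.ExpandEnvironmentStrings("%SystemDrive%"), 2) & "\"
Set sr = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:SystemRestore")

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "usage: cscript sr-reset.vbs dump | enable"
    WScript.Quit 2
End If
mode = LCase(WScript.Arguments(0))

Select Case mode
    Case "dump"
        ' Disabling SR on the system drive turns it off for all drives and
        ' purges all restore points, including those holding infected copies.
        ' Only do this once the cleaned system has proven stable.
        rc = sr.Disable(sysDrive)
        Report "Disable System Restore", rc
        If rc = 0 Then WScript.Echo "Cache dumped. Reboot, then run: sr-reset.vbs enable"
    Case "enable"
        rc = sr.Enable(sysDrive, True)   ' True = wait until SR is active again
        Report "Enable System Restore", rc
        If rc = 0 Then
            ' The first restore point on the clean system is the new fallback.
            rc = sr.CreateRestorePoint("Clean baseline after malware removal", _
                                       RP_APPLICATION_INSTALL, RP_BEGIN_SYSTEM_CHANGE)
            Report "Create baseline restore point", rc
        End If
    Case Else
        WScript.Echo "unknown mode: " & mode
        WScript.Quit 2
End Select

Sub Report(op, code)
    If code = 0 Then
        WScript.Echo op & ": ok"
    Else
        WScript.Echo op & ": failed, WMI return code " & code
    End If
End Sub
```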
 
Hello Akshay Hari - I smell a rat here! (British colloquialism!)

I'm *not* a technical helper but I have been in a similar situation and come
here for help. The conundrum is knowing just who one can trust! :) I had
originally thought that this was a site operated by Microsoft and thus
beyond reproach, but that seems not to be the case. Literally *anyone* can
post here and, of course, purport to be something other than they really
are. I believe it to be a very dangerous place. Just my view.

You were given magnificent advice (or so it seems) by 'Kayman' - it may all
be absolutely correct.

However, the follow-up post is 'signed' by David H. Lipman - in this case
what is known as a 'bottom poster', with his response under the original one
from 'Kayman'. It appears, though, that a mistake has been made. Even though
that second post was supposed to be from Mr Lipman, it appears that the
poster was the very same 'Kayman' - both the name used in 'From' and the
IP address (203.172.37.194) are the same.

Perhaps there is a simple explanation. Comments from others here might help.

I do note that you personally didn't mention using System Restore. Have you
used it? (Start/All Programs/Accessories/System Tools/System Restore)

Perhaps worth a try if you haven't. Hope this helps!

BD

**********************************************************************

"Dr. X...The X Factor" <Dr. X...The X Factor@discussions.microsoft.com>
wrote in message news:0231F3D6-FB53-4CA5-9622-3777696FB707@microsoft.com...
 
Dr. X...The X Factor wrote:
> I have a HP Compaq nx7010 running Windows XP Home Edition SP2. I was browsing
> the web searching for a medicine properties and I guess it was when the virus
> entered my computer. It has been almost 2 weeks now. The virus was
> (or is) a Trojan, it appeared as a yellow triangle with "!" sign in the
> middle resembling windows alerts alerting me of potential spyware action.
> Minutes later a pop-up appeared and if I click on it (which I did by mistake,
> was chatting and hit the enter key when it poped-up) it will re-direct me to
> a home page which I never used. I also got my homepage changed (hijacked) to


(snip very long post)

Do the preparatory steps here:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Then do the specific removal steps here:
http://www.elephantboycomputers.com/page2.html#Winfixer - Winfixer

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
Thanks Andrew. Please see my response to Kayman in
microsoft.public.security.homeusers

David

*******************************************************************


"Andrew Taylor" <andrewcrumplehorn@spamcopSUBVERSIVE.com> wrote in message
news:46d4dd46@newsgate.x-privat.org...
> "BoaterDave" <BoaterDave@nospam.invalid> wrote in message
> news:u3lwE%23U6HHA.1208@TK2MSFTNGP03.phx.gbl...
>> Hello Akshay Hari - I smell a rat here! (British colloquialism!)
>>

> No rats David. I'll make it very easy for you :>)
>
> Valuable advice from an expert
>
> <snip info>
>
> Dave H. Lipman
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
 