
GOD DAMNIT!@

I'm in the same boat, installed that MSN Plus the other day and didn't read the install questions, just kept clickin next. I've run every ad-aware program known, manually deleted registry entries, cleared every temp file thinkable, hijack-this entries deleted, CWS, virus scanners running, 75% of that done in safe mode, still hosed. Done all this multiple times, unusual for me since I can't remember the last time I was stupid enough to have this happen with spyware, except the usual cookies those programs catch
 
Okay, then there's only one option. Get a Bible, a crucifix and an ordained church official. We're gonna go Constantine on this bitch.
 
Originally posted by: aidanjm
Originally posted by: MAME
I downloaded and installed a file that was 2.3 megs of pure spyware. Now, even after my best efforts to delete it, I get IE popups every minute or so.

I ran adware, spybot and trend micro. I checked for any processes running that I don't recognize and it looks ok.

There's a few things that come up in adware every time, but otherwise it says everything is fine.

The 5 things are registry keys, and the path is as follows:
HKEY_CURRENT_USER:software\LQ

Even when I delete the values, it regenerates instantly.

God damnit, this is SO not what I needed with my paper due tomorrow. I will have to format during spring break :|

do you have the windows xp restore function turned on? (it's turned on by default). Most geeks seem to turn it off, but if it is on, you can get your computer to revert to the state prior to the install of the spyware software.

I'm a geek and turned it off (on purpose)
 
YES! By moving the Internet Explorer executable, I made this invisible elitenua32.exe crash. Once it crashed, I managed to delete all the spyware without it regenerating. I just hope that when I restart, the executable isn't run again (I turned it off in msconfig's startup but it has the power to recheck itself).

I think I may have gotten lucky, but we will see. I'm running the MS antispyware stuff now
 
Originally posted by: MAME
Originally posted by: aidanjm
do you have the windows xp restore function turned on? (it's turned on by default). Most geeks seem to turn it off, but if it is on, you can get your computer to revert to the state prior to the install of the spyware software.

I'm a geek and turned it off (on purpose)

I leave it on (on purpose). 😀

 
Originally posted by: MAME
YES! By moving the Internet Explorer executable, I made this invisible elitenua32.exe crash. Once it crashed, I managed to delete all the spyware without it regenerating. I just hope that when I restart, the executable isn't run again (I turned it off in msconfig's startup but it has the power to recheck itself).

I think I may have gotten lucky, but we will see. I'm running the MS antispyware stuff now

search the hard drive for all instances of elitenua32.exe (or whatever it is) just in case it is hiding out somewhere?
 
Search the registry manually for the one thing that you can't get rid of. Then after you get rid of all the keys with that in it, run all the scanning programs again 🙂
 
Originally posted by: aidanjm
Originally posted by: MAME
YES! By moving the Internet Explorer executable, I made this invisible elitenua32.exe crash. Once it crashed, I managed to delete all the spyware without it regenerating. I just hope that when I restart, the executable isn't run again (I turned it off in msconfig's startup but it has the power to recheck itself).

I think I may have gotten lucky, but we will see. I'm running the MS antispyware stuff now

search the hard drive for all instances of elitenua32.exe (or whatever it is) just in case it is hiding out somewhere?

I did, it doesn't come up...even now, when the program crashed and isn't running, it can't be found
 
Originally posted by: edro13
Admit it... you downloaded a porn dialer, didn't you? ...AVI converter my ass. 🙂

I honestly don't know what a porn dialer is. I download porn movies, not .exe's

I'm trying to convert these avi's to mpgs so I can fit more than 1 episode of the sopranos on 1 dvd
 
Originally posted by: Kniteman77
Search the registry manually for the one thing that you can't get rid of. Then after you get rid of all the keys with that in it, run all the scanning programs again 🙂

I went to the registry and deleted both folders named 'LQ'. The god damnit thing regenerates itself INSTANTLY, thanks to elitenua32.exe

However, now that it crashed, it does not regenerate
 
Ok, so I didn't bother reading everything, but look:
1) Run the big three in Safe Mode with Networking. (Ad-Aware, Spybot, MS Antispyware.) Go through your registry, and see what files are put in the "Run" entries to run upon rebooting. (I forgot the entire path of the registry keys, "something\software\microsoft\windows\currentversion\run".) (Or something like that.)
2) After you go through EVERY entry in the registry, and delete the ones you aren't sure of, or that are bad processes, run hijack this.
3) Paste hijackthis logfile here, and delete offending entries.

After all of that, do an online virus scan at TrendMicro.

At this point....if it's not clean....then yeah, don't know what else to tell you.





KeyserSoze

 
Originally posted by: KeyserSoze
Ok, so I didn't bother reading everything, but look:
1) Run the big three in Safe Mode with Networking. (Ad-Aware, Spybot, MS Antispyware.) Go through your registry, and see what files are put in the "Run" entries to run upon rebooting. (I forgot the entire path of the registry keys, "something\software\microsoft\windows\currentversion\run".) (Or something like that.)
2) After you go through EVERY entry in the registry, and delete the ones you aren't sure of, or that are bad processes, run hijack this.
3) Paste hijackthis logfile here, and delete offending entries.

After all of that, do an online virus scan at TrendMicro.

At this point....if it's not clean....then yeah, don't know what else to tell you.





KeyserSoze

I've done all that (and more actually) except for I didn't know about the hijack this log analyzer. Even though I checked it myself and everything was ok, it's still pretty cool, thanks!
 
You say you tried hijack this and everything looked ok. I don't believe it. Do you actually know how to read hijack this? There are entries that seem ok but are actually potential malware. Post the log.
 
Originally posted by: torpid
You say you tried hijack this and everything looked ok. I don't believe it. Do you actually know how to read hijack this? There are entries that seem ok but are actually potential malware. Post the log.

Yes I could read it fine and the analyzer said everything was fine EXCEPT for it thought that MS's antispyware might be malicious

Here's my log

Logfile of HijackThis v1.98.2
Scan saved at 12:52:40 PM, on 3/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\God\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...l.trendmicro.com/housecall/xscan53.cab

 
Giant is good but won't work in safe mode. You can only run it in unsafe mode. Boot into another OS that can read NTFS partitions and get rid of the bogeys in the usual manner.
 
Originally posted by: DangerAardvark
Okay, then there's only one option. Get a Bible, a crucifix and an ordained church official. We're gonna go Constantine on this bitch.

You will also need an old priest and a young priest.
 