Spyware/virus that's blocking my main port..

Syringer

Lifer
Aug 2, 2001
So I'm an idiot and got my machine infected--and I can no longer browse the internet unless I route through another port (8777 right now).

Is there a simple method of removing this? I've gone through msconfig, deleted the files that are starting up with my computer and their associated registry keys, and removed the files while in safe mode too, which allows it to work temporarily, but eventually it just comes back.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
As a starting point, try a System Restore back to before the infection. That's on Start > All Programs > Accessories > System Tools > System Restore. It might work, it might not.

Also, do you currently have an antivirus program, and which one is it?


BTW I'm going to move this over to Security, so look for it there after a while.
 

Quiksilver

Diamond Member
Jul 3, 2005
How about an anti-virus? Like Avira, Avast, ClamWin, or AVG.
How about anti-spyware? Like Ad-Aware, Spy Sweeper, or Spybot Search & Destroy.
How about <insert what you want to call this> a HijackThis log, to check registry entries and other stuff.
 

Medea

Golden Member
Dec 5, 2000
Originally posted by: Syringer
So I'm an idiot and got my machine infected--and I can no longer browse the internet unless I route through another port (8777 right now).

Is there a simple method of removing this? I've gone through msconfig, deleted the files that are starting up with my computer and their associated registry keys, and removed the files while in safe mode too, which allows it to work temporarily, but eventually it just comes back.

You can still have a downloader on your system which just downloads everything back that you removed.

 

hans007

Lifer
Feb 1, 2000
Originally posted by: Medea
Originally posted by: Syringer
So I'm an idiot and got my machine infected--and I can no longer browse the internet unless I route through another port (8777 right now).

Is there a simple method of removing this? I've gone through msconfig, deleted the files that are starting up with my computer and their associated registry keys, and removed the files while in safe mode too, which allows it to work temporarily, but eventually it just comes back.

You can still have a downloader on your system which just downloads everything back that you removed.

Any good AV program will have signatures for the downloader also.

It's possible the downloader is named the same thing as some real process, like svchost (so it will look the same in Task Manager).

I would go check my registry key for Run, for both current user and local user. Also check any other places for a weird svchost or other odd thing, like win.ini and your startup file. Lastly, go to services.msc and turn off any odd services you don't recognize.

It might be a bit difficult to do all this, but it's worth a try.
 

law9933

Senior member
Sep 11, 2006
For spyware these are some good scanners, all free.

AVG Antispyware manual
Superantispyware manual
Spybot manual
AdAware manual
a-squared manual
 

Medea

Golden Member
Dec 5, 2000
Hans -

There can be some whack downloaders out there. The following is a Vundo downloader that you'd see in the running processes in a HJT log (the CLSID is always random):
C:\Program Files\Common Files\{B0F6B85A-03A4-1033-1119-020207100001}\Update.exe

In this case, you have to delete the key and then delete the folder. Otherwise, it'll just keep coming back.

You've got good instincts that it's being generated by a 'Run' key. The problem is that there are several run keys. This one happened to be located at:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

However, for those who are not really sure what they're doing when working with the registry, at least back it up first with something like ERUNT. ;)

M.
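The checks hans007 and Medea describe (the Run keys under both hives, including the Policies\Explorer\Run key, an svchost.exe that is not the real one, and odd services) can be gathered in one read-only pass. The script below is an added example, not code from anyone in this thread; the list of Run keys it inspects and the "suspect path" heuristics (a {GUID} folder under Common Files, or a command launched from Temp/AppData) are assumptions chosen for illustration, so treat its output as a list of things to look at, not a verdict. It only reports; it deletes nothing, so it is safe to run before the registry backup Medea recommends.

```powershell
# Added example (not from any poster in this thread): read-only triage of the
# autostart locations discussed above. Run from an elevated PowerShell prompt.

# Run-type keys to inspect, including the Policies\Explorer\Run key Medea found.
# This list is an assumption for the example; Sysinternals Autoruns covers far more.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds to its output.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                # Heuristic (assumption): flag a {GUID} directory like Medea's Vundo
                # example, or a command launched from a user-writable location.
                Suspect = ($cmd -match '\\\{[0-9A-Fa-f-]{36}\}\\' -or
                           $cmd -match '\\(Temp|AppData|Local Settings)\\')
            }
        }
    }
}

function Get-MisplacedSvchost {
    # hans007's point: a downloader may be named svchost.exe so it blends into
    # Task Manager. The genuine copies live in System32 (and SysWOW64 on 64-bit
    # Windows); any other path with that name deserves a close look.
    $legit = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64')
    )
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Path -and -not ($legit | Where-Object { $_ -and $PSItem.Path -like "$_\*" })
        } |
        Select-Object Id, Path
}

function Get-OddServices {
    # Services whose binary lives outside the Windows directory. Compare these
    # against what you recognise before disabling anything in services.msc.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and ($_.PathName -notmatch [regex]::Escape($env:SystemRoot)) } |
        Select-Object Name, State, StartMode, PathName
}

Write-Host '== Run keys =='
Get-RunKeyEntries | Format-Table -AutoSize
Write-Host '== svchost.exe outside the system directory =='
Get-MisplacedSvchost | Format-Table -AutoSize
Write-Host '== Services with binaries outside the Windows directory =='
Get-OddServices | Format-Table -AutoSize
```

The Suspect column is only a prompt to investigate: legitimate installers sometimes use GUID-named folders too, so confirm each entry (publisher, signature, what the path contains) before removing the value and its folder as Medea describes. Run it again after cleanup; if an entry reappears, a downloader or service you have not yet found is recreating it.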