Spyware issue - running low on ideas

[QueBert]

I good portion of what I do day to day is clean spyware off computers. I have my routine and programs I use and it's always worked for me. Last week I encountered one that isn't letting me do shit. Even if I boot into safe mode I still can't do shit and the spyware still comes up. XP Defender Pro is one of them that comes up. I googled and this in itself shouldn't be hard to remove. But it's not letting me, so something else is throwing a monkey wrench in. If I install anything, even in Safe Mode it won't run. It won't let me edit the register as it says the Administrator has restricted access to editing it. I did find a program on Google that is supposed to fix this, but since I can't install anything it's not going to help me.

Spybot is on there, with some older definitions, I ran it and it found plenty of stuff, had some in memory and had to reboot to run again - fine. But, when it reboots the spyware pops up before Spybot is even loaded again. Spybot has always ran before anything else opens up when it runs on a reboot. I think what I need is some sort of boot disc with something like Spybot on it. I can find some A/V boot discs but nothing for spyware. I'm not the type to reinstall XP as a fix, I consider cleaning the PC back to a usable state to be fixing it. This one is pissing me off. Also it looks like the spyware is doing something to make the CD drive inaccessible. I thought perhaps if I put the programs I need on a CD they could install. But it's not even coming up in my computer.

any ideas here??

 

[Pepsei]

the only way to make sure is to reinstall OS then use ESET nod 32.

you'll end up wasting more time on removing crap left and right, who knows what else you have.

when i see kryptik trojan on my pc, i know i was screwed. it happened when i disabled eset to install something, and forgot to re-enable it.

 

[busydude]

If you are not willing to reinstall OS then the only way I can think is for you to pop in a live cd of any linux distribution and scanning your windows drive from that.

There are plenty of how to's regarding this just google it.

Here is a link that might help you.

 

[Gunbuster]

Take the HDD out and scan it on another PC, or get a live/miniPE CD and boot from that to scan.

 

[gaidensensei]

Yeah, I think the least "hassle" with some hassle involved (taking the drive off, etc) is to actually take it off and pop it onto a usb->hdd adapter and run your fixes.

Otherwise you need to boot off from something else, like a thumb/external drive and do your fixes like that.

I used to use ComboFix and Vundofix pretty often on spyware'd PCs, but this was 2 years ago. Not sure how it holds up today. Give them a whirl and see if it works?

 

[Mashed Potato]

open a notepad and copy paste the following to it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]


Save as fix.reg - it is recommended to restart after you run it, but when a comp is not running .exe for me, I run it and then malwarebytes.exe immediately after, and that fixes it (Defender xp pro).


If that doesn't work because of the regedit problem, try the following before it:

Open notepad
type command.com
save it as a *.bat file
run

There are regedit fix programs - try google. Good luck.

 

[MadScientist]

If it will see a flash drive in Safe Mode try running rkill from it first to stop the virus processes and then finish up with Combofix, MAM, SAS, or your favorite AV/AS program.

http://www.technibble.com/rkill-repair-tool-of-the-week/