From: David Kaye on
Xray <pl(a)yer.com> wrote:

>Well, the virus hosed Avast, seemed like an option worth trying, since the
>alternative is basically to reinstall the OS.

It doesn't sound like a virus but a trojan. Anyhow, you can usually install
and run Mbam while in safe mode (and sometimes even update it if you run safe
mode with networking, though that's not always the case). At the moment, Mbam
still appears to be the best anti-malware tool out there.

From: David Kaye on
Xray <pl(a)yer.com> wrote:

>malwarebytes refuses to run, I even tried running it from an entirely
>different drive - If I try to name it something.com, it won't run unless
>it's an exe extension.
>I can change it to donaldduck.exe or whatever, doesn't seem to do any good.
>This infection seems geared to stop most programs, either by corrupting the
>install or not letting them run.

I've seen this a lot; the malware appears to look at the size of the file.
There are some older tools I can use, such as a copy of SpySweeper from about
3 years ago that most malware won't shut down, though they'll shut down more
recent versions.

But try installing it in safe mode and you might have better success. Also,
try rolling back the registry manually (copy and paste) to at least a week
before the infection was first noticed.

From: David Kaye on
Xray <pl(a)yer.com> wrote:


>It's a matter of debate how crippled my system is, that may or may not be
>the case, and nothing you or I know would allow a definitive statement in
>that regard - I'm not trying to "clean it up", per se.
>I am trying to get rid of malicious infections, then I can go to the
>cleaning stage.

I think your computer can be saved without reinstalling Windows. It doesn't
sound like that bad an infection, just annoying as hell.

If you feel comfortable monkeying around in the registry, look at HKLM,
Software, Microsoft, Windows, CurrentVersion, Run and look at the first key.
It should say (default) and (value not set). If it doesn't say (value not
set) and instead is blank, delete that entry. I see this a lot -- it's a RUN
entry that is masked by delete characters, making it invisible. These
infections that disable anti-malware tools and disable certain Control Panel
functions often hide themselves this way. I've seen it a LOT.

Also, while you're looking at the RUN section, see what else runs at startup.
Are there any programs with random characters in the file name? Do they
reside in the user's localsettings/temp directory rather than in Windows
System32? Nothing legitimate should be starting up from any temp or
local settings directory.

Some ideas for you...
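The registry check described in this post can be scripted so nothing has to be eyeballed in regedit. The following is an added, read-only audit script written for this thread; it is not David Kaye's or anyone else's code from the posts. HKLM is regedit's abbreviation for HKEY_LOCAL_MACHINE (and HKCU for HKEY_CURRENT_USER), which answers the "everything starts with HKEY" confusion. The script reports three things the post calls out: a Run key whose (default) value has been set instead of reading "(value not set)", value names made only of whitespace or control characters (the "masked by delete characters" trick), and autostart entries whose executable lives under a Temp or Local Settings directory. The random-name heuristic is my own rough assumption and will produce false positives; the script deletes nothing.

```powershell
# Added example, not from the thread: audit Run/RunOnce keys for the
# signs described above. Read-only; it only reports, it removes nothing.
# HKLM = HKEY_LOCAL_MACHINE, HKCU = HKEY_CURRENT_USER.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories nothing legitimate should autostart from (per the post).
$tempPatterns = @(
    '\\Temp\\',
    '\\Local Settings\\',
    '\\AppData\\Local\\Temp\\',
    '\\Temporary Internet Files\\'
)

function Get-ImagePath {
    param([string]$Command)
    # Pull the executable path out of a Run command line, quoted or not.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Test-RandomName {
    param([string]$Path)
    # Assumed heuristic (not from the thread): a base name of 8+ chars
    # with 3+ digits, or with no vowels at all, looks machine-generated.
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    if ($base.Length -lt 8) { return $false }
    $digits = ([regex]::Matches($base, '\d')).Count
    $vowels = ([regex]::Matches($base, '[aeiouAEIOU]')).Count
    return ($digits -ge 3) -or ($vowels -eq 0)
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key

    # GetValueNames() returns '' only when the (default) value has been set.
    foreach ($name in $item.GetValueNames()) {
        $raw  = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $path = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $raw))
        $reasons = @()

        if ($name -eq '') {
            $reasons += '(default) value is set; regedit should show (value not set)'
        }
        elseif ($name -match '^[\s\x00-\x1f\x7f]+$') {
            $reasons += 'value name is only whitespace/control characters (hidden entry)'
        }
        elseif ($name -match '[\x00-\x1f\x7f]') {
            $reasons += 'value name contains control characters'
        }

        foreach ($pat in $tempPatterns) {
            if ($path -match $pat) { $reasons += "runs from a temp directory: $path"; break }
        }

        if (Test-RandomName $path) { $reasons += "random-looking file name: $path" }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Key     = $key
                Name    = if ($name -eq '') { '(default)' } else { $name }
                Command = $raw
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No suspicious Run entries found.' }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; in safe mode it works the same way. Anything it flags is a candidate to investigate (where the file is, who signed it, when it appeared), not an automatic delete: export the key first with `reg export`, which also gives you the manual rollback copy the post recommends.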

From: Xray on
sfdavidkaye2(a)yahoo.com (David Kaye) wrote in
news:ho52fe$g21$2(a)news.eternal-september.org:

> Xray <pl(a)yer.com> wrote:
>
>
>>It's a matter of debate how crippled my system is, that may or may not be
>>the case, and nothing you or I know would allow a definitive statement
>>in that regard - I'm not trying to "clean it up", per se.
>>I am trying to get rid of malicious infections, then I can go to the
>>cleaning stage.
>
> I think your computer can be saved without reinstalling Windows. It
> doesn't sound like that bad an infection, just annoying as hell.
>
> If you feel comfortable monkeying around in the registry, look at HKLM,
> Software, Microsoft, Windows, CurrentVersion, Run and look at the first
> key. It should say (default) and (value not set). If it doesn't say
> (value not set) and instead is blank, delete that entry. I see this a
> lot -- it's a RUN entry that is masked by delete characters, making it
> invisible. These infections that disable anti-malware tools and disable
> certain Control Panel functions often hide themselves this way. I've
> seen it a LOT.
>
> Also, while you're looking at the RUN section, see what else runs at
> startup. Are there any programs with random characters in the file
> name? Do they reside in the user's localsettings/temp directory rather
> than in Windows System32? Nothing legitimate should be starting up from
> any temp or local settings directory.
>
> Some ideas for you...


Finally, some words of optimism, that's what I like to hear.
It is annoying as hell, and insidious, but not unbeatable.

I have no problem mucking around the registry, been doing that since the
Windows 95 days.
But can you run that key string again, everything starts with HKEY not
HKLM, and there's a bunch of software/microsoft folders.

I did have a bunch of temp files that I was unable to delete because they
were in use, very suspicious.
I used a handy little app called temporary file cleaner, which called for a
reboot to clean out the running temp files, so that helped.

Right now one of my main problems seems to be fraud windowsprotectionsuite,
which I believe is a trojan. Spybot detects it but is unable to kill it.
As far as viruses, not sure what I have as I have no functional virus app
right now.

From: Xray on
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
news:ho4tp4$qm5$1(a)news.eternal-september.org:

> "Xray" <pl(a)yer.com> wrote in message
> news:ho47pf01ar6(a)news3.newsguy.com...
>
>> But I must say, ignoring the warning of anti virus software,
>> disabling it, then clicking on the exe file, crosses the line
>> from risk taking into another realm.
>>
>> Suffice it to say that I won't do that again.
>
> You can also look at it this way. You have a problem with a program that
> you downloaded and executed, contact the person that you got the program
> from for help. If you cannot contact that person, you shouldn't have
> trusted the file. Continuing to operate in this manner, it is only a
> matter of time before you get something that the AV won't even
> recognize.
>
> Don't beat yourself up over ignoring the AV's warning - beat yourself up
> over even allowing your AV to scan that program.

I can't say I will never download a usenet binary again, life's too short to
get all tied up in knots about little things like that.

Up-to-date antivirus, heed its warnings, you should be fine 99% of the time.

The one caution I may take is to not download certain binaries the day they are
posted, in case they contain new infections not yet in the AV database.