[Fury9er]

Hello folks,

I found this vile thing on my laptop this morning. I tried getting one of Panda's AV programs to remove it, but upon retsart I was just getting the standard bluescreen - explorer.exe doesn't seem to be working.

The machine functions in safe mode, so I found this place on another PC and tried getting rid of some components mentioned in the help threads - all I really accomplished was getting a blank screen rather than a blue one if I try starting up in normal mode.

Unfortunatly I don't have a Hijack This log - will that program work in safe mode?

Thanks in advance for any help, its a great resource you have running here!

[Advertisements]

HijackTHis will work in Safe Mode but I expect you may already have removed the badguy and are just left with the termite damage.

The first thing is to post your HijackThis log.

This bug is caused by a file wp.exe. You will see him down in the O4 entries.

Terminate the process and then check his box and Fix Checked. That still leaves a problem in your registry.

Start, Run, regedit, OK to bring up the regedit program.

find HKey_Current_User->Software ->Microsoft->Windows->CurrentVersion>policies (Hit the + sign in front of each Key as you find them. That will open up the subkeys.)

Under Policies is usually an entry named System. If you find it highlight it and press the Delete key. Then OK. Close the program and reboot.

Start, Control Panel, Display (Properties). This should bring up Display Properties/Background. Change the wallpaper to something else and Apply. You may also need to select Web and uncheck the box where it says View My Active Desktop as a web page. OK

Ron

[RKinner]

HijackTHis will work in Safe Mode but I expect you may already have removed the badguy and are just left with the termite damage.

The first thing is to post your HijackThis log.

This bug is caused by a file wp.exe. You will see him down in the O4 entries.

Terminate the process and then check his box and Fix Checked. That still leaves a problem in your registry.

Start, Run, regedit, OK to bring up the regedit program.

find HKey_Current_User->Software ->Microsoft->Windows->CurrentVersion>policies (Hit the + sign in front of each Key as you find them. That will open up the subkeys.)

Under Policies is usually an entry named System. If you find it highlight it and press the Delete key. Then OK. Close the program and reboot.

Start, Control Panel, Display (Properties). This should bring up Display Properties/Background. Change the wallpaper to something else and Apply. You may also need to select Web and uncheck the box where it says View My Active Desktop as a web page. OK

Ron

[Fury9er]

Hello Ron,

Thanks for the quick response - I decided to bite the bullet and do a reformat in the end. I'm on a network and didnt want to risk spreading anything to other machines by going online. I apologise for wasting your time, I should have posted back sooner.

The version of XP I was using was SP1a so I made updating to SP2 the first priority after reformatting, then it had ad-aware, spybotS&D and spywareblaster installed - the infected machine had alot of junk on it and had not been reformatted in almost 3 years.

On the bright side I downloaded alot of the utilities mentioned in the various Smitfraud threads which will be useful if I ever get such an evil infection in future.

As a point of interest are there any free anti-virus programs like AVG that are allowed to be used on networked systems - Grisoft are quite clear about not using AVG on networks for some reason.

Thanks again!

[RKinner]

I think avg thinks that if you are networked you must be a company and if you are a company then you can afford to pay for you antivirus.

Microsoft's antispy beta is free and they claim the non beta will also be free. I've used it since it came out and it is getting better. It's not exactly an antivirus but it's close.

Norton (Symantec) has a new beta too but I haven't tried it. You have to uninstall your regular norton anti virus and that's too much trouble. It claims to be both antivirus and antispyware. Free until the end of June I think.

Ron