
Thread: Trojan/Spyware/etc.

  1. #1
    I'm more gentle than I look.
    Mr. Feathers AKA Mr. Striations
    All hail Lord Yamcha

    Join Date
    Aug 2007
    Posts
    17,537
    BG Level
    9

    Trojan/Spyware/etc.

    I think my friend picked up a trojan or some spyware or something of the sort. His computer is getting shortcuts to gay websites popping up on his desktop. Any and all programs that may help with this problem and prevent his PC from shit like this in the future would be appreciated.

  2. #2
    Yoshi P
    Join Date
    Nov 2006
    Posts
    5,072
    BG Level
    8
    FFXI Server
    Quetzalcoatl
    WoW Realm
    Proudmoore

    Ad-aware(for spyware): http://www.lavasoft.com/

    AVG: Free anti-virus program. http://free.avg.com/

  3. #3
    E. Body
    Join Date
    Jun 2005
    Posts
    2,226
    BG Level
    7
    FFXI Server
    Caitsith

    http://malwarebytes.org/ is also a very good piece of freeware. It tends to find a lot of unusual spyware/adware that some others don't pick up.

  4. #4
    Relic Horn
    Join Date
    Nov 2005
    Posts
    3,250
    BG Level
    7
    FFXIV Character
    Rokku Swarfjaryn
    FFXIV Server
    Balmung
    FFXI Server
    Caitsith
    WoW Realm
    Kilrogg

    Quote Originally Posted by Octavious View Post
    http://malwarebytes.org/ is also a very good piece of freeware. It tends to find a lot of unusual spyware/adware that some others don't pick up.
    This. I think this particular one is one of the best freeware programs for removing this stuff that I've seen.

  5. #5
    A. Body
    Join Date
    Nov 2005
    Posts
    4,315
    BG Level
    7
    FFXI Server
    Leviathan

    Hijackthis - Standard tool for "manual" removal of stuff or scans. Basically, this will show all the startup items, browser helper objects, etc. Good or bad. It's very possible to delete something you want using this though, so take care when using it.

    Superantispyware - One of a number of packages out there for removing spyware. Which of them is the "best" seems to shift.

    Spybot - Search and Destroy - While its scanning capability seems to be less now, Spybot does "immunize" your system by modifying the hosts file, and can run a registry protection agent (annoying as crap, but it has it). So there are reasons you might still want to run it.

    Windows Defender - Yes, Microsoft's own anti-spyware product. I have found it to be more effective against some of the trickier stuff to remove than most of the third party tools.


    Also, when repairing stuff, turn off system restore and/or make sure that you take ownership of the System Volume Information (where the system restore data lives). Otherwise you could possibly have Windows itself restoring spyware...or programs unable to scan in the directory.

  6. #6
    I'm more gentle than I look.
    Mr. Feathers AKA Mr. Striations
    All hail Lord Yamcha

    Join Date
    Aug 2007
    Posts
    17,537
    BG Level
    9

    Thanks everyone, for once the shit's not popping back up on the desktop when I delete it.

  7. #7
    Relic Shield
    Join Date
    Nov 2005
    Posts
    1,960
    BG Level
    6
    WoW Realm
    Akama

    Also I find it good to do scans in safe mode rather than a normal bootup.

  8. #8
    I'm more gentle than I look.
    Mr. Feathers AKA Mr. Striations
    All hail Lord Yamcha

    Join Date
    Aug 2007
    Posts
    17,537
    BG Level
    9

    Quote Originally Posted by Isiolia View Post

    Also, when repairing stuff, turn off system restore and/or make sure that you take ownership of the System Volume Information (where the system restore data lives). Otherwise you could possibly have Windows itself restoring spyware...or programs unable to scan in the directory.
    How would I go about doing this? AVG just now found 3 threats in C:/System Volume Information/Restore...etc. How would I go about getting that shit out of there?

  9. #9
    A. Body
    Join Date
    Nov 2005
    Posts
    4,315
    BG Level
    7
    FFXI Server
    Leviathan

    How would I go about doing this? AVG just now found 3 threats in C:/System Volume Information/Restore...etc. How would I go about getting that shit out of there?
    A couple of ways to go about it.

    The simpler thing to do is just to disable system restore altogether. This is typically recommended even by malware or antivirus programs. To do this, simply right click on the My Computer icon, go to properties, and the System Restore tab. There's a checkbox for Turn off System Restore on All Drives.

    System restore in general is a blessing and a curse. Sometimes it'll save your butt by being able to roll back a driver that blew up your system or something. Other times, it can restore a virus.

    The second part of this is a little trickier, but may be necessary because not all stuff potentially lurking in the System Volume Information folder is part of the System Restore stuff. Some malware simply puts files there because the folder is usually invisible, and by default it prevents users from really doing much in there (though if your scanner is picking stuff up that's in there, this may be unnecessary).

    Anyway, first open up My Computer (or any Explorer window really) and from the Tools menu go to Folder Options.
    In there, go to View, and then make sure that you can see Hidden Files and Folders, and uncheck the Hide protected operating system files. Just to make sure you can see the folder.
    Also scroll down to the very last item on that list, and uncheck Use Simple File Sharing. If you don't, you won't be able to access stuff for the next part.

    Now, on the drive, right click System Volume Information and go to Properties.
    Under the Security tab, click Advanced. Then click on the Owner tab. Highlight the Administrators group or the admin account you're using, check the Replace owner on subcontainers and objects, then hit OK or Apply. That will take ownership of the folder and its contents, which should allow scanners to look in, and delete, stuff in that folder if they need to.


    From what it sounds like you probably just need to do the first part and turn off system restore, but it doesn't hurt to do the second step as well.

  10. #10
    I'm more gentle than I look.
    Mr. Feathers AKA Mr. Striations
    All hail Lord Yamcha

    Join Date
    Aug 2007
    Posts
    17,537
    BG Level
    9

    Just ran the malware program linked earlier and got this, but I can't read computer talk lol.

    Malwarebytes' Anti-Malware 1.28
    Database version: 1240
    Windows 5.1.2600 Service Pack 3

    10/7/2008 2:18:19 PM
    mbam-log-2008-10-07 (14-18-19).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 122572
    Time elapsed: 2 hour(s), 3 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\TypeLib\{b3f2f73c-3d30-49e6-becf-24104cc1fb8f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{49b75f02-c258-444e-b87c-9fd87ddb8cfe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{99ed83aa-01d5-48c4-9e11-1f2ec96c2e3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{45cab0e1-42b7-499d-8ca3-c6df9be42d8a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5409a90e-cd52-4f18-842b-205fa602ae97} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\lpvideo.lpvideoplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\lpvideo.lpvideoplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\lpvideo.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\lpvideo.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\LPVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\LPVideo.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2d.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\LPVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Files Infected:
    C:\System Volume Information\_restore{BBFBDD71-17A2-4BA2-8E2C-3ED85E0417AD}\RP140\A0042550.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LPVideo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Did that get the shit for me in the System Volume Information or should I still go back and do your last post?

  11. #11
    A. Body
    Join Date
    Nov 2005
    Posts
    4,315
    BG Level
    7
    FFXI Server
    Leviathan

    According to the log, it was able to delete the file it found in there, so it should be good, at least as far as that particular item goes.
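
    As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for the log format posted above: it groups detections by their "... Infected:" section, answers the question A. Body answered by reading the log by hand (was everything found under System Volume Information actually quarantined and deleted?), and also pulls out the Run-key entries, which are what relaunches a program at logon. The sample is an abridged excerpt of the posted log; its last file line is constructed with a different outcome so the not-removed path is exercised.

```python
import re
from collections import defaultdict

# Abridged excerpt of the Malwarebytes log posted in the thread (forum word-splits
# rejoined). The final "C:\x" line is CONSTRUCTED with a different outcome so the
# not-removed path is exercised; the real log shows that item deleted too.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{45cab0e1-42b7-499d-8ca3-c6df9be42d8a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\LPVideoPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2c.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{BBFBDD71-17A2-4BA2-8E2C-3ED85E0417AD}\RP140\A0042550.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LPVideo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Delete on reboot.
"""
REMOVED = "Quarantined and deleted successfully"
# One detection line: "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Group detections by their "... Infected:" section -> [(item, family, action)]."""
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("Infected:"):          # section header, not the "Infected: 3" count line
            current = line[:-1]
        elif current and (m := ITEM_RE.match(line)):   # "(No malicious items detected)" never matches
            sections[current].append((m["item"], m["family"], m["action"]))
    return dict(sections)

def triage(sections):
    """What a responder wants from the log: autorun persistence, hits inside the
    System Restore store, and anything the scanner has not actually removed yet."""
    report = {"persistence": [], "system_restore": [], "not_removed": []}
    for entries in sections.values():
        for item, _family, action in entries:
            if "\\currentversion\\run\\" in item.lower():
                report["persistence"].append(item)
            if item.lower().startswith("c:\\system volume information\\"):
                report["system_restore"].append(item)
            if action != REMOVED:
                report["not_removed"].append((item, action))
    return report

def restore_store_clean(sections):
    """The thread's question: was every hit under System Volume Information removed?"""
    hits = [(item, action) for entries in sections.values() for item, _f, action in entries
            if item.lower().startswith("c:\\system volume information\\")]
    return all(action == REMOVED for _item, action in hits)
```

    Run `triage(parse_mbam_log(open("mbam-log.txt").read()))` against a real log to get the same three lists; an empty `not_removed` list plus `restore_store_clean(...)` being true is the "it should be good" reading given above.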

  12. #12
    I'm more gentle than I look.
    Mr. Feathers AKA Mr. Striations
    All hail Lord Yamcha

    Join Date
    Aug 2007
    Posts
    17,537
    BG Level
    9

    Awesome, thanks. If anything else comes up, I'll go through the steps from your other post.
