Oh, wtf...

Shryke

I'm just home after weeks of travel to find that my home PC is screwed. I'm on my laptop right now. This might not even be virus related but basically the PC runs on XP. It has all of my music. Guys. All of it. I turn it on and before it gets to the User select screen I'm giving a warning telling me I might have spyware and to install appropriate software. Cool. So then I get to the user select screen. I'd love to click owner right about now but unfortunately the keyboard and mouse are unresponsive. So I try some hooking up an older set of K and M. No luck.
It's late, I'm tired and I can't think right now. All I can say is What The Fuc-.

Cuddlesworth

You have been fooled. What has happened is that spyware told you to install more spyware.

When you are turning on your laptop after the initial bios screen press F8 before windows loads. Choose Safe Mode with networking as your boot option.

Update and run your antivirus application and install the recommenced software in the stickys at the top of the forum.

Shryke

Alright I tried this. I can access safe mode and choose the option of safe mode with networking and then it brings me to the screen where I choose Owner or Administrator and both my keyboard and mouse don't work. I can't tab over and press enter and the mouse won't budge. I'm at a loss, and googling a good bit but I haven't found a solution.

Cuddlesworth

Try just old plain safe mode. Tell me if you can get that far without the input devices going dead.

Also are your mouse and keyboard ps2 or Usb?

Shryke

I can choose safe mode and then choose to use safe mode with XP. After that the devices go dead and I can't select a user profile.
I'm using wireless USB mouse and keyboard. I might have an older keyboard lying around somewhere that has the round connector. I assume that is a ps2 connection? It wasn't in great shape last time I used it but I'm sure it still worked. I'll give that a go right now...
A bit of success! The older keyboard works. So now I suppose I should just scan and try and clean it as best I can?
One last question then. Quick tips on navigating the desktop/switching windows and the like with just a keyboard?

Cuddlesworth

http://www.seoconsultants.com/windows/key/

Should help out. .msc commands are helpful as well.

You might want to run a file check on your system after trying to remove the spyward, should fix the USB problem.

http://www.helpwithwindows.com/WindowsXP/howto-24.html

token56

I imagine the wireless USB and Mouse are not working as in safe mode the drivers could be disabled, or you might need to reinstall them anyway because of the virus if thats what it is

Cuddlesworth

token56 wrote: »

I imagine the wireless USB and Mouse are not working as in safe mode the drivers could be disabled, or you might need to reinstall them anyway because of the virus if thats what it is

From personal experience, most wireless mice are as far as the system is concerned normal mice. The drivers are only optimisations for the movement inputs and incorporate features such as channel switching. Its the reason why they work at bios level as well.

Shryke

Things just got worse. I was in safe mode and my keyboard did the job. I scanned with AVG and Spybot. AVG found plenty and Spybot found a couple of things. They're a little out of date with their definitions but not by much. Scansd completed, I restarted. I'm still getting a warning up telling me about spyware while Windows boots and things may have gotten worse. I'm still using the keyboard and thats fine but when I now choose an account it acts as if it's going to go on ahead as it should for a moment but then that spyware warning or whatever it is flashes momentarily on the screen and the caption for the user profile has changed from 'loading your settings' or whatever it is to 'saving your settings' as if it were exiting my profile. And I'm left sitting at the select a profile menu.
So, I went back into safe mode and guess what happens? The same thing. I can't seem to access any account. Is this the end of the line? You've been very helpful so far Cuddles. Thanks for that. What's to be done though?

_CreeD_

If you have your files on a separate partition then format your system partition and reinstall Windows. If not do a new install of Windows, install to a different folder , e.g. Windows2, when you boot up backup your files and then wipe and reinstall.
I'm not a proponent of format/reinstall for everything but if a machine is this badly compromised it would likely take a tremendous effort to manually track and clean each infection (since the anti-malware tools have failed) so format/reinstall is the more efficient option for you.

Cuddlesworth

Sandor wrote: »

Things just got worse. I was in safe mode and my keyboard did the job. I scanned with AVG and Spybot. AVG found plenty and Spybot found a couple of things. They're a little out of date with their definitions but not by much. Scansd completed, I restarted. I'm still getting a warning up telling me about spyware while Windows boots and things may have gotten worse. I'm still using the keyboard and thats fine but when I now choose an account it acts as if it's going to go on ahead as it should for a moment but then that spyware warning or whatever it is flashes momentarily on the screen and the caption for the user profile has changed from 'loading your settings' or whatever it is to 'saving your settings' as if it were exiting my profile. And I'm left sitting at the select a profile menu.
So, I went back into safe mode and guess what happens? The same thing. I can't seem to access any account. Is this the end of the line? You've been very helpful so far Cuddles. Thanks for that. What's to be done though?

Can you write down the exact warning you get word for word about spyware?

What's written on the top of the window of the warning?

If you click the available link to "remove" does it direct or did it direct you towards a particular website.

Also to confirm do you get this warning before Windows login screen or during it?

Shryke

I hear you. This is the first time I've had to format in ten years. I'm fairly put back but format it is.

Cuddlesworth

_CreeD_ wrote: »

If you have your files on a separate partition then format your system partition and reinstall Windows. If not do a new install of Windows, install to a different folder , e.g. Windows2, when you boot up backup your files and then wipe and reinstall.
I'm not a proponent of format/reinstall for everything but if a machine is this badly compromised it would likely take a tremendous effort to manually track and clean each infection (since the anti-malware tools have failed) so format/reinstall is the more efficient option for you.

If we can find out exactly what he has we could make a better informed decision to wipe the system of not.

Shryke

Cuddlesworth wrote: »

If we can find out exactly what he has we could make a better informed decision to wipe the system of not.

Well I haven't done it yet and I'm not running out to. I'll get to it over the next week. If there is anything else I can do though let me know. Google hasn't turned up much for me so I'm at a loss otherwise.

Cuddlesworth

Sandor wrote: »

Well I haven't done it yet and I'm not running out to. I'll get to it over the next week. If there is anything else I can do though let me know. Google hasn't turned up much for me so I'm at a loss otherwise.

Normally if you find out the site that the spyware trys to redirect you to, you can find out how to removing it by googling the site or the alleged company. Its worked for me in the past. You can try highjack logs, there are a few very well in-formed sticky's at the top of the forum involving it.

But I suppose _creed_ is most likely right, your system sounds fairly screwed. It looks like the spyware itself has gone wrong and taken out a few core components. A re-install may be the quicker option. You can use safe mode and a external hard-drive to back up your data before hand. Or even removing the drive and installing as a slave in another system.

Spyware is rarely viral, the makers prefer to use flaws in browsers to infect machines.

FredsWebHead

Hi Sandor,
Just to let you know I had the same problem last night but not to the same extent as yourself. IE7 started acting up the same time as yourself around 00.30 I quickly went to windows update and there was a good few updates there for me to install. I installed these, rebooted, and left the PC and Laptop running AD-aware, Spybot and AVG running over night. Found a good few virus/malware and the sort. Everything seems to be running fine now. And I have XP service pack 3 on the laptop and Vista Home premium on the PC with dual boot to XP. The Windows update files I downloaded were all malware removal files and security updates. If you can in any way get to log on to your profile do what I did and hopefully you won't have to Format/Install OS. And maybe losing files and personal stuff. Hope I helped.
Cool Beans,
Fred.

Shryke

Thanks Fred but it might be too late.
To clarify the warning appears before the windows login screen and flicks up for a moment when I try to access a profile.There is no link I can follow unfortunately. It's pretty messed up. At least I have quite a few things stored on a secondary/slave drive including music, games, and films so I won't format that if possible. No crucial documents will be lost.

_CreeD_

Cuddlesworth wrote: »

If we can find out exactly what he has we could make a better informed decision to wipe the system of not.

If, and absolutely no offense meant to the OP, it was in the hands of someone who could reliably track what should and shouldn't be there on a Win32 system I'd agree. I have never had to wipe an infected system but many have taken hours of pain staking work that imho just isn't worth it for the home user

Cuddlesworth wrote: »

Spyware is rarely viral, the makers prefer to use flaws in browsers to infect machines.

Sorry I'm not trying to quote-roast but this is an important point and kinda leads back to why I suggested a wipe. Malware is moving from isolated applications from mostly script kiddies and wannabes to very complex blended threats by organised crime. The standard high end attack these days involves an initial infection by the simplest code the syndicate can get away with, something that only rarely pops it's head out to check for commands and see if it can download further malware. The actions of this initial infection can be innocuous enough that your AV does not pick it up. Usually the 2nd stage involves retro-virii to shutdown your AV, or simply mod. the code or definitions to render it inert, after that the main bot components followed by anything the bot-master likes and as SPAM and Spyware is a relatively safe and profitable byline while they wait for whatever they really want to do with their bots you can be sure you will get infected with both. So yes by itself Spyware is rarely viral but it as it is being incorporated into many final stage viral infections it may aswell be.
How many times have you cleaned an infected machine only to have the AV pick up the same infection again and again? The base infection is still there. If you're good with tools like ProcExplorer and TCPView and know your way around the registry you have a chance but again how much effort would be saved vs. a reinstall and the surety that it's gone.