RE: [OT] I think I have a virus
- Posted by Christopher Stone <chris_m_stone at yahoo.com> Aug 18, 2004
One more entry I found that I just kinda skipped over: spoolcrv.cpl. Sorry, it's got almost the same name as the print server. It's a virus called Inspir.11. If you run HijackThis again, tell it to fix all the entries with that file name. The original log you sent me had it listed under RunServices for HKLM and HKCU.

As far as Windows logging off as soon as the desktop loads, that's just strange. Never had that happen to me before. Couple of things to check.

Load Group Policy Editor again and bring up the software restrictions. Since it sounds like you told it to disable the policies, right-click on Local Computer Policy, clear both the checks at the bottom and click OK. First, go to Computer Config, Windows Settings, Security Settings, Software Restrictions. Open up Enforcement, make sure it is set to All Files and All Users. Next, go to Security Levels. Open Unrestricted, and set it to default. Then we want to go to Additional Rules. Bring up the properties on each of the HKEY_LOCAL_MACHINE (first four) path rules. Make sure they are all set to Unrestricted on the security level. Then, let's go ahead and delete all the hash rules we made.

Next, we want to delete several registry keys. BE VERY CAREFUL.

1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\iets32.exe
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\system service and Windows Security Server. Make sure it's the ones with the values of spoolcrv.cpl and rundll32.vbe. They are probably the only entries under RunServices.
3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\system service. Again, make sure it's got a value of spoolcrv.cpl.

After this, reboot. Let me know what happens. I'll be up for quite a while yet, so feel free to send an email tonight. I'll try to respond as quickly as possible.
Chris

--- Greg Haberek <ghaberek at wowway.com> wrote:

> As far as the group policy helping with virus and
> spyware removal, it's much improved since Windows 2000.
> You can tell Windows to include file types other than
> just .exe. Some of the spyware sets the security so
> tight, you can't even view the security tab while it
> is running, much less delete it. To get to the
> software restrictions, run MMC. Go to File, Add/Remove
> Snap In. Then click the Add button. Select Group
> Policy, click Add, Finish, Close, and OK. Open Local
> Computer Policy, Computer Configuration, Windows
> Settings, Security Settings, Software Restrictions.
> Double click Enforcement to bring up the options.
> Select All Software Files, and All Users and click OK.
> Then, open up the Security Levels folder, right-click
> on Disallowed, and click Set as Default. Then we want
> to open the Additional Rules folder. Right-click in a
> blank spot for the rules and select New Hash Rule.
> Click the Browse button and point it to
> C:\Windows\System32\iets32.exe. It should
> automatically set it to Disallowed, which is what we
> want. We also want to create a new hash rule for
> C:\WINDOWS\System32\msdxm.ocx,
> C:\WINDOWS\system32\rundll32.vbe.

Ok, I totally foobar-ed my computer. I did what was mentioned above, and when I restarted and logged on, Windows logged me right off. I tried logging in as Administrator, same thing. So I booted into Safe Mode and removed all the settings, restarted, same problem. I'm posting this from my laptop. (mmmmm.... Fedora :) If it weren't for the homework I need to do in VB, and the programs people want me to write *in Windows* I'd strip down that hard drive and install Fedora Core 2. Grrrr.... Stupid Spyware....

~Greg
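A defender-side way to audit the Run and RunServices keys the thread walks through, looking for the file names it names, as an added PowerShell example that is not part of the thread. The indicator list, the backup folder and the `-Remove` switch are my assumptions; by default it only reports, and when removal is requested it exports the key first so the change can be reversed with `reg import`.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Reports autorun values matching the indicators; removes them only with -Remove.
param(
    [switch]$Remove,                                  # default is report-only
    [string]$BackupDir = "$env:TEMP\autorun-backup"   # assumed backup location
)

# File names the thread identifies as malicious (constructed list; extend as needed).
$Indicators = @('spoolcrv.cpl', 'iets32.exe', 'rundll32.vbe')

# Run / RunServices under both hives, as in the thread's instructions.
$AutorunKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunServices') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}

# Provider metadata that Get-ItemProperty adds to every result; not registry values.
$Noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $AutorunKeys) {
    if (-not (Test-Path $key)) { continue }          # key may not exist on this system
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $Noise) { continue }
        # Match on either the value name or its data, since the thread lists both forms.
        $hit = $Indicators | Where-Object { $p.Name -like "*$_*" -or "$($p.Value)" -like "*$_*" }
        if (-not $hit) { continue }
        "{0}  {1} = {2}" -f $key, $p.Name, $p.Value
        if ($Remove) {
            # Export the whole key before touching it: reg.exe wants HKLM\..., not HKLM:\...
            $regPath = $key -replace '^(HK[A-Z]+):', '$1'
            $file = Join-Path $BackupDir (($key -replace '[:\\]', '_') + '.reg')
            reg.exe export $regPath $file /y | Out-Null
            Remove-ItemProperty -Path $key -Name $p.Name
            "  removed value '$($p.Name)' (backup: $file)"
        }
    }
}
```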