Clean it up or format/reload?

Guest

Running WinXP Pro SP2, all critical updates. User has managed to get it
infected with something that AV and 3 anti-spyware packages can't seem to
clean, at least not yet. Have cleaned up in safe mode, checked/cleaned some
registry locations, deleted files, looked in msconfig/startup for clues, etc,
etc. One AS reports CWS, but CWShredder doesn't find it. When start IE,
triggers the little bugger and AV starts reporting various .exe files
infected with W32/Startpage.ATH and W32/Agent.AIU. However, AV scan says box
is clean. There's also a red shield with an X in systray, tells me AV is bad
and system is infected with spyware. Looks like MS program but I don't trust
anything at this point. Have started working with AV vendor but their initial
suggestions didn't fix it. Other interesting note: system restore refuses to
restore to selected points, have tried multiple points both few weeks ago
(different problem) and this issue. Before I spend more time on phone with AV
support, wanted to see whether others thought I should just format/reload
given the situation (no disk image). All opinions welcome, humble or not.
 
Theguy

Welcome to the wonderful world of SpyAxe.
This is not a Microsoft program, but it tries to pass as one.
SpyAxe shows as a red circle with a white X in it and continually
reports spyware on the system. I have fought with this program for
5 hours to fix it in the past and barely managed to get rid of it. My
advice is to just format and reload. It's not worth the fight.
 
Malke

Lynn said:
Running WinXP Pro SP2, all critical updates. User has managed to get
it infected with something that AV and 3 anti-spyware packages can't
seem to clean, at least not yet. Have cleaned up in safe mode,
checked/cleaned some registry locations, deleted files, looked in
msconfig/startup for clues, etc, etc. One AS reports CWS, but
CWShredder doesn't find it. When start IE, triggers the little bugger
and AV starts reporting various .exe files infected with
W32/Startpage.ATH and W32/Agent.AIU. However, AV scan says box is
clean. There's also a red shield with an X in systray, tells me AV is
bad and system is infected with spyware. Looks like MS program but I
don't trust anything at this point. Have started working with AV
vendor but their initial suggestions didn't fix it. Other interesting
note: system restore refuses to restore to selected points, have tried
multiple points both few weeks ago (different problem) and this issue.
Before I spend more time on phone with AV support, wanted to see
whether others thought I should just format/reload given the situation
(no disk image). All opinions welcome, humble or not.

It sounds like your user has a variant of the Smitfraud/SpyAxe garbage.
Try these steps, doing everything with updated tools in Safe Mode:

Part 1 - Download and run noahdfear's SmitFraud and SpyAxe removal tool
from http://noahdfear.geekstogo.com/click counter/click.php?id=8

Part 2 - Download and run David Lipman's tool from
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

David's Instructions:
Execute SmitFraud.exe (Note: You must accept the default of C:\McAfee)
Choose Unzip
Choose Close

NOTE: You may have to disable your software firewall or allow WGET.EXE
to go through your firewall to enable WGET.EXE to download the needed
McAfee-related files.

Execute c:\mcafee\clean.bat (or Double-click on 'Clean Link' in
c:\mcafee)

A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated. At the end of the scan, it will be displayed in your browser
(Opera, FireFox or Internet Explorer). It is suggested that you move
the report out of c:\mcafee before performing another scan.

Part 3 - Continue with general malware removal (since I don't know what
you've already done):
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke
 
Vagabond Software

Lynn said:
Running WinXP Pro SP2, all critical updates. User has managed to get it
infected with something that AV and 3 anti-spyware packages can't seem to
clean, at least not yet. Have cleaned up in safe mode, checked/cleaned some
registry locations, deleted files, looked in msconfig/startup for clues, etc,
etc. One AS reports CWS, but CWShredder doesn't find it. When start IE,
triggers the little bugger and AV starts reporting various .exe files
infected with W32/Startpage.ATH and W32/Agent.AIU. However, AV scan says box
is clean. There's also a red shield with an X in systray, tells me AV is bad
and system is infected with spyware. Looks like MS program but I don't trust
anything at this point. Have started working with AV vendor but their initial
suggestions didn't fix it. Other interesting note: system restore refuses to
restore to selected points, have tried multiple points both few weeks ago
(different problem) and this issue. Before I spend more time on phone with AV
support, wanted to see whether others thought I should just format/reload
given the situation (no disk image). All opinions welcome, humble or not.

One thing you can try is instead of using Internet Explorer, open up My
Computer, My Documents or any other folder window and type the following URL
in the address bar:

http://housecall.trendmicro.com/

Try and do a scan that way, especially in Safe Mode with Networking.

Start with that and let me know.

carl
 
Guest

Thanks for the suggestions. Sorry for the late reply. Don't really think it
was Spyaxe, different symbol (circle vs. shield) and removal tools didn't
find it. Finally decided to format/reload, but as was searching for
instructions on mfg's site on how to format from reinstall CD (no floppy
drive on this system), found instructions on how to restore to
originally-shipped configuration. Happy happy joy joy, they imaged the
original system! If it didn't seem like such a task to image every drive
here, I'd do it in a heartbeat, but there are very few identical systems.
Anyway, was back in business in no time, and I've locked him down tighter.
 