Surf Sidekick 3

Crusher

Anyone have the misfortune of dealing with this yet? I built a computer for a friend about two years ago, and apparently he didn't do much between then and now except install everyone's favorite (useless) anti-virus program, Norton. No SP2, no Windows updates, no security hotfixes.

We were in their area this weekend and they mentioned their computer was having problems, so I checked it out. Sure enough, tons of spyware, adware, and viruses all over the place, which normally I can get rid of easily enough, but this one is just a bitch and a half. It has DLLs that load even in safe mode, and apparently I formatted the drive as NTFS when I set it up, so the Windows 98 boot floppy was no good. I had to bring it home with me and I'll have to mount the drive in one of my computers to clean it up. I hope this isn't a trend in new viruses; at least the old ones, as annoying as they are, clean up easily.
 
Always bring a WinXP CD with you, or at least the 6 bootable floppies required for each version of the WinXP recovery console (home will not work with pro and vice-versa). Yes, six floppies suck, and yes, it takes forever, but after the userinit.exe got corrupted on my father's machine (which had no XP media included--thanks Sony!), recovery console let me swap it out with a known good version. Life was once again peachy. And there was much rejoicing.

Then again, just slipstream your own WinXP ISO or use a BartPE thing or something.
 
AlphaWolf: HijackThis was what I tried first, it failed to remove it. It's possible someone combined it with a stronger virus. I'm not sure how they got the DLLs to load even in safe mode, but as long as they're loaded, you can run HijackThis all you want, it keeps recreating itself.

The Baron: Yeah, I usually go better prepared, but I wasn't aware he was having problems until I was already out there. Guess I should just make a first aid kit to keep it in the car for these little emergencies.
 
Crusher said:
The Baron: Yeah, I usually go better prepared, but I wasn't aware he was having problems until I was already out there. Guess I should just make a first aid kit to keep it in the car for these little emergencies.
There's always Knoppix/Whoppix/whatever live CD distro you want to use. Not quite as useful because you don't have the holy trinity of chkdsk /r, fixboot, and fixmbr, but still handy nonetheless. Plus you never know when you'll need to crack a WEP or WPA key. :p
 
Crusher said:
AlphaWolf: HijackThis was what I tried first, it failed to remove it. It's possible someone combined it with a stronger virus. I'm not sure how they got the DLLs to load even in safe mode, but as long as they're loaded, you can run HijackThis all you want, it keeps recreating itself.

The Baron: Yeah, I usually go better prepared, but I wasn't aware he was having problems until I was already out there. Guess I should just make a first aid kit to keep it in the car for these little emergencies.
Did you follow the rest of the instructions on that page too, even though the HijackThis part didn't work?
Sometimes it's enough to ruin malware by breaking it to enable you to remove it piece at a time.

There is a Regedit vulnerability which enables malicious strings to be hidden from HijackThis.

If you can find the names of the DLLs then use something like Pocket KillBox or GiPo MoveOnBoot (the latter is more effective) to delete them before they can load into memory at boot.
I used to have a program that could find ultra-hidden files in order to get the names required for the above file-killer applications, but I can't remember the name of it now.
If anyone else could help...?

PS. An easy thing to accidentally overlook is to forget to disable System Restore before doing anything like this. You probably don't use it, but the person whose computer it is may have it switched on. Or you may have intentionally left it on when setting it up for them.
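The delete-before-load step described above, as an added PowerShell example that is not from this thread or from either of the tools named: it queues the DLLs for deletion by the session manager at the next boot through the Win32 call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (the same kernel32 mechanism that MoveOnBoot-style tools typically rely on), then reads the queue back from the registry so you can confirm the entries before rebooting. The two DLL paths are constructed placeholders, and the script assumes an elevated prompt on the infected machine.

```powershell
# Added example: queue locked/auto-loading DLLs for deletion at next reboot,
# the same mechanism used by MoveOnBoot-style file killers. Run elevated.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'Kernel32Move' -Namespace 'Win32' -PassThru

# Documented flag value for MOVEFILE_DELAY_UNTIL_REBOOT
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Remove-FileOnReboot {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $full = [System.IO.Path]::GetFullPath($p)
        if (-not (Test-Path -LiteralPath $full)) { Write-Warning "Not found: $full"; continue }
        # A null destination tells the session manager to delete rather than rename.
        $ok = $Kernel32::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if ($ok) {
            Write-Host "Queued for deletion at reboot: $full"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "MoveFileEx failed (Win32 error $err) for $full"
        }
    }
}

function Get-PendingFileRenames {
    # Windows keeps the queue in this REG_MULTI_SZ value as (source, destination)
    # pairs; an empty destination means "delete". Sources carry a \??\ prefix.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $val) { return @() }
    for ($i = 0; $i -lt $val.Count; $i += 2) {
        [pscustomobject]@{ Source = $val[$i]; Destination = $val[$i + 1] }
    }
}

# Constructed placeholder paths; replace with the DLL names found on the machine.
Remove-FileOnReboot -Path 'C:\Windows\System32\example_bad1.dll', 'C:\Windows\System32\example_bad2.dll'
Get-PendingFileRenames | Format-Table -AutoSize
```

Disable System Restore first, as the post says, or the restore point can hand the files straight back after the reboot.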
 