SoftwareTipsandTricks Forum



CurrentVersion/Run contents question


  #1  
Old 10-15-2005, 04:57 PM
Willie_Williams Offline
Registered User
 
Join Date: Jul 2005
Posts: 5
CurrentVersion/Run contents question

I'm trying to disinfect my daughter's XP Dell Inspiron Notebook, which is so under attack that she can't do anything. Two of these attackers are the "Casino" virus (which Symantec labels Adware.Jraun) and the "Adware.Websearch" virus.

I ran a Symantec scan (in Safe mode) and it found nothing.

I had removed the "Web Search" program from Add/Remove Programs, so maybe that actually did a thorough job of removing it.

I can't find the "Golden Palace Casino PT" program in Add/Remove Programs, (Symantec says to remove it from there) so it must be doing something under the covers.

Anyway, in the Symantec "manual" instructions for removing the Casino virus, it says to go into regedit to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and remove version.exe and keyhost.exe and HKEY_LOCAL_MACHINE\SOFTWARE\Redirectkey.

But none of these were there.

HOWEVER, there were all sorts of suspicious keys, like:

- adcomplusanalytic.exe
- exp.exe
- mmxp2passion.exe
- playandwin.exe
- Setup2-71.exe.exe

Can I remove these without worrying?

She's got dozens (maybe 45) executables being kicked off in this "Run" registry folder. This is excessive, isn't it?

Is there a way, other than writing them all down, of capturing a list of all those registry items so I could post it for your expert inspection?

Thanks,

- Willie Williams
Reply With Quote

  #2  
Old 10-15-2005, 06:14 PM
pip22 Offline
Registered User
 
Join Date: Jun 2004
Location: United Kingdom
Posts: 1,297
Quote: "Is there a way, other than writing them all down, of capturing a list of all those registry items so I could post it for your expert inspection?"

Yes indeed there is a way. The accepted method is to download "HijackThis". Run it to create a log-file of everything that's running on the system, then post the log to the appropriate forum for analysis and instructions on what to 'fix'. It's important to remember that 'HijackThis' lists everything that's running, both good and bad, so don't attempt to analyse it yourself. 'HijackThis' can be downloaded from here:
http://www.majorgeeks.com/download3155.htm
Reply With Quote
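
An added example, not part of the thread and not any poster's code: on a Windows system with PowerShell 3.0 or later (an assumption; the XP machine discussed here would not have it by default), this lists every value under the common Run and RunOnce keys, resolves each command to a file path, and records whether the file exists and its Authenticode signature status, so the list can be saved and posted for review. The output file name `run-keys.csv` and the helper `Get-ExePath` are names chosen for this example.

```powershell
# Added example: inventory autostart entries from the Run/RunOnce keys.
# Read-only: nothing is deleted or modified in the registry.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-ExePath([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"')          { return $Matches[1] }  # "C:\path with spaces\x.exe" /arg
    if ($cmd -match '^(.+?\.exe)(\s|$)')   { return $Matches[1] }  # C:\Program Files\x.exe /arg
    return ($cmd -split '\s+')[0]                                  # anything else: first token
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }   # key absent on this system
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $path    = Get-ExePath $command
        # Bare names such as "rundll32.exe" are not searched on PATH; they show as NotFound.
        $exists  = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
        $sig     = if ($exists) {
            [string](Get-AuthenticodeSignature -LiteralPath $path).Status
        } else { 'NotFound' }
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $command
            Path = $path; Exists = $exists; Signature = $sig
        }
    }
}

# Unsigned or missing binaries sort together, which makes odd entries easier to spot.
$report | Sort-Object Signature, Name | Format-Table Name, Signature, Command -AutoSize -Wrap
$report | Export-Csv -Path .\run-keys.csv -NoTypeInformation
```

A `NotSigned` or `NotFound` status is a reason to look closer at an entry, not proof that it is malicious; many legitimate programs ship unsigned binaries.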

  #3  
Old 10-15-2005, 07:08 PM
Willie_Williams Offline
Registered User
 
Join Date: Jul 2005
Posts: 5
Hijackthis question

Since the machine I'm trying to revive/disinfect is completely useless at present--it starts attempting to download a Casino program and also puts up "Can't access locationXXXXXX" type error messages, and I can't even get it to respond to CNTL>ALT>DELETE or Task Manager. So I can only run hijackthis in Safe mode. But I think a much smaller (safer) number of processes are running in Safe mode.

I think I'll be able to download hijackthis in Safe mode with Network, but how will I run it when I'm not in Safe mode?

---------------------------------------------------------
You wrote:

Quote: "Is there a way, other than writing them all down, of capturing a list of all those registry items so I could post it for your expert inspection?"

Yes indeed there is a way. The accepted method is to download "HijackThis". Run it to create a log-file of everything that's running on the system, then post the log to the appropriate forum for analysis and instructions on what to 'fix'. It's important to remember that 'HijackThis' lists everything that's running, both good and bad, so don't attempt to analyse it yourself. 'HijackThis' can be downloaded from here:
http://www.majorgeeks.com/download3155.htm
Reply With Quote

  #4  
Old 10-16-2005, 12:51 PM
Willie_Williams Offline
Registered User
 
Join Date: Jul 2005
Posts: 5
CurrentVersion/Run contents question

I'm trying to disinfect my daughter's XP Dell Inspiron Notebook, which is so under attack that she can't do anything. Two of these attackers are the "Casino" virus (which Symantec labels Adware.Jraun) and the "Adware.Websearch" virus. (I discovered the Adware.Websearch likelihood because among the ~45 processes running after booting are:

- WSG.exe
- radio.exe
- PIB.exe
- TBPS.exe
- VPC32.exe

I Googled WSG.exe and the Symantec site says this process is part of the Adware.WebSearch virus.)

I ran a Symantec scan (in Safe mode) and it found nothing. (?!?!)

I can't find the "Golden Palace Casino PT" program in Add/Remove Programs, (Symantec says to remove it from there) so it must be doing something under the covers.

Anyway, in the Symantec "manual" instructions for removing the Casino virus, it says to go into regedit to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and remove version.exe and keyhost.exe and HKEY_LOCAL_MACHINE\SOFTWARE\Redirectkey.

But none of these were there.

HOWEVER, there were all sorts of suspicious keys, like:

- adcomplusanalytic.exe
- exp.exe
- mmxp2passion.exe
- playandwin.exe
- Setup2-71.exe.exe

Can I remove these without worrying?

She's got dozens (maybe 45) executables being kicked off in this "Run" registry folder. This is excessive, isn't it?

I understand that if you can run hijackthis, you can get a list of running processes to show experts. But that computer is so overwhelmed that I can't get to IE, Mozilla, or Windows Explorer to download/transfer the hijackthis program.

Do you think restoring an earlier version of the system (via System Restore in Safe mode) might improve the situation?

Or would that probably not affect these viruses?

Thanks for any advice you can give,

- Willie Williams
Reply With Quote

  #5  
Old 10-16-2005, 01:40 PM
yoni5002 Offline
Registered User
 
Join Date: Oct 2005
Posts: 923
Why don't you try an antispyware first?
About the:
- adcomplusanalytic.exe
- exp.exe
- mmxp2passion.exe
- playandwin.exe
- Setup2-71.exe.exe

You can erase them all; it's not gonna affect you at all... (It is possible that you'll receive an error message after Windows starts up... that's gonna be fixed later by any antispyware.)

Yoni5002º
________
Reply With Quote

All times are GMT -5. The time now is 03:55 AM.

