Zitat

first off, let me say this was a pain in the arse to figure out, but it was staring me in the face the whole time. i wrote a huge detailed response to a couple virus software vendors etc. but here i'll just post wot i did. and mycomp specs.

read this through entirely before doing anything, and i'm not responsible for any damage caused etc. etc. and i'm sure that the operators of this forum don't want to be either


there are a few things i've noticed the virus/spyware do.
first the desktop was replaced by a webpage that led to www.smart-security.info apologizing that their advertisers are malicious (bs). this desktop, as long as it was enabled would open up pages to various websites every 60 seconds or so. i removed it by going to desktop properties=>web and deselecting 'security' i also deleted it (no need to keep it).

that's the desktop done, now the rest

first thing's first...write this down, save it to a text file, print it out, whatever. you may not have net access to this page in safemode. restart and when you see your hard disks being detected by bios start pushing F8 until you see the boot menu for windows. select safe mode or safe mode with networking (which may allow net access)
check the processes running and if mstasks2.exe is running, stop it.
go to the windows directory (btw i have winxp pro) and delete these files:
'system.exe','desktop.exe','seksdialer.exe','mstask2.exe','mstask1.exe','mstask3.exe','mstask4.exe','secure.html'.
notice how secure.html reappears.

now this is the trick to get rid of this [censored]...you need to have your xp cd handy... i don't know if the good old 'FCKGW' cd's will work, but guess they should.

hit the sweet ctrl+alt+del combo that has served so many times before, but usually only to close other 'not responding' microsoft programs.
find explorer.exe in the processes list and end it...your start menu should disappear.
go to file=>new task (run) and type 'cmd'
browse to d:\i386\ (where d: is your cd drive)
type in 'copy explorer.ex_ c:\windows\explorer.exe' (ex_ is not a typo and where c:\windows is the location of your INFECTED copy of explorer.exe)
the prompt will ask if you want to overwrite the file...yes you do.

thats a fresh explorer.exe and no auto changing to secure.html. you can now start up explorer again by closing the cmd prompt and going to file=>run on the task manager again. this time type 'explorer.exe'

if u have a anti-virus software, at some stage it may find a file or two it doesn't like and delete them or whatever it does. this should be ok.

boo ya

that's it...change your home page back to google or whatever it was, but remember to delete secure.html first. just in case it reinfects.

i checked the registry a thousand times trying to work the virus/spyware out, but in the end i dont think it actually uses it...just in case though, you should check for anything in the run/runservices that you dont want starting.