Ok, I am trying to get rid of this Raze Spyware and have tried the following programs: Ad-Aware SE, SpyBot S&D, HiJack This. Ran them all and removed a tonne of crap, except for the Raze Spyware that is still holding the desktop hostage! I have compared logs from Safe Mode to regular boot and am seeing a file called wuauclt.exe running when in regular boot mode. It seems to be in several places, Windows\System32, Windows\Software Distribution. Does anyone know if this can be removed? Are there any other suggestions to get rid of this spy?
Thanks! Ian
Reboot in Safe Mode* and run HiJackThis. (Note: if any items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O4 - HKLM\..\Run: [useful-soft] C:\WINDOWS\SYSTEM\svchst.exe
O4 - Startup: PowerReg Scheduler.exe
Close all windows except HijackThis and click Fix checked.
While still in Safe Mode*, delete the following (you may need to show hidden files**; files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\):
C:\WINDOWS\SYSTEM\svchst.exe
Wuauclt.exe is a process managing automatic updates for Windows. This process continuously checks for the latest updates by going online. This process should not be removed if you want to get informed about new updates.
Assisted Answer from r-k
Date: 09/09/2005 03:18PM PDT
Grade: A
Assisted Answer
If the above hasn't fixed the problem, then try the following:
(2) Get Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html and scan your system. Use the "Hide Signed Microsoft Entries" option to reduce the display, then save to a text file and cut-and-paste it here.
Comment from isitcomputers
Date: 09/10/2005 05:04PM PDT
Author Comment
Thanks for the responses. So far war1's tips have not worked; it is still there (thanks for the info about Wuauclt.exe!). I will try r-k's two links on Monday and let you know.
What is "still there"? A file that you cannot delete? Symptoms of Raze spyware?
Comment from isitcomputers
Date: 09/11/2005 06:22PM PDT
Author Comment
Ewido got rid of a couple of others that SpyBot S&D and Ad-Aware didn't catch! But the Razeware banner is still on the desktop, which brings me to war1's latest comment. The only thing I can see that is wrong is the desktop. I have a feeling the Razeware problem is gone but this is the left-over effect. I cannot change the desktop bitmap and cannot right-click on the desktop. Do you think that the Razeware problem is fixed and that this is just one of the effects of having a Razeware infection? I will try and get the Sysinternals output to you on Monday or Tuesday (Sept. 12 or 13th).
Accepted Answer from war1
Date: 09/11/2005 06:43PM PDT
Grade: A
Accepted Answer
Thanks for the good feedback. We are making progress.
To remove this, shut down the computer and boot to the Safe Mode command prompt. Once you have made it to a DOS prompt (it will help if you know DOS commands), type cd\ to change to the root directory. Type cd windows (I assume you are using Windows XP). You need to search the directory for files that were added on the date the red screen appeared. To do this, type dir /t/p. This command will fill one screen and pause (press Enter to continue). The file I found in here was desktop.html. To delete this file, type del desktop.html.

Next, move into the winnt\system32 directory (type cd system32 and press Enter). There are two files to delete in this directory (svcnt32.exe and zybigui.dll). To verify the date on these files, type dir svcnt32.dll /t (do the same for the other one), then delete both files. You may want to search all of the system32 directory for other files added at the same time with dir /t/p (there are many, many files in this directory). Once you are finished, type exit and press Enter. Then press Alt-Ctrl-Delete and select Shutdown.

After the system reboots you still have more work to do. Click Start, Settings, Control Panel. Click Display; on the Web tab, deselect Show Web content and you should be back to normal.
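As an added triage example that is not from any poster in this thread: a PowerShell script that does on a modern Windows box what war1's dir /t/p search does by hand (list files under a Windows directory created on or after the date the banner appeared) and also shows the Authenticode signature of every wuauclt.exe copy, since the question earlier asked whether those copies are safe. The $Root directory and the $Since date are placeholders to be set by whoever runs it.

```powershell
# Added example (not from this thread). Lists files created on or after a given date
# under a Windows directory, with their Authenticode signature status, so a file can
# be judged by path, creation date and signer rather than by name alone.
param(
    [string]$Root = "$env:SystemRoot\System32",   # assumption: directory to inspect
    [datetime]$Since = (Get-Date).AddDays(-7)     # placeholder: date the banner appeared
)

function Get-SignedFileInfo {
    param([System.IO.FileInfo]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    [pscustomobject]@{
        Path    = $File.FullName
        Created = $File.CreationTime
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# 1. Files added since $Since, oldest first: the manual "dir /t/p" search, automated.
Get-ChildItem -Path $Root -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    ForEach-Object { Get-SignedFileInfo -File $_ } |
    Sort-Object Created |
    Format-Table -AutoSize

# 2. Every copy of wuauclt.exe under the Windows directory. The genuine Windows Update
#    client is Microsoft-signed; an unsigned copy, or one signed by someone else,
#    deserves a closer look. Caveat: on older Windows, catalog-signed system files can
#    report NotSigned here, so weigh the path and creation date as well as the status.
Get-ChildItem -Path $env:SystemRoot -Filter wuauclt.exe -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignedFileInfo -File $_ } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt (for example `.\triage.ps1 -Since '2005-09-01'`) and compare the output against a known-clean machine before deleting anything.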
Comment from isitcomputers
Date: 09/12/2005 09:02AM PDT
Author Comment
I have no idea of the date the system was infected (not my PC, a client's)...but...the good news is, with everyone's tips, the Razeware banner is gone! I went to a website called http://www.kellys-korner-xp.com/xp.htm and got the registry fix for missing display tabs. Then I followed war1's hint "Click display on the web tab deselect showweb content". I rebooted and voila!