Infected! win32/fakespypro
April 25, 2010 9:34 PM   Subscribe

How do I manually remove win32/fakespypro (showed up from a link someone sent) from my Vista system? I googled, with no luck from any reliable sources. I have four antivirus pgms installed, they keep removing it but it comes back. I now have DOS issues, no internet, cannot execute most pgms. I managed to get regedit up but cannot find the keywords to fix it. Oddly enough, my restore disk became full at the same time. Where are the entries in the registry?
posted by ~Sushma~ to Computers & Internet (15 answers total)
 
Not sure why google is failing you since "win32/fakespypro manual removal" gave me this, but:

via

Step 1 : Use Windows Task Manager to Remove Trojan.FakeSpypro Processes:
Adware_Pro.exe
nwdcsysguard.exe
sysguard.exe

Step 2 : Use Registry Editor to Remove Trojan.FakeSpypro Registry Values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CFA131B1-3A6E-4c4f-A0CC-4CC9D844B04C}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN system tool
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A44F370-735B-485f-B212-62007E9E6815}
RUNNING PROGRAM sysguard.exe
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Adware_ProMFCT
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN system tool
RUNNING PROGRAM Explorer.EXE
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN sysguard
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{9030D464-4C02-4ABF-8ECC-5164760863C6}

Detect and Delete Other Trojan.FakeSpypro Files:
Adware_Pro.exe
nwdcsysguard.exe
sysguard.exe

View the Trojan.FakeSpypro Components with their MD5s:

File Name   File Size (bytes)   MD5
sysguard.exe 387080 62efb7861dc2339d414ec54cf70dd184
iehelper.dll 10752 79eea244cd1be1ebf3cc4afc958ed274
nwdcsysguard.exe 276480 5722e811dfe81f804067841dd38ee683
sysguard.exe 317968 7133a5c5db960863e55100a94d9c5831
sysguard.exe 292368 df2d825847659517d0e119c5e174f161
iehelper.dll 12032 3f6d902b7a5c64223b25e4f082cf055c
Adware_Pro.exe 13839992 d1141b28f5081ef41a9980469cac8700
iehelper.dll 12032 5dd3e872fea8c9f9e9ddcbd2f2a17cf0
sysguard.exe 290832 46d81054aaae9edac747b3f8849c3729
iehelper.dll 10752 f56ab671b9bd31441cef1eafd18be4d0
posted by Bonzai at 9:58 PM on April 25, 2010
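A read-only check a defender can run from an elevated PowerShell prompt, added here as an example (it is not from the answer above or the removal site it quotes): it looks for the Run values, BHO/SharedTaskScheduler CLSIDs and file names in the list, then hashes any file it finds against the MD5 table. It assumes "system tool", "sysguard" and "Adware_ProMFCT" are value names under the Run keys, and uses .NET for MD5 because Get-FileHash did not exist in the PowerShell 2.0 a Vista box ships with.

```powershell
$runValueNames = 'system tool', 'sysguard', 'Adware_ProMFCT'   # assumed: value names under ...\Run
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$clsidKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
$clsids = '{CFA131B1-3A6E-4c4f-A0CC-4CC9D844B04C}', '{3A44F370-735B-485f-B212-62007E9E6815}',
          '{9030D464-4C02-4ABF-8ECC-5164760863C6}'
$fileNames = 'adware_pro.exe', 'nwdcsysguard.exe', 'sysguard.exe', 'iehelper.dll'
$knownMd5 = @'
62efb7861dc2339d414ec54cf70dd184 79eea244cd1be1ebf3cc4afc958ed274 5722e811dfe81f804067841dd38ee683
7133a5c5db960863e55100a94d9c5831 df2d825847659517d0e119c5e174f161 3f6d902b7a5c64223b25e4f082cf055c
d1141b28f5081ef41a9980469cac8700 5dd3e872fea8c9f9e9ddcbd2f2a17cf0 46d81054aaae9edac747b3f8849c3729
f56ab671b9bd31441cef1eafd18be4d0
'@ -split '\s+'

# MD5 through .NET so the script also runs on PowerShell 2.0 (no Get-FileHash there)
function Get-Md5Hex([string]$path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}
$candidates = @()   # file paths worth hashing, collected from Run values and running processes
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $runValueNames) {
        $p = $props.PSObject.Properties[$name]
        if ($p) {
            Write-Output "Run value '$name' in $key -> $($p.Value)"
            # first token of the command line, with or without surrounding quotes
            $candidates += [regex]::Match($p.Value, '^"?([^"]+?\.(exe|dll))', 'IgnoreCase').Groups[1].Value
        }
    }
}
foreach ($base in $clsidKeys) {   # BHOs use one subkey per CLSID, SharedTaskScheduler one value per CLSID
    if (-not (Test-Path -LiteralPath $base)) { continue }
    $props = Get-ItemProperty -LiteralPath $base
    foreach ($c in $clsids) {
        if ((Test-Path -LiteralPath "$base\$c") -or $props.PSObject.Properties[$c]) { Write-Output "CLSID $c present under $base" }
    }
}
$candidates += Get-Process | Where-Object { $_.Path -and $fileNames -contains [IO.Path]::GetFileName($_.Path).ToLower() } |
               ForEach-Object { $_.Path }   # Path is null for some system processes; those are skipped
foreach ($path in ($candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique)) {
    $hash = Get-Md5Hex $path
    $verdict = if ($knownMd5 -contains $hash) { 'MATCHES a listed FakeSpypro MD5' } else { 'not in the table; check its size and date' }
    Write-Output "$path  md5=$hash  $verdict"
}
```

It only reports; a hash that is not in the table does not clear the file, since the table covers only the builds the removal site had seen.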


One thing you can try, if you can't get into regedit is to burn a knoppix CD and remove the registry keys from the editor there. A lot of these viruses will prevent you from manually removing the entries.
posted by delmoi at 10:17 PM on April 25, 2010


It's probably time to nuke it from orbit.
posted by Chocolate Pickle at 10:46 PM on April 25, 2010


In addition to the knoppix suggestion, you can try to fix this from Windows in safe mode. As the machine boots, press the F8 key repeatedly until the safe mode menu comes up (more info here). Booting up this way will prevent the items listed in HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN from running at startup, so the malware won't be running while you're trying to delete the .exe files and the associated reg keys.
posted by Blue Jello Elf at 11:29 PM on April 25, 2010


I agree with Chocolate Pickle -- if you can stomach it, it's often easier to just reformat your hard drive, and reinstall Windows in these situations. Use the Knoppix live CD suggested above to get any precious files, pictures, etc. off of your hard drive, then nuke it.

That said, it's pretty scary if the malware is screwing with your restore partitions? Maybe track down an actual Windows CD or some other restore disk if you do go this route.
posted by Herschel at 11:45 PM on April 25, 2010


Second and thirding -

You'll really, really have an easier time erasing the drive and starting over, at this point.
posted by koeselitz at 12:11 AM on April 26, 2010


it's often easier to just reformat your hard drive, and reinstall Windows in these situations

Nuke and pave may be an easier method for a technician whose job is disinfecting Windows boxes, but it's almost certainly not easier for the poor schmoe who gets to spend a week putting a carefully tailored computing environment back together again.

You do not have to nuke it.
posted by flabdablet at 3:22 AM on April 26, 2010


Also:

showed up from a link someone sent

only goes to show that UAC is indeed useless since it rapidly trains people to pay it no attention.

I trust that this experience will make you think more carefully about what you choose to install on your computer in future.
posted by flabdablet at 3:28 AM on April 26, 2010


Nuke the site from orbit, it's the only way to be sure.
posted by thewalrus at 5:31 AM on April 26, 2010


Here is Microsoft's page about fakespyro

If you are not afraid of regedit, it looks to be curable in Safe Mode, though there are quite a number of registry entries and files to check. The 'Downloading Files' section is a little worrisome--you might want to check for files newer than the infection.
posted by hexatron at 5:39 AM on April 26, 2010


You do not have to nuke it.

I believe the rationale for wiping the computer is not that it's impossible to remove this virus, but that anything that could give you one virus could give you two viruses, one of which may be undetected.

The main way to avoid this is to follow good practices - such as not downloading and installing dodgy software. If a person currently has a virus, that indicates that the practices they are following are not sufficient to prevent virus infection.

That said, it's true that (by definition) there's no evidence of an undetected virus, and it's difficult to rationally assess unknown risks; it's up to the user what they want to do.
posted by Mike1024 at 11:00 AM on April 26, 2010


flabdablet: “Nuke and pave may be an easier method for a technician whose job is disinfecting Windows boxes, but it's almost certainly not easier for the poor schmoe who gets to spend a week putting a carefully tailored computing environment back together again.”

Yeah, I guess the best 'rule' here is: it really depends on who you are and how you use your machine. Some people rigorously and strictly keep everything they even touch in their /home or \user folder; it takes a few seconds for them to back up and restore. Personally, I keep every bit of data I have on a separate drive, and it takes me about ten minutes to reinstall the dozen or so applications I always use, so a wipe is just the simplest solution. If someone were, say, running a PostgreSQL server with some scripting architecture on top of it on their machine, nuke and pave would be an extremely unfortunate measure to have to take. What's more, a lot of us are a bit lax about where we keep our files, and have all sorts of little optimizations we don't even think much about - internet bookmarks and saved passwords, to mention probably the most frequently forgotten one, in my experience. So it can be a hassle.

I guess it's worth considering, but it's also worth it to keep in mind the risks and remember what you might be going through to do it.
posted by koeselitz at 11:22 AM on April 26, 2010


Before you remove any virus from a computer, make sure you disable System Restore first. I don't know how it works in Vista/Win 7.
posted by Xoebe at 2:32 PM on April 26, 2010


A little of everything above worked. There were no entries in the registry that matched some of the fixes. I deleted a couple of entries that looked odd in the HKEY_CURRENT_USER_ portion and it seems to have helped. Then I had a DOS for Explorer, remedied that by unchecking the 'use proxy server' entry in the options tab. I then manually updated my virus software (the trojan disabled automatic updates) and it's running clean, however the D drive is still full and I'm not sure what to do with that yet....
posted by ~Sushma~ at 11:19 AM on May 3, 2010


SpaceMonger will show you what's occupying your disk space.
posted by flabdablet at 7:34 PM on May 3, 2010

