Topic: Malware that renames itself on reboot

jjans (topic starter, Full Member, joined Aug 2003)
Malware that renames itself on reboot
« on: November 24, 2004, 03:44:06 AM »
I am trying to get rid of some vicious spyware on a buddy's PC, running Windows ME, that was infected with over 300 viruses that I removed with AVG (Grisoft), and with over 400 malware/spyware items detected by both SpyBot and Ad-Aware. The kids love to download all the freeware, play online Java games, and download music, and naturally there was no firewall, virus, or antispy protection installed.

Ad-Aware chokes during the attempted deletion of detected critical objects, and Spybot's resident IE monitoring gives constant warning prompts (1 per minute on average) about redirection/browser web page changes to constantly changing addresses, e.g. http:// www .nuwprnbyqrybznfdkaarbuwpx. net/ (spaces added to the address to disable the hyperlink).

I was able to track one of the little buggers to WINDOWS\TEMP\ and found a 240 KB executable called oozwexsb.exe, and a lib called ladHide.dll (16 KB). Neither of these little buggers could be deleted, due to the "the specified file is being used by Windows" message.

So I rebooted to Safe-Mode, and was able to successfully delete the file and the dll.

However, on each reboot, the exe and dll are recopied from somewhere (??) back to the WINDOWS\TEMP folder, and the exe renames itself.

Anyone else encountered these little riggin's?

The interesting question is how I get rid of them (aside from a flame thrower...).

I do have the OS restore CD (if need be), but am not yet able to declare defeat by re-formatting the drive.
"Most Xenonites fly imports. Unfortunately yours is a domestic model. Don't be surprised if the gears work in reverse" - Volhaul's Revenge: Close Encounters of the Sludge Kind.

GVP A530, VXL 30/32, Supra 500XP, A590, A1000.
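As an added defender-side illustration (not code from the thread or from any of the tools named in it): the exe described above keeps its content but comes back under a new name after each reboot, so hashing the files in the TEMP folder before and after a reboot exposes the rename even though the file name itself is useless. The directory, file names and payload bytes below are constructed, and the 8-lowercase-letter name pattern is an assumption based on oozwexsb.exe.

```python
import hashlib
import os
import re
import tempfile

# Assumption: the dropper picks 8 lowercase letters plus .exe/.dll (e.g. oozwexsb.exe).
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(exe|dll)$")


def snapshot(folder):
    """Map the SHA-256 of each regular file's content to its file name."""
    snap = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                snap[hashlib.sha256(fh.read()).hexdigest()] = name
    return snap


def compare(before, after):
    """renamed: same content seen under a new name; new: content not seen before,
    flagged True when its name fits the random 8-letter pattern."""
    renamed = [(before[h], after[h]) for h in after
               if h in before and before[h] != after[h]]
    new = [(after[h], bool(RANDOM_NAME.match(after[h])))
           for h in after if h not in before]
    return renamed, new


def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: the same payload comes back under a fresh name
    after the 'reboot', while ladHide.dll keeps its fixed name."""
    payload = b"MZ" + b"constructed-payload" * 40
    with tempfile.TemporaryDirectory() as tmp:
        write(os.path.join(tmp, "oozwexsb.exe"), payload)
        write(os.path.join(tmp, "ladHide.dll"), b"MZ-constructed-dll")
        before = snapshot(tmp)                              # snapshot taken in Safe Mode
        os.remove(os.path.join(tmp, "oozwexsb.exe"))        # user deletes the exe
        write(os.path.join(tmp, "qkwlzpam.exe"), payload)   # re-copied under a new name
        write(os.path.join(tmp, "xtrqmvnb.exe"), b"MZ-other-constructed")  # unrelated new file
        after = snapshot(tmp)                               # snapshot after the reboot
        return compare(before, after)
```

On a real machine you would run `snapshot()` against the TEMP folder before and after the reboot and keep the "before" map on disk; the hash match is what tells you the new file is the old one, not a fresh download.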

jjans (topic starter)
Re: Malware that renames itself on reboot
« Reply #1 on: November 24, 2004, 05:35:48 AM »
@Ilwrath: Thanks for the tip. I'll give it a go.

BTW: research on ladHide.dll (16 KB) pointed to BackWeb (an auto-update program bundled with HP) as a possible variant of spyware. The program is not needed due to Windows Update already being on MSN, and there are articles critical of its resource usage and privacy concerns. (See: http://www.pestpatrol.com/PestInfo/B/Backweb.asp and http://forums.techguy.org/archive/index.php/t-183700.html.)

Not sure what the other one is yet...

jjans (topic starter)
Re: Malware that renames itself on reboot
« Reply #2 on: November 25, 2004, 02:47:33 AM »
Great input, guys - thanks! I'll give all suggestions a go.

By the way, how current are Amiga viruses these days? I'm talking OS 3.5 and less on the classics, not OS 4. I haven't heard of any since the days of VirusZ.